referrer policy header not working apache .htaccess - apache

Using the securityheaders.io website, I can't get the Referrer-Policy header recognized in Apache .htaccess.
This is my code in .htaccess:
<IfModule mod_headers.c>
Header set Referrer-Policy "no-referrer"
</IfModule>
The site still says the referrer policy is missing. Is this not the right code to use?

You must add it like this in your .htaccess file:
Header always set Referrer-Policy "same-origin"

Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
Referrer-Policy: origin
Referrer-Policy: origin-when-cross-origin
Referrer-Policy: same-origin
Referrer-Policy: strict-origin
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: unsafe-url
Referrer-Policy: same-origin is usually recommended.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy

This worked for me:
Header always set Referrer-Policy "no-referrer"

Kubernetes Apache Headers

How can we edit the Apache config file in a Kubernetes environment?
Usually I edit some security settings in the .conf for all the headers.
Example:
Content-Security-Policy
X-Frame-Options
X-Content-Type-Options
Referrer-Policy
Permissions-Policy
Thank you

HTTP Strict Transport Security not respected for IP addresses

I set up a cert for an IP address with nginx, and enabled http strict transport security:
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
The header is in the response:
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 17 Sep 2014 22:46:54 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Access-Control-Allow-Origin: *
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubdomains;
X-UA-Compatible: IE=Edge,chrome=1
... but it's not respected by browsers (they do respect it for an FQDN).
If I understand you correctly, you direct your browser to an IP address (https://xx.xx.xx.xx/) instead of a domain name and expect it to obey the HSTS rule?
But RFC 6797 Appendix A explicitly excludes IP addresses:
HSTS Hosts are identified only via domain names -- explicit IP address identification of all forms is excluded.
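As an added example, not part of the answer, here is the user-agent side of RFC 6797 in Python: noting a host from its Strict-Transport-Security header and later deciding whether a request host is covered, with IP literals excluded as section 8.1.1 requires. The sample hosts in the comments and tests are constructed (192.0.2.0/24 is the documentation range).

```python
import ipaddress
from typing import Dict, Optional, Tuple

def parse_sts(value: str) -> Optional[Tuple[int, bool]]:
    """Parse an STS value into (max_age, include_subdomains) per RFC 6797 s6.1.
    Names are case-insensitive, max-age is mandatory and must appear exactly
    once, and an empty trailing directive ("...; includeSubdomains;") is tolerated."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not arg.isdigit():
                return None  # duplicate or malformed: the UA ignores the header
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

def is_ip_literal(host: str) -> bool:
    """RFC 6797 s8.1.1: an IPv4address or IP-literal host is never noted."""
    try:
        ipaddress.ip_address(host.strip("[]"))  # e.g. 192.0.2.10 or [2001:db8::1]
        return True
    except ValueError:
        return False

def note_hsts_host(store: Dict[str, Tuple[int, bool]], host: str, sts: str) -> bool:
    """Process an STS header received over TLS from `host`; True if it was noted."""
    host = host.lower()
    policy = None if is_ip_literal(host) else parse_sts(sts)
    if policy is None:
        return False
    if policy[0] == 0:
        store.pop(host, None)  # max-age=0 tells the UA to forget the host
        return False
    store[host] = policy
    return True

def is_known_hsts_host(store: Dict[str, Tuple[int, bool]], host: str) -> bool:
    """Exact match, or superdomain match if that entry set includeSubDomains."""
    host = host.lower()
    if is_ip_literal(host):
        return False
    labels = host.split(".")
    for i in range(len(labels)):
        policy = store.get(".".join(labels[i:]))
        if policy and (i == 0 or policy[1]):
            return True
    return False
```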

Bypassing authentication for "Options request" (so all headers are sent in the response)

This is in the context of Cross-Origin Resource Sharing. For the preflight request, the server is not sending the headers I set.
When a valid cookie is not passed with the OPTIONS request, the server's response does not include the headers I set; however, it sends "200 OK". I checked this with curl, as can be seen below (obviously, I replaced my valid cookie with a dummy "xyzabcde" here).
The curl request WITHOUT a cookie:
curl -H "Origin: app2_url" -H "Access-Control-Request-Method: POST" -H "Access-Control-Request-Headers: accept, origin, content-type" -X OPTIONS --verbose app1_url/jsonrpc.cgi
(sends the response below...)
HTTP/1.1 200 OK
Date: Tue, 01 Oct 2013 11:37:36 GMT
Server: Apache
Expires: Tue, 01 Oct 2013 11:37:36 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Expires: Tue, 01 Oct 2013 11:37:36 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 4531
Content-Type: text/html; charset=utf-8
With -H "Cookie: xyzabcde":
curl -H "Origin: app2_url" -H "Access-Control-Request-Method: POST" -H "Access-Control-Request-Headers: accept, origin, content-type" -H "Cookie: xyzabcde" -X OPTIONS --verbose app1_url/jsonrpc.cgi
(sends the response below...)
HTTP/1.1 403 Forbidden
Date: Wed, 02 Oct 2013 18:48:34 GMT
Server: Apache
X-frame-options: ALLOW-FROM app2_url
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: accept, origin, content-type, Man, Messagetype, Soapaction, X-Requested-With
Access-Control-Allow-Methods: GET, POST, HEAD, PUT, OPTIONS
Access-Control-Allow-Origin: app2_url
Access-Control-Max-Age: 1800
Transfer-Encoding: chunked
Content-Type: application/json; charset=UTF-8
The Apache config looks something like this:
<VirtualHost *:443>
.
.
Header always set X-Frame-Options "ALLOW-FROM app2_url"
Header always set Access-Control-Allow-Credentials "true"
Header always set Access-Control-Allow-Headers "accept, origin, content-type, Man, Messagetype, Soapaction, X-Requested-With"
Header always set Access-Control-Allow-Methods "GET, POST, HEAD, PUT, OPTIONS"
Header always set Access-Control-Allow-Origin "app2_url"
Header always set Access-Control-Max-Age "1800"
.
.
.
<Directory /app1/dir/>
Options Includes FollowSymLinks ExecCGI MultiViews
AllowOverride None
Order allow,deny
allow from all
AuthType Net
PubcookieInactiveExpire -1
PubcookieAppID app1.company.com
require valid-user
</Directory>
.
.
</VirtualHost>
How can I make all the headers be sent in response to unauthenticated requests?
I guess OPTIONS requests ideally are not supposed to require any authentication.
We solved this with a different configuration. Below is the snippet from the myApplication.conf file at /usr/local/apache/conf/extra:
<Location "/myService">
SetEnvIf Request_URI "/healthCheck" REDIRECT_noauth=1
SetEnvIf Request_Method "OPTIONS" REDIRECT_noauth=1
AuthType Basic
AuthName "myService"
AuthUserFile /usr/local/apache/conf/passwd/passwords
AuthGroupFile /usr/local/apache/conf/passwd/groups
Require group GroupName
Order allow,deny
Allow from env=REDIRECT_noauth
Satisfy any
</Location>
So we can bypass the authentication:
Based on a particular URI: in the above example, /healthCheck is bypassed.
Based on the HTTP method: in the above example, OPTIONS is bypassed and auth will be prompted for other HTTP methods.
Hope it helps someone resolve the issue.
The LimitExcept directive solved it. In fact, prior to posting the question I had tried the directive; however, my earlier mistake was including the first two lines ("Options Includes..." and "AllowOverride...") within the LimitExcept block.
<Directory /app1/dir/>
Options Includes FollowSymLinks ExecCGI MultiViews
AllowOverride None
<LimitExcept OPTIONS>
Order allow,deny
allow from all
AuthType Net
PubcookieInactiveExpire -1
PubcookieAppID app1.company.com
require valid-user
# syntax error fixed (Apache does not allow a comment on the same line as a directive)
</LimitExcept>
</Directory>
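Added example, not from the question or either answer: the browser-side checks that decide whether a preflight response is accepted, replayed in Python over the headers from the curl exchange above (app1_url/app2_url kept as placeholders), so you can see why the 200 without CORS headers and the 403 with them both fail. The response data below is constructed from the two curl outputs.

```python
from typing import Dict, List, Tuple

# Constructed from the curl exchange in the question (app1/app2 placeholders kept).
PREFLIGHT = ("app2_url", "POST", "accept, origin, content-type")
CORS_HEADERS = {
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Headers": "accept, origin, content-type, Man, Messagetype, "
                                    "Soapaction, X-Requested-With",
    "Access-Control-Allow-Methods": "GET, POST, HEAD, PUT, OPTIONS",
    "Access-Control-Allow-Origin": "app2_url",
    "Access-Control-Max-Age": "1800",
}

def _tokens(value: str) -> List[str]:
    return [t.strip().lower() for t in value.split(",") if t.strip()]

def check_preflight(origin: str, req_method: str, req_headers: str,
                    status: int, resp: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Replay the browser-side checks on a preflight response and list why it
    would fail. Strict form: every requested method and header must be listed
    (the Fetch safelist exemptions for GET/HEAD/POST and Accept etc. are not
    applied), which is what a server configuration should satisfy anyway."""
    h = {k.lower(): v for k, v in resp.items()}
    problems: List[str] = []
    if not 200 <= status <= 299:
        problems.append(f"status {status}: a preflight must succeed with 2xx")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    wildcard_ok = not creds  # with credentials, '*' is taken literally, not as a wildcard
    aco = h.get("access-control-allow-origin")
    if aco is None:
        problems.append("Access-Control-Allow-Origin missing")
    elif aco == "*" and not wildcard_ok:
        problems.append("Allow-Origin '*' cannot be combined with Allow-Credentials: true")
    elif aco != "*" and aco != origin:
        problems.append(f"Allow-Origin {aco!r} does not match Origin {origin!r}")
    methods = _tokens(h.get("access-control-allow-methods", ""))
    if req_method.lower() not in methods and not (wildcard_ok and "*" in methods):
        problems.append(f"method {req_method} not listed in Allow-Methods")
    allowed = set(_tokens(h.get("access-control-allow-headers", "")))
    missing = [x for x in _tokens(req_headers) if x not in allowed]
    if missing and not (wildcard_ok and "*" in allowed):
        problems.append(f"requested headers not listed in Allow-Headers: {missing}")
    return (not problems, problems)
```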

Content-Security-Policy Invalid Command

I added the following lines to my .htaccess file:
Content-Security-Policy: default-src 'self'
X-Content-Security-Policy: default-src 'self'
X-WebKit-CSP: default-src 'self'
But I always get the following error:
Invalid command 'Content-Security-Policy:', perhaps misspelled or defined by a module not included in the server configuration
I don't get it. Which Apache module do I have to activate? What's wrong with these lines?
Thx,
David
Add these lines to your httpd.conf configuration file, inside your virtual host sections, or inside your .htaccess files:
Header unset Content-Security-Policy
Header add Content-Security-Policy "default-src 'self'"
Header unset X-Content-Security-Policy
Header add X-Content-Security-Policy "default-src 'self'"
Header unset X-WebKit-CSP
Header add X-WebKit-CSP "default-src 'self'"
You may also be interested in adding these headers:
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options "DENY"
Header set Strict-Transport-Security "max-age=631138519; includeSubDomains"
You have to enable (LoadModule) mod_headers if it is not already enabled, then restart Apache.
I'm not an Apache expert, but Content-Security-Policy is a response header: http://httpd.apache.org/docs/2.2/mod/mod_headers.html
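An added example, not code from any of the answers, that parses a response head and runs the checks a scanner like securityheaders.io applies: it validates Referrer-Policy against the token list from the first thread on this page and flags a missing Content-Security-Policy as discussed in this one. The sample response is constructed.

```python
from typing import Dict, List, Tuple

# The Referrer-Policy tokens listed in the first thread on this page
REFERRER_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin", "origin-when-cross-origin",
    "same-origin", "strict-origin", "strict-origin-when-cross-origin", "unsafe-url",
}

# Constructed sample response head: several security headers set, but no
# Referrer-Policy and no Content-Security-Policy.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "\r\n<html>...</html>"
)

def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP/1.1 response into (status, headers). Header names are
    lowercased; a repeated field is joined with ', ' like a list-valued field."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = headers[name] + ", " + value if name in headers else value
    return int(status_line.split()[1]), headers

def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Report what a scanner such as securityheaders.io flags on these headers."""
    findings: List[str] = []
    rp = headers.get("referrer-policy")
    if rp is None:
        findings.append("Referrer-Policy missing")
    elif not all(t.strip().lower() in REFERRER_POLICIES for t in rp.split(",")):
        findings.append(f"Referrer-Policy has an unknown value: {rp!r}")  # e.g. a typo
    if "content-security-policy" not in headers:
        findings.append("Content-Security-Policy missing")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options should be 'nosniff'")
    if "strict-transport-security" not in headers:
        findings.append("Strict-Transport-Security missing")
    if headers.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options should be DENY or SAMEORIGIN")
    return findings
```

If a scanner keeps reporting a header as missing even though `Header set` is in place, check the response it actually received: `Header set` acts on the normal response header table, while `Header always set` also applies to Apache's locally generated error responses (the mod_headers documentation describes the two tables).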

apache no-cache, expire

I am trying to force no-cache on a CSV file on my site.
I added these lines to httpd.conf, following the Apache documentation:
ExpiresActive On
ExpiresDefault A0
<FilesMatch "\.(html|csv|htm)$">
ExpiresDefault A0
Header set Cache-Control "no-cache, no-store, must-revalidate, max-age=0, proxy-revalidate, no-transform"
Header set Pragma "no-cache"
</FilesMatch>
But when I try to get the page for the first time, I get this for the CSV file:
Request Method:GET
Status Code:200 OK (from cache)
Do you have any idea what I am doing wrong?!
Thanks!!
Gabi.
I checked it out and saw I have Django middleware enabled that handled the cache. I disabled it and now it works.
Sorry.. :)