new configuration version

This commit is contained in:
haburger 2024-11-29 06:56:43 +00:00
parent 4104117bc7
commit fbb4776faf
6 changed files with 118 additions and 14 deletions


@ -46,7 +46,7 @@ spec:
podDisruptionBudget: podDisruptionBudget:
maxUnavailable: "50%" maxUnavailable: "50%"
git: git:
tag: "r-cd771331fc5533d563e060e912962ba97444b86b" tag: "r-6cf60cd5531f9aed26896314800fd102f3af114f"
dir: "DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/proxy-idm" dir: "DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/proxy-idm"
credentials: "git-credentials" credentials: "git-credentials"
keystores: keystores:


@ -0,0 +1,18 @@
function outputHeader(request, response)
trace = request:getTracer()
cspHeader = response:getHeader("content-security-policy")
if (cspHeader ~= nil) then
trace:debug("AGOV CSP: Header set by backend, keep it as is (" .. cspHeader .. ").")
else
trace:debug("AGOV CSP: Header not set by backend, default AGOV csp set (" .. param_csp .. ").")
response:setHeader("content-security-policy", param_csp)
end
if (param_report_only_csp ~= nil and param_report_only_csp ~= "none") then
trace:debug("AGOV CSP: Additionl report only CSP-header set (" .. param_report_only_csp .. ")")
response:setHeader("content-security-policy-report-only", param_report_only_csp)
else
trace:debug("AGOV CSP: No report only CSP-header set")
end
end
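Review bot: `trace` and `cspHeader` on the second and third lines of outputHeader are assigned without `local`, so they become globals of the script environment and, if the LuaFilter reuses one Lua state across requests, are shared between concurrent calls. Declare them `local trace = request:getTracer()` and `local cspHeader = response:getHeader("content-security-policy")`. The else branch also concatenates and sets `param_csp` without the nil guard that the report-only branch applies to `param_report_only_csp`, so a missing param_csp init-param fails with a concatenation error in the debug call rather than a readable trace; a guard mirroring the report-only check, `if (param_csp ~= nil and param_csp ~= "none") then`, would make the failure explicit. The same two points apply to the identical copy of this script in the later file section. Whether the Lua state is per-request or shared is not visible on this page and depends on the LuaFilter runtime.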


@ -100,6 +100,36 @@
</param-value> </param-value>
</init-param> </init-param>
</filter> </filter>
<!-- source: pattern://29a7ba8eaff67eb26d2394bc -->
<filter>
<filter-name>Lua_CSP_Security_Response_Headers</filter-name>
<filter-class>ch::nevis::isiweb4::filter::lua::LuaFilter</filter-class>
<!-- source: pattern://29a7ba8eaff67eb26d2394bc -->
<init-param>
<param-name>Script.Namespace</param-name>
<param-value>param_</param-value>
</init-param>
<!-- source: pattern://29a7ba8eaff67eb26d2394bc -->
<init-param>
<param-name>Script.OutputHeaderFunctionName</param-name>
<param-value>outputHeader</param-value>
</init-param>
<!-- source: pattern://29a7ba8eaff67eb26d2394bc -->
<init-param>
<param-name>Script.Path</param-name>
<param-value>/var/opt/nevisproxy/default/host-admin.agov-w.azure.adnovum.net/WEB-INF/csp_security_response_headers.lua</param-value>
</init-param>
<!-- source: pattern://29a7ba8eaff67eb26d2394bc -->
<init-param>
<param-name>param_csp</param-name>
<param-value>default-src 'none'; script-src 'self' 'sha256-4r4l/2aahtvPIxQP0YmmqfftYXNwNqxxqOUaXVE0FjM=' 'sha256-3sconOU5uxdS6tVa5DhEli3N+/aY9IvYh873WqDptD0=' 'sha256-N3+RfLbnlpBc0lUnNy4soyLbX0tNDqQt5LPzkEsYOHo=' 'sha256-uOoE0nq21NJDv37YLUOxV9aCnNstJ0GK7BiXNMXQAcI='; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://trustbroker.agov-d.azure.adnovum.net/ https://me.agov-d.azure.adnovum.net/; font-src 'self';</param-value>
</init-param>
<!-- source: pattern://29a7ba8eaff67eb26d2394bc -->
<init-param>
<param-name>param_report_only_csp</param-name>
<param-value>default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://trustbroker.agov-d.azure.adnovum.net/ https://me.agov-d.azure.adnovum.net/; font-src 'self';</param-value>
</init-param>
</filter>
<!-- source: pattern://4095d4e66ef51810f07a6ed3 --> <!-- source: pattern://4095d4e66ef51810f07a6ed3 -->
<filter> <filter>
<filter-name>ModSecurity_nevisIDM_Administration_GUI</filter-name> <filter-name>ModSecurity_nevisIDM_Administration_GUI</filter-name>
@ -175,15 +205,14 @@
<param-value>false</param-value> <param-value>false</param-value>
</init-param> </init-param>
</filter> </filter>
<!-- source: pattern://9c6ad44795320a7adec1ccde --> <!-- source: pattern://36886a1934993d1f69690e1d -->
<filter> <filter>
<filter-name>ResponseHeader_Security_Response_Headers</filter-name> <filter-name>ResponseHeader_Base_Security_Response_Headers</filter-name>
<filter-class>ch::nevis::isiweb4::filter::delegation::HeaderDelegationFilter</filter-class> <filter-class>ch::nevis::isiweb4::filter::delegation::HeaderDelegationFilter</filter-class>
<!-- source: pattern://9c6ad44795320a7adec1ccde --> <!-- source: pattern://36886a1934993d1f69690e1d -->
<init-param> <init-param>
<param-name>DelegateToFrontend</param-name> <param-name>DelegateToFrontend</param-name>
<param-value> <param-value>
Content-Security-Policy-Report-Only:default-src 'none'; script-src 'self' 'sha256-4r4l/2aahtvPIxQP0YmmqfftYXNwNqxxqOUaXVE0FjM=' 'sha256-3sconOU5uxdS6tVa5DhEli3N+/aY9IvYh873WqDptD0=' 'sha256-N3+RfLbnlpBc0lUnNy4soyLbX0tNDqQt5LPzkEsYOHo=' 'sha256-uOoE0nq21NJDv37YLUOxV9aCnNstJ0GK7BiXNMXQAcI='; img-src 'self'; style-src 'self' 'sha256-/yxYnm5QjS5hz1/KbfNQ/Deyfb9rK1xZefYJGNT9UmU=' 'sha256-2diQqrANllVP9IWjXj1A6fjjvlPtpN6NXlmTiRJneCU=' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' 'sha256-DHdp+1g/LIFDKreGcezYZywjzyvqUEbmjv4fv+nEQeE=' 'sha256-DtJ0G5eArSV7tvvFUUeV7iyiWfBGflIkRW64/tmMWUk=' 'sha256-JhfXJ5URuB/EAqhZ9vqgEO6trOuCE0w2/ChmfrVzxFo=' 'sha256-MdFWcEIx4V82/ap9SUt01BxZMN4eFGEl8hNDFEGIzJU=' 'sha256-dnsMWK7eeuHUJm/wLL2CXCibJJV0lnUxjpqlu5fcUsg=' 'sha256-iKyiqXXi2KXxNcOUCr+VCUo09ipHFWuIkztLNvUXhd0=' 'sha256-ifPclQYYwRDXSPQgB9/6UgAgEICBpwegJBWNhOI8dOA='; form-action 'self' https://trustbroker.agov-d.azure.adnovum.net/adfs/ls; font-src 'self'; connect-src 'self';
Cross-Origin-Embedder-Policy:require-corp Cross-Origin-Embedder-Policy:require-corp
Cross-Origin-Opener-Policy:same-origin Cross-Origin-Opener-Policy:same-origin
Cross-Origin-Resource-Policy:same-site Cross-Origin-Resource-Policy:same-site
@ -377,9 +406,14 @@
<filter-name>URLHandler_Virtual_Host_idmOperations-Loggedout</filter-name> <filter-name>URLHandler_Virtual_Host_idmOperations-Loggedout</filter-name>
<url-pattern>/*</url-pattern> <url-pattern>/*</url-pattern>
</filter-mapping> </filter-mapping>
<!-- source: pattern://9c6ad44795320a7adec1ccde --> <!-- source: pattern://29a7ba8eaff67eb26d2394bc -->
<filter-mapping> <filter-mapping>
<filter-name>ResponseHeader_Security_Response_Headers</filter-name> <filter-name>Lua_CSP_Security_Response_Headers</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- source: pattern://36886a1934993d1f69690e1d -->
<filter-mapping>
<filter-name>ResponseHeader_Base_Security_Response_Headers</filter-name>
<url-pattern>/*</url-pattern> <url-pattern>/*</url-pattern>
</filter-mapping> </filter-mapping>
<!-- source: pattern://6f9c9f982dcc7ef59a34f1f7 --> <!-- source: pattern://6f9c9f982dcc7ef59a34f1f7 -->
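Review bot: The enforced `param_csp` on the new Lua filter (the `<param-value>` of the `param_csp` init-param in the first hunk) uses `style-src 'self' 'unsafe-inline'` and `form-action 'self' https://trustbroker.agov-d.azure.adnovum.net/ https://me.agov-d.azure.adnovum.net/`, whereas the Content-Security-Policy-Report-Only value that appears only once in the second hunk (apparently the removed line, given the 15→14 count) limited styles to `'self'` plus explicit sha256 hashes and form-action to `https://trustbroker.agov-d.azure.adnovum.net/adfs/ls`. Moving from report-only to an enforced header is the right direction, but the policy now enforced is looser for styles and form targets than the one that was being trialled, and nothing in the commit says whether the hash list was dropped deliberately. A comment above that init-param recording the reason, e.g. `<!-- style-src: hashes from the former report-only policy replaced by 'unsafe-inline' because REASON-PLACEHOLDER -->`, would stop the next edit from tightening or loosening it blindly. Note also that outputHeader keeps any content-security-policy header the backend already set, so the effective policy on this host depends on what the backend emits, not only on this value. The same param values are duplicated verbatim in the later host's web.xml section; sourcing both from one pattern value would keep them in step.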


@ -46,7 +46,7 @@ spec:
podDisruptionBudget: podDisruptionBudget:
maxUnavailable: "50%" maxUnavailable: "50%"
git: git:
tag: "r-868174843070c36c5da54e3a43d558da046b6ce7" tag: "r-6cf60cd5531f9aed26896314800fd102f3af114f"
dir: "DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/proxy-sp" dir: "DEFAULT-ADN-AGOV-ADMIN-PROJECT/DEFAULT-ADN-AGOV-ADMIN-INV/proxy-sp"
credentials: "git-credentials" credentials: "git-credentials"
keystores: keystores:


@ -0,0 +1,18 @@
function outputHeader(request, response)
trace = request:getTracer()
cspHeader = response:getHeader("content-security-policy")
if (cspHeader ~= nil) then
trace:debug("AGOV CSP: Header set by backend, keep it as is (" .. cspHeader .. ").")
else
trace:debug("AGOV CSP: Header not set by backend, default AGOV csp set (" .. param_csp .. ").")
response:setHeader("content-security-policy", param_csp)
end
if (param_report_only_csp ~= nil and param_report_only_csp ~= "none") then
trace:debug("AGOV CSP: Additionl report only CSP-header set (" .. param_report_only_csp .. ")")
response:setHeader("content-security-policy-report-only", param_report_only_csp)
else
trace:debug("AGOV CSP: No report only CSP-header set")
end
end


@ -175,6 +175,36 @@
</param-value> </param-value>
</init-param> </init-param>
</filter> </filter>
<!-- source: pattern://29a7ba8eaff67eb26d2394bc -->
<filter>
<filter-name>Lua_CSP_Security_Response_Headers</filter-name>
<filter-class>ch::nevis::isiweb4::filter::lua::LuaFilter</filter-class>
<!-- source: pattern://29a7ba8eaff67eb26d2394bc -->
<init-param>
<param-name>Script.Namespace</param-name>
<param-value>param_</param-value>
</init-param>
<!-- source: pattern://29a7ba8eaff67eb26d2394bc -->
<init-param>
<param-name>Script.OutputHeaderFunctionName</param-name>
<param-value>outputHeader</param-value>
</init-param>
<!-- source: pattern://29a7ba8eaff67eb26d2394bc -->
<init-param>
<param-name>Script.Path</param-name>
<param-value>/var/opt/nevisproxy/default/host-op.agov-w.azure.adnovum.net/WEB-INF/csp_security_response_headers.lua</param-value>
</init-param>
<!-- source: pattern://29a7ba8eaff67eb26d2394bc -->
<init-param>
<param-name>param_csp</param-name>
<param-value>default-src 'none'; script-src 'self' 'sha256-4r4l/2aahtvPIxQP0YmmqfftYXNwNqxxqOUaXVE0FjM=' 'sha256-3sconOU5uxdS6tVa5DhEli3N+/aY9IvYh873WqDptD0=' 'sha256-N3+RfLbnlpBc0lUnNy4soyLbX0tNDqQt5LPzkEsYOHo=' 'sha256-uOoE0nq21NJDv37YLUOxV9aCnNstJ0GK7BiXNMXQAcI='; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://trustbroker.agov-d.azure.adnovum.net/ https://me.agov-d.azure.adnovum.net/; font-src 'self';</param-value>
</init-param>
<!-- source: pattern://29a7ba8eaff67eb26d2394bc -->
<init-param>
<param-name>param_report_only_csp</param-name>
<param-value>default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self' https://trustbroker.agov-d.azure.adnovum.net/ https://me.agov-d.azure.adnovum.net/; font-src 'self';</param-value>
</init-param>
</filter>
<!-- source: pattern://f010ec68088ebd56349c7135 --> <!-- source: pattern://f010ec68088ebd56349c7135 -->
<filter> <filter>
<filter-name>ModSecurity_GreenMail</filter-name> <filter-name>ModSecurity_GreenMail</filter-name>
@ -270,15 +300,14 @@
<param-value>false</param-value> <param-value>false</param-value>
</init-param> </init-param>
</filter> </filter>
<!-- source: pattern://9c6ad44795320a7adec1ccde --> <!-- source: pattern://36886a1934993d1f69690e1d -->
<filter> <filter>
<filter-name>ResponseHeader_Security_Response_Headers</filter-name> <filter-name>ResponseHeader_Base_Security_Response_Headers</filter-name>
<filter-class>ch::nevis::isiweb4::filter::delegation::HeaderDelegationFilter</filter-class> <filter-class>ch::nevis::isiweb4::filter::delegation::HeaderDelegationFilter</filter-class>
<!-- source: pattern://9c6ad44795320a7adec1ccde --> <!-- source: pattern://36886a1934993d1f69690e1d -->
<init-param> <init-param>
<param-name>DelegateToFrontend</param-name> <param-name>DelegateToFrontend</param-name>
<param-value> <param-value>
Content-Security-Policy-Report-Only:default-src 'none'; script-src 'self' 'sha256-4r4l/2aahtvPIxQP0YmmqfftYXNwNqxxqOUaXVE0FjM=' 'sha256-3sconOU5uxdS6tVa5DhEli3N+/aY9IvYh873WqDptD0=' 'sha256-N3+RfLbnlpBc0lUnNy4soyLbX0tNDqQt5LPzkEsYOHo=' 'sha256-uOoE0nq21NJDv37YLUOxV9aCnNstJ0GK7BiXNMXQAcI='; img-src 'self'; style-src 'self' 'sha256-/yxYnm5QjS5hz1/KbfNQ/Deyfb9rK1xZefYJGNT9UmU=' 'sha256-2diQqrANllVP9IWjXj1A6fjjvlPtpN6NXlmTiRJneCU=' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' 'sha256-DHdp+1g/LIFDKreGcezYZywjzyvqUEbmjv4fv+nEQeE=' 'sha256-DtJ0G5eArSV7tvvFUUeV7iyiWfBGflIkRW64/tmMWUk=' 'sha256-JhfXJ5URuB/EAqhZ9vqgEO6trOuCE0w2/ChmfrVzxFo=' 'sha256-MdFWcEIx4V82/ap9SUt01BxZMN4eFGEl8hNDFEGIzJU=' 'sha256-dnsMWK7eeuHUJm/wLL2CXCibJJV0lnUxjpqlu5fcUsg=' 'sha256-iKyiqXXi2KXxNcOUCr+VCUo09ipHFWuIkztLNvUXhd0=' 'sha256-ifPclQYYwRDXSPQgB9/6UgAgEICBpwegJBWNhOI8dOA='; form-action 'self' https://trustbroker.agov-d.azure.adnovum.net/adfs/ls; font-src 'self'; connect-src 'self';
Cross-Origin-Embedder-Policy:require-corp Cross-Origin-Embedder-Policy:require-corp
Cross-Origin-Opener-Policy:same-origin Cross-Origin-Opener-Policy:same-origin
Cross-Origin-Resource-Policy:same-site Cross-Origin-Resource-Policy:same-site
@ -517,9 +546,14 @@
<filter-name>URLHandler_Virtual_Host_idmOperations-Loggedout</filter-name> <filter-name>URLHandler_Virtual_Host_idmOperations-Loggedout</filter-name>
<url-pattern>/*</url-pattern> <url-pattern>/*</url-pattern>
</filter-mapping> </filter-mapping>
<!-- source: pattern://9c6ad44795320a7adec1ccde --> <!-- source: pattern://36886a1934993d1f69690e1d -->
<filter-mapping> <filter-mapping>
<filter-name>ResponseHeader_Security_Response_Headers</filter-name> <filter-name>ResponseHeader_Base_Security_Response_Headers</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<!-- source: pattern://29a7ba8eaff67eb26d2394bc -->
<filter-mapping>
<filter-name>Lua_CSP_Security_Response_Headers</filter-name>
<url-pattern>/*</url-pattern> <url-pattern>/*</url-pattern>
</filter-mapping> </filter-mapping>
<!-- source: pattern://7518c6cc61e47eec6322ae17 --> <!-- source: pattern://7518c6cc61e47eec6322ae17 -->
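Review bot: The filter-mapping order in the last hunk (`ResponseHeader_Base_Security_Response_Headers` before `Lua_CSP_Security_Response_Headers`) is the reverse of the order in the corresponding hunk of the earlier web.xml section, where the Lua mapping comes first. If nevisProxy runs filters in filter-mapping order, the two hosts apply the header filters in opposite sequences, which matters because outputHeader keeps an existing content-security-policy header and only adds its own when none is present. Settle on one order for both files, e.g. move the `Lua_CSP_Security_Response_Headers` mapping block in the other file to follow the `ResponseHeader_Base_Security_Response_Headers` mapping so the two hosts behave the same. Whether mapping order determines execution order is not visible here, and the DelegateToFrontend header list in the middle hunk is cut off after Cross-Origin-Resource-Policy, so whether the base filter still emits any CSP-related header cannot be confirmed from this page.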