Addendum: SimpleHTTP(S) or how to get an SSL terminated file server with 5 lines of Python code...

So in the previous post I already hinted at the possibility of using SimpleHTTP as a basic file server for your mirror. You can use it to publish any folder, and I combined a few tricks to get this SSL-terminated SimpleHTTP server. It is a lot simpler than Apache and a good solution if your only goal is a simple file server.


The actual web server (simple-https-server.py)

# Python 2 modules (BaseHTTPServer and SimpleHTTPServer became http.server in Python 3)
import BaseHTTPServer, SimpleHTTPServer
import ssl

# Listen on all interfaces, port 8443, and serve the current working directory read-only
httpd = BaseHTTPServer.HTTPServer(('', 8443), SimpleHTTPServer.SimpleHTTPRequestHandler)
# Wrap the listening socket in TLS; the cert/key paths are relative to the service's WorkingDirectory
httpd.socket = ssl.wrap_socket(httpd.socket, certfile='../mirror.pem', keyfile='../mirror.key', server_side=True)
httpd.serve_forever()

The systemd service (/etc/systemd/system/simplehttp.service). Make sure the simplehttp user exists, and disable its shell in /etc/passwd.

[Unit]
Description=Job that runs the python SimpleHTTPServer daemon
Documentation=man:SimpleHTTPServer(1)

[Service]
Type=simple
User=simplehttp
WorkingDirectory=/opt/data/mirror/
# systemd executes ExecStart directly, without a shell: no trailing '&' and no backticks.
# The process stays in the foreground and systemd stops it with SIGTERM on 'systemctl stop'.
ExecStart=/usr/bin/python /opt/data/simple-https-server.py

[Install]
WantedBy=multi-user.target

And of course, enable and start the service and create the right firewall entries (rules added with --permanent only become active after a firewall-cmd --reload). In this example port 80 is forwarded to 443 as well; note that this is a firewall port forward, not an HTTP-level redirect, and 443 is forwarded on to 8443 so the service can run unprivileged.

firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --zone=public --add-port=443/tcp --permanent
firewall-cmd --zone=public --add-masquerade --permanent
firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=443 --permanent
firewall-cmd --zone=public --add-forward-port=port=443:proto=tcp:toport=8443 --permanent
firewall-cmd --reload
systemctl enable simplehttp
systemctl start simplehttp
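As an added example (not the original post's script), here is the same file server written for Python 3. ssl.wrap_socket() was removed in Python 3.12, so the TLS setup goes through an ssl.SSLContext that refuses anything below TLS 1.2, and a second plain-HTTP listener answers every request with an HTTP 301 to the HTTPS URL, which is what a real redirect to HTTPS looks like (the firewall forward above only moves packets between ports). The directory, certificate paths, ports and hostnames are assumptions for illustration.

```python
# Added example, not the original post's code: Python 3 port of the five-line
# SimpleHTTP TLS server plus a plain-HTTP listener that redirects to HTTPS.
# All paths, ports and hostnames below are assumptions for illustration.
import argparse
import functools
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer, SimpleHTTPRequestHandler


def strip_port(host_header):
    """Return the host part of a Host header, keeping IPv6 brackets intact."""
    if host_header.startswith("[") and "]" in host_header:   # e.g. "[::1]:8080"
        return host_header[: host_header.index("]") + 1]
    return host_header.split(":", 1)[0]


def https_location(host_header, path, https_port=443):
    """Build the Location value for redirecting a plain-HTTP request to HTTPS."""
    host = strip_port(host_header) or "localhost"
    port = "" if https_port == 443 else f":{https_port}"
    return f"https://{host}{port}{path}"


class RedirectToHTTPS(BaseHTTPRequestHandler):
    """Answers every request on the plain-HTTP port with a permanent redirect."""
    https_port = 443   # the port clients are sent to; set by main() from --redirect-port

    def do_GET(self):
        self.send_response(301)
        self.send_header("Location", https_location(self.headers.get("Host", ""), self.path, self.https_port))
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_HEAD = do_GET


def build_ssl_context(certfile, keyfile):
    """Server-side context that refuses anything below TLS 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx


def build_https_server(directory, certfile, keyfile, bind="", port=8443):
    """Read-only file server for `directory` over TLS (the original script's job)."""
    handler = functools.partial(SimpleHTTPRequestHandler, directory=directory)
    httpd = HTTPServer((bind, port), handler)
    httpd.socket = build_ssl_context(certfile, keyfile).wrap_socket(httpd.socket, server_side=True)
    return httpd


def main():
    p = argparse.ArgumentParser(description="TLS-terminated SimpleHTTP file server (assumed defaults)")
    p.add_argument("directory", help="folder to publish, e.g. /opt/data/mirror")
    p.add_argument("certfile")
    p.add_argument("keyfile")
    p.add_argument("--https-port", type=int, default=8443, help="port the TLS listener binds to")
    p.add_argument("--http-port", type=int, default=8080, help="port the redirect listener binds to")
    p.add_argument("--redirect-port", type=int, default=443, help="HTTPS port clients are redirected to")
    args = p.parse_args()

    RedirectToHTTPS.https_port = args.redirect_port
    redirector = HTTPServer(("", args.http_port), RedirectToHTTPS)
    threading.Thread(target=redirector.serve_forever, daemon=True).start()

    build_https_server(args.directory, args.certfile, args.keyfile, port=args.https_port).serve_forever()


if __name__ == "__main__":
    main()
```

Run it as the unprivileged simplehttp user with, for instance, `python3 simple-https-server.py /opt/data/mirror ../mirror.pem ../mirror.key`; with the firewall forwarding 80 to 8080 and 443 to 8443, a client that asks for http://mirror.example.com/repo/ gets a 301 to https://mirror.example.com/repo/ and then talks TLS to the file server.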


Configuring F5 and Apache for security headers

We started to implement security headers in all our public web services. This article has some examples of how I implemented them in F5 and/or Apache.


For HTTP Strict Transport Security (HSTS) I used an iRule (the current max-age of 15638400 seconds is 181 days).

when RULE_INIT {
  set static::max_age 15638400
}
when HTTP_RESPONSE {
  #HSTS
  HTTP::header insert Strict-Transport-Security "max-age=$static::max_age; includeSubDomains"
}

If you don't have an F5 you can implement the HSTS header in Apache as well, like this:

# 'always set' also applies to non-2xx responses and replaces an existing header instead of comma-merging with it
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

The other security headers are set in Apache where possible.

RequestHeader set X-Forwarded-Proto "https"

# 'always set' also covers error responses and replaces any upstream value; 'append' would comma-merge with an existing header
Header always set X-Frame-Options SAMEORIGIN
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options nosniff
Header always set Content-Security-Policy "frame-ancestors 'self' https://*.cloudfront.net https://*.googleapis.com https://fonts.gstatic.com https://*.youtube.com https://www.googleadservices.com https://googleads.g.doubleclick.net https://s.ytimg.com https://www.google.com https://www.google.be https://usage.trackjs.com https://i.ytimg.com"
Header always set x-webkit-csp "frame-ancestors 'self' https://*.cloudfront.net https://*.googleapis.com https://fonts.gstatic.com https://*.youtube.com https://www.googleadservices.com https://googleads.g.doubleclick.net https://s.ytimg.com https://www.google.com https://www.google.be https://usage.trackjs.com https://i.ytimg.com"
Header always set X-Content-Security-Policy "frame-ancestors 'self' https://*.cloudfront.net https://*.googleapis.com https://fonts.gstatic.com https://*.youtube.com https://www.googleadservices.com https://googleads.g.doubleclick.net https://s.ytimg.com https://www.google.com https://www.google.be https://usage.trackjs.com https://i.ytimg.com"
Header always set Referrer-Policy "strict-origin-when-cross-origin"

Or, for Java-based applications, we also use an iRule:

when HTTP_REQUEST {
  HTTP::header insert X-Forwarded-Proto "https"
}
when HTTP_RESPONSE {
  #X-XSS-Protection
  HTTP::header insert X-XSS-Protection "1; mode=block"
  #X-Frame-Options
  HTTP::header insert X-Frame-Options "SAMEORIGIN"
  #X-Content-Type-Options
  HTTP::header insert X-Content-Type-Options "nosniff"
  #CSP
  HTTP::header insert Content-Security-Policy "frame-ancestors 'self'"
  #CSP for IE
  HTTP::header insert X-Content-Security-Policy "frame-ancestors 'self'"
  #CSP for older WebKit
  HTTP::header insert x-webkit-csp "frame-ancestors 'self'"
  #Referrer policy
  HTTP::header insert Referrer-Policy "strict-origin-when-cross-origin"
}
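To check that the headers from the Apache configuration and the iRules above actually arrive at the client, here is an added example (not part of the original article) of the kind of test the online header checker performs, run offline: parse_response_head() takes the head of an HTTP response (what `curl -sI https://host/` prints) and audit_security_headers() lists what is missing or weaker than expected. The HSTS threshold and the two sample responses are constructed for illustration.

```python
# Added example, not from the original article: offline audit of the security
# headers discussed above. Threshold and sample responses are constructed.
import re

MIN_HSTS_MAX_AGE = 15552000   # 180 days; assumed minimum (the post uses 181 days and 2 years)


def parse_response_head(text):
    """Turn 'Name: value' lines into a lower-cased dict; repeated headers are comma-joined."""
    headers = {}
    for line in text.splitlines()[1:]:          # line 0 is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def audit_security_headers(headers):
    """Return a list of findings; an empty list means every expected header is present and sane."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m:
            findings.append("Strict-Transport-Security has no max-age")
        elif int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"Strict-Transport-Security max-age {m.group(1)} below {MIN_HSTS_MAX_AGE}")
        if "includesubdomains" not in hsts.lower():
            findings.append("Strict-Transport-Security lacks includeSubDomains")

    csp = h.get("content-security-policy", "")
    xfo = h.get("x-frame-options")
    if xfo is None and "frame-ancestors" not in csp.lower():
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
    elif xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options value {xfo!r} is not DENY or SAMEORIGIN")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")
    if not csp:
        findings.append("Content-Security-Policy missing")
    return findings


# Constructed sample: the header set the Apache configuration above produces.
SAMPLE_GOOD = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=63072000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'self'
Referrer-Policy: strict-origin-when-cross-origin
"""

# Constructed sample: a service that only got a token HSTS header and a bogus X-Frame-Options.
SAMPLE_WEAK = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
X-Frame-Options: ALLOWALL
Content-Type: text/html
"""

if __name__ == "__main__":
    for label, sample in (("good", SAMPLE_GOOD), ("weak", SAMPLE_WEAK)):
        print(label, audit_security_headers(parse_response_head(sample)) or "OK")
```

Pipe the output of `curl -sI` for each public site into parse_response_head() and keep the findings list empty; the weak sample yields six findings, the good one none.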

Some info about security headers:

And to verify your security headers you can use this online tool.

And the blog of the guy who made the test. He seems well informed, and his blog has a lot of useful information and examples.

And of course to verify that this site got an A rating!

Force update of certificate in Satellite

I needed to update our certificate for Satellite and Capsule to include a SAN to get around issues in Chrome 58. In this tutorial we use a single certificate for both the Satellite and the Capsule server(s).

This is what I did:

First, create a CSR that contains the SAN field.

san.cnf (you only have to adapt the DNS.? fields)

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
stateOrProvinceName         = State or Province Name (full name)
localityName               = Locality Name (eg, city)
organizationName           = Organization Name (eg, company)
commonName                 = Common Name (e.g. server FQDN or YOUR name)
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1   = satellite.company.com
DNS.2   = capsule.dmz.com

Next, generate the CSR using this config:

openssl req -out satellite.csr -newkey rsa:4096 -nodes -keyout satellite.key -config san.cnf

Next, submit your CSR to your CA or SSL provider and get it signed (the signed certificate is satellite.cer below).

And now we are going to update the Satellite (as root on the Satellite server):

satellite-installer --certs-server-cert /home/koen/satellite.cer --certs-server-cert-req /home/koen/satellite.csr --certs-server-key /home/koen/satellite.key --certs-server-ca-cert /etc/pki/ca-trust/source/anchors/CA01.crt --certs-update-server --certs-update-server-ca

And optionally create the package for the Capsule server using the same certificate (since we have both FQDNs in the SAN field), still as root on the Satellite server:

capsule-certs-generate --capsule-fqdn "capsule.dmz.com" --certs-tar /root/sat_cert/capsule.dmz.com-certs.tar --server-cert /home/koen/satellite.cer --server-cert-req /home/koen/satellite.csr --server-key /home/koen/satellite.key --server-ca-cert /etc/pki/ca-trust/source/anchors/CA01.crt --regenerate --regenerate-ca --certs-update-server

This will tell you how to install it on the Capsule server. Next, restart the katello-service on both machines and check that everything has been updated with the new certificate.

katello-service restart
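Because the whole procedure hinges on both FQDNs being in the subjectAltName, here is an added example (not part of the original post) that generates san.cnf from a list of FQDNs and, once the CSR or the signed certificate is at hand, checks that every required name really is in the SAN before satellite-installer or capsule-certs-generate is run. The two FQDNs are the ones used above; the file paths, the openssl invocation wrapper and the sample openssl output are constructed for illustration.

```python
# Added example, not from the original post: render san.cnf and verify the SAN
# entries of a CSR or certificate. FQDNs are those of the post; paths and the
# sample openssl text output are constructed.
import re
import subprocess

SAN_CNF_TEMPLATE = """[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
[ req_distinguished_name ]
countryName         = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName        = Locality Name (eg, city)
organizationName    = Organization Name (eg, company)
commonName          = Common Name (e.g. server FQDN or YOUR name)
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
{alt_names}
"""


def render_san_config(fqdns):
    """Return the san.cnf text with one DNS.n entry per FQDN."""
    alt_names = "\n".join(f"DNS.{i} = {name}" for i, name in enumerate(fqdns, start=1))
    return SAN_CNF_TEMPLATE.format(alt_names=alt_names)


def dns_sans(openssl_text_output):
    """Pull the DNS: entries out of `openssl req -text` or `openssl x509 -text` output."""
    return re.findall(r"DNS:([^,\s]+)", openssl_text_output)


def missing_sans(openssl_text_output, required):
    """FQDNs from `required` that are absent from the subjectAltName (case-insensitive)."""
    present = {name.lower() for name in dns_sans(openssl_text_output)}
    return [name for name in required if name.lower() not in present]


def openssl_text(path, kind):
    """Dump a CSR (kind='req') or certificate (kind='x509') as text via the openssl CLI."""
    out = subprocess.run(["openssl", kind, "-in", path, "-noout", "-text"],
                         check=True, capture_output=True, text=True)
    return out.stdout


# Constructed: the SAN section of `openssl x509 -noout -text` for a cert covering both hosts.
SAMPLE_X509_TEXT = """        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:satellite.company.com, DNS:capsule.dmz.com
"""

REQUIRED_FQDNS = ["satellite.company.com", "capsule.dmz.com"]

if __name__ == "__main__":
    import sys
    with open("san.cnf", "w") as f:
        f.write(render_san_config(REQUIRED_FQDNS))
    # Same openssl command as in the post; it prompts for the DN fields interactively.
    subprocess.run(["openssl", "req", "-out", "satellite.csr", "-newkey", "rsa:4096", "-nodes",
                    "-keyout", "satellite.key", "-config", "san.cnf"], check=True)
    gaps = missing_sans(openssl_text("satellite.csr", "req"), REQUIRED_FQDNS)
    if gaps:
        sys.exit(f"CSR is missing SAN entries: {gaps}")
    print("CSR carries all required SANs; after signing, re-check satellite.cer with kind='x509'")
```

Some CAs silently drop SAN entries they cannot validate, so the second check against the signed satellite.cer (kind='x509') is the one that matters before running satellite-installer.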
