From 1173ef79a1c10b94dda2ea81a122e0a0d8ba7fc0 Mon Sep 17 00:00:00 2001
From: Dmitrii Kabanov <dk370c@att.com>
Date: Tue, 15 Jan 2019 15:42:05 -0800
Subject: [PATCH] [Horizon] Hide OS and Apache version in error messages

This PS allows to customize (and disable) information about OS and
Apache version displayed on pages with error messages.

Change-Id: Ic4d19bcc90dadf5cf26faa5c8fb39de00a6f3212
---
 horizon/templates/configmap-etc.yaml |  3 ++
 horizon/templates/deployment.yaml    |  6 +++
 horizon/values.yaml                  | 66 ++++++++++++++++++++++++++++
 3 files changed, 75 insertions(+)

diff --git a/horizon/templates/configmap-etc.yaml b/horizon/templates/configmap-etc.yaml
index bfdfc18733..2a812a61b2 100644
--- a/horizon/templates/configmap-etc.yaml
+++ b/horizon/templates/configmap-etc.yaml
@@ -25,6 +25,9 @@ type: Opaque
 data:
 {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.horizon.apache "key" "horizon.conf" "format" "Secret" ) | indent 2 }}
 {{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.horizon.local_settings.template "key" "local_settings" "format" "Secret" ) | indent 2 }}
+{{- if .Values.conf.horizon.security }}
+{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.horizon.security "key" "security.conf" "format" "Secret" ) | indent 2 }}
+{{- end }}
 {{- range $key, $value := .Values.conf.horizon.policy }}
   {{ printf "%s_policy.json" $key }}: {{ $value | toPrettyJson | b64enc }}
 {{- end }}
diff --git a/horizon/templates/deployment.yaml b/horizon/templates/deployment.yaml
index 688e880a77..5a636471fd 100644
--- a/horizon/templates/deployment.yaml
+++ b/horizon/templates/deployment.yaml
@@ -102,6 +102,12 @@ spec:
               mountPath: /etc/apache2/sites-enabled/000-default.conf
               subPath: horizon.conf
               readOnly: true
+            {{- if .Values.conf.horizon.security }}
+            - name: horizon-etc
+              mountPath: /etc/apache2/conf-available/security.conf
+              subPath: security.conf
+              readOnly: true
+            {{- end }}
             - name: horizon-bin
               mountPath: /var/www/cgi-bin/horizon/django.wsgi
               subPath: django.wsgi
diff --git a/horizon/values.yaml b/horizon/values.yaml
index 50a337e5bb..846982d204 100644
--- a/horizon/values.yaml
+++ b/horizon/values.yaml
@@ -97,6 +97,72 @@ conf:
           CustomLog /dev/stdout combined env=!forwarded
           CustomLog /dev/stdout proxy env=forwarded
       </Virtualhost>
+    security: |
+      #
+      # Disable access to the entire file system except for the directories that
+      # are explicitly allowed later.
+      #
+      # This currently breaks the configurations that come with some web application
+      # Debian packages.
+      #
+      #<Directory />
+      #   AllowOverride None
+      #   Require all denied
+      #</Directory>
+
+      # Changing the following options will not really affect the security of the
+      # server, but might make attacks slightly more difficult in some cases.
+
+      #
+      # ServerTokens
+      # This directive configures what you return as the Server HTTP response
+      # Header. The default is 'Full' which sends information about the OS-Type
+      # and compiled in modules.
+      # Set to one of:  Full | OS | Minimal | Minor | Major | Prod
+      # where Full conveys the most information, and Prod the least.
+      ServerTokens Prod
+
+      #
+      # Optionally add a line containing the server version and virtual host
+      # name to server-generated pages (internal error documents, FTP directory
+      # listings, mod_status and mod_info output etc., but not CGI generated
+      # documents or custom error documents).
+      # Set to "EMail" to also include a mailto: link to the ServerAdmin.
+      # Set to one of:  On | Off | EMail
+      ServerSignature Off
+
+      #
+      # Allow TRACE method
+      #
+      # Set to "extended" to also reflect the request body (only for testing and
+      # diagnostic purposes).
+      #
+      # Set to one of:  On | Off | extended
+      TraceEnable Off
+
+      #
+      # Forbid access to version control directories
+      #
+      # If you use version control systems in your document root, you should
+      # probably deny access to their directories. For example, for subversion:
+      #
+      #<DirectoryMatch "/\.svn">
+      #   Require all denied
+      #</DirectoryMatch>
+
+      #
+      # Setting this header will prevent MSIE from interpreting files as something
+      # else than declared by the content type in the HTTP headers.
+      # Requires mod_headers to be enabled.
+      #
+      #Header set X-Content-Type-Options: "nosniff"
+
+      #
+      # Setting this header will prevent other sites from embedding pages from this
+      # site as frames. This defends against clickjacking attacks.
+      # Requires mod_headers to be enabled.
+      #
+      #Header set X-Frame-Options: "sameorigin"
     local_settings:
       config:
         # Use "True" and "False" as Titlecase strings with quotes, boolean