[Horizon] Hide OS and Apache version in error messages

This PS allows to customize (and disable) information about OS and
Apache version displayed on pages with error messages.

Change-Id: Ic4d19bcc90dadf5cf26faa5c8fb39de00a6f3212
This commit is contained in:
Dmitrii Kabanov 2019-01-15 15:42:05 -08:00 committed by Chris Wedgwood
parent 5b86825680
commit 1173ef79a1
3 changed files with 75 additions and 0 deletions

View File

@ -25,6 +25,9 @@ type: Opaque
data:
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.horizon.apache "key" "horizon.conf" "format" "Secret" ) | indent 2 }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.horizon.local_settings.template "key" "local_settings" "format" "Secret" ) | indent 2 }}
{{- if .Values.conf.horizon.security }}
{{- include "helm-toolkit.snippets.values_template_renderer" (dict "envAll" $envAll "template" .Values.conf.horizon.security "key" "security.conf" "format" "Secret" ) | indent 2 }}
{{- end }}
{{- range $key, $value := .Values.conf.horizon.policy }}
{{ printf "%s_policy.json" $key }}: {{ $value | toPrettyJson | b64enc }}
{{- end }}

View File

@ -102,6 +102,12 @@ spec:
mountPath: /etc/apache2/sites-enabled/000-default.conf
subPath: horizon.conf
readOnly: true
{{- if .Values.conf.horizon.security }}
- name: horizon-etc
mountPath: /etc/apache2/conf-available/security.conf
subPath: security.conf
readOnly: true
{{- end }}
- name: horizon-bin
mountPath: /var/www/cgi-bin/horizon/django.wsgi
subPath: django.wsgi

View File

@ -97,6 +97,72 @@ conf:
CustomLog /dev/stdout combined env=!forwarded
CustomLog /dev/stdout proxy env=forwarded
</Virtualhost>
security: |
#
# Disable access to the entire file system except for the directories that
# are explicitly allowed later.
#
# This currently breaks the configurations that come with some web application
# Debian packages.
#
#<Directory />
# AllowOverride None
# Require all denied
#</Directory>
# Changing the following options will not really affect the security of the
# server, but might make attacks slightly more difficult in some cases.
#
# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of: Full | OS | Minimal | Minor | Major | Prod
# where Full conveys the most information, and Prod the least.
ServerTokens Prod
#
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
ServerSignature Off
#
# Allow TRACE method
#
# Set to "extended" to also reflect the request body (only for testing and
# diagnostic purposes).
#
# Set to one of: On | Off | extended
TraceEnable Off
#
# Forbid access to version control directories
#
# If you use version control systems in your document root, you should
# probably deny access to their directories. For example, for subversion:
#
#<DirectoryMatch "/\.svn">
# Require all denied
#</DirectoryMatch>
#
# Setting this header will prevent MSIE from interpreting files as something
# else than declared by the content type in the HTTP headers.
# Requires mod_headers to be enabled.
#
#Header set X-Content-Type-Options: "nosniff"
#
# Setting this header will prevent other sites from embedding pages from this
# site as frames. This defends against clickjacking attacks.
# Requires mod_headers to be enabled.
#
#Header set X-Frame-Options: "sameorigin"
local_settings:
config:
# Use "True" and "False" as Titlecase strings with quotes, boolean