Feat/1544 add nginx configuration increase security performance #2173
Conversation
Codecov Report
Additional details and impacted files@@ Coverage Diff @@
## develop #2173 +/- ##
========================================
Coverage 94.13% 94.13%
========================================
Files 96 96
Lines 2846 2846
Branches 263 263
========================================
Hits 2679 2679
Misses 120 120
Partials 47 47
Flags with carried forward coverage won't be shown. Click here to find out more.
Continue to review full report at Codecov.
|
…e-security-performance
raftmsohani
added
Deploy with CircleCI-raft
raftmsohani
removed
the
Deploy with CircleCI-raft
|
|
||
| In general for TDRS, the *Nginx* handles incoming HTTP requests to both frontend and backend. The frontend requests are handled directly while the backend requests are forwarded to the backend server. | ||
|
|
||
|  |
There was a problem hiding this comment.
We might be able to keep a single diagram and just update this one:
https://github.com/raft-tech/TANF-app/blob/develop/docs/Security-Compliance/boundary-diagram.md
andrew-jameson
added
Deploy with CircleCI-raft
|
@raftmsohani Can you verify that the ip whitelist allows the territories (Puerto Rico, Guam, Virgin Islands)? Credit to @ADPennington |
| @@ -93,7 +93,7 @@ services: | |||
| bash -c "./wait_for_services.sh && | |||
| ./gunicorn_start.sh && celery -A tdpservice.settings worker -l info" | |||
| ports: | |||
| - "8080:8080" | |||
| #- "8080:8080" | |||
There was a problem hiding this comment.
Port assignment should be removed -> delete #- "8080:8080"
| location = /profile { | ||
| index index.html index.htm; | ||
| try_files $uri $uri/ /index.html; | ||
| } | ||
|
|
||
| location = /home { | ||
| index index.html index.htm; | ||
| try_files $uri $uri/ /index.html; | ||
| } | ||
|
|
||
| location ^~ /data-files { | ||
| index index.html index.htm; | ||
| try_files $uri $uri/ /index.html; | ||
| } | ||
|
|
||
| location = /login { | ||
| index index.html index.htm; | ||
| try_files $uri $uri/ /index.html; | ||
| } | ||
|
|
||
| location = / { | ||
| index index.html index.htm; | ||
| try_files $uri $uri/ /index.html; | ||
| } |
There was a problem hiding this comment.
Can these locations be collapsed into one block? They appear identical.
EDIT: Looks like this was the same as from prior locations.conf. It's not a real change but didn't notice initially since we don't have before/after diff on several files.
There was a problem hiding this comment.
it can be done for sure. An easy fix
The before after missing is because of file relocation -> moved some of the files to another directory
There was a problem hiding this comment.
The before after missing is because of file relocation -> moved some of the files to another directory
Did you just manually move it vs using git mv? Minor nit
There was a problem hiding this comment.
Virgin Islands
I bet the test will fail because I will have to add the following lists:
https://lite.ip2location.com/virgin-islands-(u.s.)-ip-address-ranges https://lite.ip2location.com/guam-ip-address-ranges?lang=en_US
Virgin Islands
I bet the test will fail because I will have to add the following lists:
https://lite.ip2location.com/virgin-islands-(u.s.)-ip-address-ranges https://lite.ip2location.com/guam-ip-address-ranges?lang=en_US
Added both location to whitelist
| @@ -0,0 +1,81 @@ | |||
|
|
|||
There was a problem hiding this comment.
Before merging, I would want to deploy-to/test-in prod and would want to coordinate this with @ADPennington and setup maintenance window w/ UX
| # prevent MIME sniffing | ||
| add_header X-Content-Type-Options: nosniff; | ||
|
|
||
| # CSP header options. All options are set either to none or self except |
There was a problem hiding this comment.
Looks like the second half of this sentence got missed
| #location ~ \.(css)$ { | ||
| # add_header Content-Type text/css; | ||
| #} | ||
|
|
||
| #location = /nginx_status { | ||
| # stub_status on; | ||
| # access_log off; | ||
| # deny all; | ||
| #} | ||
|
|
There was a problem hiding this comment.
| #location ~ \.(css)$ { | |
| # add_header Content-Type text/css; | |
| #} | |
| #location = /nginx_status { | |
| # stub_status on; | |
| # access_log off; | |
| # deny all; | |
| #} |
There was a problem hiding this comment.
kept the /nginx_status for local.
| set $CSP "${CSP}media-src 'none';"; | ||
| set $CSP "${CSP}prefetch-src 'none';"; | ||
| set $CSP "${CSP}form-action 'none';"; | ||
| set $CSP "${CSP}script-src-elem 'self' http://localhost:* http://www.w3.org;"; |
There was a problem hiding this comment.
| set $CSP "${CSP}script-src-elem 'self' http://localhost:* http://www.w3.org;"; | |
| set $CSP "${CSP}script-src-elem 'self' http://localhost:*;"; |
Are we sure we want the w3 part in there? Confused on why. Are we pulling JS/CSS?
There was a problem hiding this comment.
I believe the icons needed w3. In any case, this should be safe.
| '"http_user_agent": $http_user_agent, ' | ||
| '"cookies=$http_cookie;" "server=$server_name" "http_host=$http_host"'; | ||
|
|
||
| limit_req_zone $binary_remote_addr zone=limitreqsbyaddr:20m rate=10r/s; |
There was a problem hiding this comment.
I think I commented on this elsewhere already but I think we might need to stress test or up the rate-limit here.
There was a problem hiding this comment.
We discussed this briefly and I think we should have to increase the limit. I have done some testing and got a rejection only once. But one caveat is: when frontend auth check function gets rejected, if user is already logged in, the backend will log them out.
There was a problem hiding this comment.
Increased the rate! Resolved
| #location ~ \.(css)$ { | ||
| # add_header Content-Type text/css; | ||
| #} | ||
|
|
||
| #location = /nginx_status { | ||
| # stub_status on; | ||
| # access_log off; | ||
| # deny all; | ||
| #} | ||
|
|
There was a problem hiding this comment.
| #location ~ \.(css)$ { | |
| # add_header Content-Type text/css; | |
| #} | |
| #location = /nginx_status { | |
| # stub_status on; | |
| # access_log off; | |
| # deny all; | |
| #} |
I will see what can be done here! will update this post once done! |
| @@ -117,6 +117,7 @@ update_backend() | |||
| cf map-route tdp-backend-prod api-tanfdata.acf.hhs.gov | |||
| # deny all; | ||
| #} | ||
|
|
||
| location ^~ /v1/ { |
There was a problem hiding this comment.
Have to add /admin location
UX might be able to coordinate tests with Virgin Islands or Guam to test against develop/staging environment. |
I bet the test will fail because I will have to add the following lists: https://lite.ip2location.com/virgin-islands-(u.s.)-ip-address-ranges |
| @@ -1,10 +1,12 @@ | |||
| types { | |||
| text/html html htm shtml; | |||
| text/css css; | |||
| text/css chunk.css; | |||
There was a problem hiding this comment.
This is really not a requirement, but I thought it is better to add to save us from future problem.
raftmsohani
changed the title
Co-authored-by: Andrew <84722778+andrew-jameson@users.noreply.github.com>
Co-authored-by: Andrew <84722778+andrew-jameson@users.noreply.github.com>
Co-authored-by: Andrew <84722778+andrew-jameson@users.noreply.github.com>
Co-authored-by: Andrew <84722778+andrew-jameson@users.noreply.github.com>
|
Out of date per @raftmsohani. Please see #2449 |
Summary of Changes
The Nginx CSP and server configuration need to be revised and correctly documented for both local and Cloud.gov deployment to increase security.
Pull request closes #1544 , #1543 and #2031
How to Test
It is important to use commands.sh to start the application since local deployment needs external network to be created first to connect the backend and frontend docker-compose configs.
Deliverables
More details on how deliverables herein are assessed included here.
Deliverable 1: Accepted Features
Checklist of ACs:
lfrohlichand/oradpenningtonconfirmed that ACs are met.Deliverable 2: Tested Code
CodeCov Reportcomment in PR)CodeCov Reportcomment in PR)Deliverable 3: Properly Styled Code
Deliverable 4: Accessible
iamjollyandttran-hubusing Accessibility Insights reveal any errors introduced in this PR?Deliverable 5: Deployed
Deliverable 6: Documented
Deliverable 7: Secure
Deliverable 8: User Research
Research product(s) clearly articulate(s):