Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add HSTS to caddy configuration #395

Closed
wants to merge 4 commits into from
Closed

Add HSTS to caddy configuration #395

wants to merge 4 commits into from

Conversation

pondzix
Copy link
Contributor

@pondzix pondzix commented Jan 26, 2024

New control-plane endpoint /add-hsts, when invoked modifies this part of Caddyfile:

:8443 {
    import protectedPaths

    @isHttps {
        header X-Forwarded-Proto https
    }

    route {
      handle @isHttps {
        import handleProtectedPaths
      }
      redir @protectedPaths https://{host}{uri}
    }

    import handleCollector
}

to

:8443 {
    import protectedPaths

    @isHttps {
        header X-Forwarded-Proto https
    }

    route {
      handle @isHttps {
        import handleProtectedPaths
        header Strict-Transport-Security max-age=31536000; includeSubDomains
      }
      redir @protectedPaths https://{host}{uri}
    }

    import handleCollector
}

So adds header Strict-Transport-Security max-age=31536000; includeSubDomains HSTS response header to HTTPS calls.

@stanch
Copy link

stanch commented Jan 26, 2024
edited
Loading

Do we have any other http(s) endpoints there that we need to slap hsts on? like the control plane itself Never mind, seems like it’s part of handleProtectedPaths

colmsnowplow
colmsnowplow reviewed Jan 26, 2024
View reviewed changes
Copy link

@colmsnowplow colmsnowplow left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks a sound approach to me.

I'm not entirely sure how caddy works but I believe it's a linux service, so I imagine the config change won't take effect until that we use sytemctl reload to reboot it.

The good news is that doing that is just a matter of calling this function.

The bad news is I'm not sure how safe it is to do so while other services are running, so it'll need some fairly annoying testing.

So, I suggest the following:

  • Test this code as-is, maybe we get lucky and caddy is smart enough to just take effect
  • If it doesn't work, add restartSPService("caddy"), test that it worked, and then test that the other services didn't break.
  • If they did break, maybe we need to restart everything when we reload caddy.

Happy to hop on a call to help figure it out!

@colmsnowplow
Copy link

If someone more confident than I about how caddy works can tell us that reloading doesn't mess everything up (from a bit of further reading it seems that's what reload is supposed to do), then we can save ourselves some of the hassle

colmsnowplow
colmsnowplow approved these changes Jan 29, 2024
View reviewed changes
Copy link

@colmsnowplow colmsnowplow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approving on the condition that it gets tested and works. Based on reading the code looks good though!

colmsnowplow
colmsnowplow approved these changes Jan 30, 2024
View reviewed changes
Copy link

@colmsnowplow colmsnowplow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@pondzix pondzix closed this in 1d33a21 Jan 30, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@colmsnowplow colmsnowplow colmsnowplow approved these changes

Assignees
No one assigned
Labels
cla:yes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@pondzix @stanch @colmsnowplow @snowplowcla