From ad839aa492704dda3a9f8e5fe9de58c4074bd39a Mon Sep 17 00:00:00 2001 From: Dima Lazerka <58356625+dima-vm@users.noreply.github.com> Date: Mon, 30 Oct 2023 03:33:38 -0700 Subject: [PATCH] lib/httpserver: add flags to specify HSTS / Frame-Options / CSP headers for httpserver (#5111) support `Strict-Transport-Security`, `Content-Security-Policy` and `X-Frame-Options` HTTP headers in all VictoriaMetrics components. The values for headers can be specified by users via the following flags: `-http.header.hsts`, `-http.header.csp` and `-http.header.frameOptions`. Co-authored-by: hagen1778 --- README.md | 7 +++++++ app/vmagent/README.md | 6 ++++++ app/vmalert/README.md | 6 ++++++ app/vmauth/README.md | 6 ++++++ app/vmbackup/README.md | 6 ++++++ app/vmbackupmanager/README.md | 6 ++++++ app/vmgateway/README.md | 6 ++++++ app/vmrestore/README.md | 6 ++++++ docs/CHANGELOG.md | 1 + docs/Cluster-VictoriaMetrics.md | 21 ++++++++++++++++++- docs/README.md | 7 +++++++ docs/Single-server-VictoriaMetrics.md | 7 +++++++ docs/VictoriaLogs/README.md | 6 ++++++ docs/vmagent.md | 6 ++++++ docs/vmalert.md | 6 ++++++ docs/vmauth.md | 6 ++++++ docs/vmbackup.md | 6 ++++++ docs/vmbackupmanager.md | 6 ++++++ docs/vmgateway.md | 6 ++++++ docs/vmrestore.md | 6 ++++++ lib/httpserver/httpserver.go | 13 ++++++++++++ lib/httpserver/httpserver_test.go | 30 +++++++++++++++++++++++++++ 22 files changed, 175 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index e966a8bb4..d013eea18 100644 --- a/README.md +++ b/README.md 
@@ -1948,6 +1948,7 @@ VictoriaMetrics provides the following security-related command-line flags: * `-tls`, `-tlsCertFile` and `-tlsKeyFile` for switching from HTTP to HTTPS. * `-httpAuth.username` and `-httpAuth.password` for protecting all the HTTP endpoints with [HTTP Basic Authentication](https://en.wikipedia.org/wiki/Basic_access_authentication). +* `-http.header.hsts`, `-http.header.csp`, and `-http.header.frameOptions` for serving `Strict-Transport-Security`, `Content-Security-Policy` and `X-Frame-Options` HTTP response headers. * `-deleteAuthKey` for protecting `/api/v1/admin/tsdb/delete_series` endpoint. See [how to delete time series](#how-to-delete-time-series). * `-snapshotAuthKey` for protecting `/snapshot*` endpoints. See [how to work with snapshots](#how-to-work-with-snapshots). * `-forceMergeAuthKey` for protecting `/internal/force_merge` endpoint. See [force merge docs](#forced-merge). @@ -2541,6 +2542,12 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li Incoming http connections are closed after the configured timeout. This may help to spread the incoming load among a cluster of services behind a load balancer. Please note that the real timeout may be bigger by up to 10% as a protection against the thundering herd problem (default 2m0s) -http.disableResponseCompression Disable compression of HTTP responses to save CPU resources. By default, compression is enabled to save network bandwidth + -http.header.csp string + Value for 'Content-Security-Policy' header + -http.header.frameOptions string + Value for 'X-Frame-Options' header + -http.header.hsts string + Value for 'Strict-Transport-Security' header -http.idleConnTimeout duration Timeout for incoming idle http connections (default 1m0s) -http.maxGracefulShutdownDuration duration diff --git a/app/vmagent/README.md b/app/vmagent/README.md index 941557f77..a93a49ce0 100644 --- a/app/vmagent/README.md +++ b/app/vmagent/README.md 
@@ -1263,6 +1263,12 @@ See the docs at https://docs.victoriametrics.com/vmagent.html . Incoming http connections are closed after the configured timeout. This may help to spread the incoming load among a cluster of services behind a load balancer. Please note that the real timeout may be bigger by up to 10% as a protection against the thundering herd problem (default 2m0s) -http.disableResponseCompression Disable compression of HTTP responses to save CPU resources. By default, compression is enabled to save network bandwidth + -http.header.csp string + Value for 'Content-Security-Policy' header + -http.header.frameOptions string + Value for 'X-Frame-Options' header + -http.header.hsts string + Value for 'Strict-Transport-Security' header -http.idleConnTimeout duration Timeout for incoming idle http connections (default 1m0s) -http.maxGracefulShutdownDuration duration diff --git a/app/vmalert/README.md b/app/vmalert/README.md index 53066c39b..d0c6a0a4f 100644 --- a/app/vmalert/README.md +++ b/app/vmalert/README.md @@ -1046,6 +1046,12 @@ The shortlist of configuration flags is the following: Incoming http connections are closed after the configured timeout. This may help to spread the incoming load among a cluster of services behind a load balancer. Please note that the real timeout may be bigger by up to 10% as a protection against the thundering herd problem (default 2m0s) -http.disableResponseCompression Disable compression of HTTP responses to save CPU resources. By default, compression is enabled to save network bandwidth + -http.header.csp string + Value for 'Content-Security-Policy' header + -http.header.frameOptions string + Value for 'X-Frame-Options' header + -http.header.hsts string + Value for 'Strict-Transport-Security' header -http.idleConnTimeout duration Timeout for incoming idle http connections (default 1m0s) -http.maxGracefulShutdownDuration duration diff --git a/app/vmauth/README.md b/app/vmauth/README.md index 485039cca..3855568ad 100644 
--- a/app/vmauth/README.md +++ b/app/vmauth/README.md @@ -408,6 +408,12 @@ See the docs at https://docs.victoriametrics.com/vmauth.html . Incoming http connections are closed after the configured timeout. This may help to spread the incoming load among a cluster of services behind a load balancer. Please note that the real timeout may be bigger by up to 10% as a protection against the thundering herd problem (default 2m0s) -http.disableResponseCompression Disable compression of HTTP responses to save CPU resources. By default, compression is enabled to save network bandwidth + -http.header.csp string + Value for 'Content-Security-Policy' header + -http.header.frameOptions string + Value for 'X-Frame-Options' header + -http.header.hsts string + Value for 'Strict-Transport-Security' header -http.idleConnTimeout duration Timeout for incoming idle http connections (default 1m0s) -http.maxGracefulShutdownDuration duration diff --git a/app/vmbackup/README.md b/app/vmbackup/README.md index 5c4b81ecd..6fbb5effd 100644 --- a/app/vmbackup/README.md +++ b/app/vmbackup/README.md @@ -316,6 +316,12 @@ Run `vmbackup -help` in order to see all the available options: Incoming http connections are closed after the configured timeout. This may help to spread the incoming load among a cluster of services behind a load balancer. Please note that the real timeout may be bigger by up to 10% as a protection against the thundering herd problem (default 2m0s) -http.disableResponseCompression Disable compression of HTTP responses to save CPU resources. By default, compression is enabled to save network bandwidth + -http.header.csp string + Value for 'Content-Security-Policy' header + -http.header.frameOptions string + Value for 'X-Frame-Options' header + -http.header.hsts string + Value for 'Strict-Transport-Security' header -http.idleConnTimeout duration Timeout for incoming idle http connections (default 1m0s) -http.maxGracefulShutdownDuration duration 
diff --git a/app/vmbackupmanager/README.md b/app/vmbackupmanager/README.md index f4422ac44..b64921363 100644 --- a/app/vmbackupmanager/README.md +++ b/app/vmbackupmanager/README.md @@ -450,6 +450,12 @@ command-line flags: Incoming http connections are closed after the configured timeout. This may help to spread the incoming load among a cluster of services behind a load balancer. Please note that the real timeout may be bigger by up to 10% as a protection against the thundering herd problem (default 2m0s) -http.disableResponseCompression Disable compression of HTTP responses to save CPU resources. By default, compression is enabled to save network bandwidth + -http.header.csp string + Value for 'Content-Security-Policy' header + -http.header.frameOptions string + Value for 'X-Frame-Options' header + -http.header.hsts string + Value for 'Strict-Transport-Security' header -http.idleConnTimeout duration Timeout for incoming idle http connections (default 1m0s) -http.maxGracefulShutdownDuration duration diff --git a/app/vmgateway/README.md b/app/vmgateway/README.md index d62469721..0862ef113 100644 --- a/app/vmgateway/README.md +++ b/app/vmgateway/README.md 
@@ -353,6 +353,12 @@ The shortlist of configuration flags include the following: Incoming http connections are closed after the configured timeout. This may help to spread the incoming load among a cluster of services behind a load balancer. Please note that the real timeout may be bigger by up to 10% as a protection against the thundering herd problem (default 2m0s) -http.disableResponseCompression Disable compression of HTTP responses to save CPU resources. By default, compression is enabled to save network bandwidth + -http.header.csp string + Value for 'Content-Security-Policy' header + -http.header.frameOptions string + Value for 'X-Frame-Options' header + -http.header.hsts string + Value for 'Strict-Transport-Security' header -http.idleConnTimeout duration Timeout for incoming idle http connections (default 1m0s) -http.maxGracefulShutdownDuration duration diff --git a/app/vmrestore/README.md b/app/vmrestore/README.md index 142af1dc1..ec62df29c 100644 --- a/app/vmrestore/README.md +++ b/app/vmrestore/README.md @@ -113,6 +113,12 @@ i.e. the end result would be similar to [rsync --delete](https://askubuntu.com/q Incoming http connections are closed after the configured timeout. This may help to spread the incoming load among a cluster of services behind a load balancer. Please note that the real timeout may be bigger by up to 10% as a protection against the thundering herd problem (default 2m0s) -http.disableResponseCompression Disable compression of HTTP responses to save CPU resources. By default, compression is enabled to save network bandwidth + -http.header.csp string + Value for 'Content-Security-Policy' header + -http.header.frameOptions string + Value for 'X-Frame-Options' header + -http.header.hsts string + Value for 'Strict-Transport-Security' header -http.idleConnTimeout duration Timeout for incoming idle http connections (default 1m0s) -http.maxGracefulShutdownDuration duration 
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md index 5cd1aa04a..6a08f730a 100644 --- a/docs/CHANGELOG.md +++ b/docs/CHANGELOG.md @@ -31,6 +31,7 @@ The sandbox cluster installation is running under the constant load generated by **vmalert's cmd-line flag `datasource.queryTimeAlignment` was deprecated and will have no effect anymore. It will be completely removed in next releases. See [this issue](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/5049) and more detailed changes below.** **vmalert's cmd-line flag `datasource.lookback` will be deprecated soon. Please use `-rule.evalDelay` command-line flag instead. It will have no effect in next release and be removed in future releases. See [this issue](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/5155).** +* SECURITY: support `Strict-Transport-Security`, `Content-Security-Policy` and `X-Frame-Options` HTTP headers in all VictoriaMetrics components. The values for headers can be specified by users via the following flags: `-http.header.hsts`, `-http.header.csp` and `-http.header.frameOptions`. * SECURITY: upgrade Go builder from Go1.21.1 to Go1.21.3. See [the list of issues addressed in Go1.21.2](https://github.com/golang/go/issues?q=milestone%3AGo1.21.2+label%3ACherryPickApproved) and [the list of issues addressed in Go1.21.3](https://github.com/golang/go/issues?q=milestone%3AGo1.21.3+label%3ACherryPickApproved). * FEATURE: `vmselect`: improve query performance on systems with big number of CPU cores (`>=32`). Add `-search.maxWorkersPerQuery` command-line flag, which can be used for fine-tuning query performance on systems with big number of CPU cores. See [this pull request](https://github.com/VictoriaMetrics/VictoriaMetrics/pull/5195). diff --git a/docs/Cluster-VictoriaMetrics.md b/docs/Cluster-VictoriaMetrics.md index 9b6fd488c..227cbbecd 100644 --- a/docs/Cluster-VictoriaMetrics.md +++ b/docs/Cluster-VictoriaMetrics.md 
@@ -267,10 +267,11 @@ General security recommendations: - All the VictoriaMetrics cluster components must run in protected private network without direct access from untrusted networks such as Internet. - External clients must access `vminsert` and `vmselect` via auth proxy such as [vmauth](https://docs.victoriametrics.com/vmauth.html) or [vmgateway](https://docs.victoriametrics.com/vmgateway.html). -- The auth proxy must accept auth tokens from untrusted networks only via https in order to protect the auth tokens from eavesdropping. +- The auth proxy must accept auth tokens from untrusted networks only via https in order to protect the auth tokens from MitM attacks. - It is recommended using distinct auth tokens for distinct [tenants](#multitenancy) in order to reduce potential damage in case of compromised auth token for some tenants. - Prefer using lists of allowed [API endpoints](#url-format), while disallowing access to other endpoints when configuring auth proxy in front of `vminsert` and `vmselect`. This minimizes attack surface. +- All http-serving components also respond with reasonable default headers for HSTS, CSP and Frame-Options, configurable with flags. See also [security recommendation for single-node VictoriaMetrics](https://docs.victoriametrics.com/#security) and [the general security page at VictoriaMetrics website](https://victoriametrics.com/security/). 
@@ -896,6 +897,12 @@ Below is the output for `/path/to/vminsert -help`: Incoming http connections are closed after the configured timeout. This may help to spread the incoming load among a cluster of services behind a load balancer. Please note that the real timeout may be bigger by up to 10% as a protection against the thundering herd problem (default 2m0s) -http.disableResponseCompression Disable compression of HTTP responses to save CPU resources. By default, compression is enabled to save network bandwidth + -http.header.csp string + Value for 'Content-Security-Policy' header + -http.header.frameOptions string + Value for 'X-Frame-Options' header + -http.header.hsts string + Value for 'Strict-Transport-Security' header -http.idleConnTimeout duration Timeout for incoming idle http connections (default 1m0s) -http.maxGracefulShutdownDuration duration @@ -1118,6 +1125,12 @@ Below is the output for `/path/to/vmselect -help`: Incoming http connections are closed after the configured timeout. This may help to spread the incoming load among a cluster of services behind a load balancer. Please note that the real timeout may be bigger by up to 10% as a protection against the thundering herd problem (default 2m0s) -http.disableResponseCompression Disable compression of HTTP responses to save CPU resources. By default, compression is enabled to save network bandwidth + -http.header.csp string + Value for 'Content-Security-Policy' header + -http.header.frameOptions string + Value for 'X-Frame-Options' header + -http.header.hsts string + Value for 'Strict-Transport-Security' header -http.idleConnTimeout duration Timeout for incoming idle http connections (default 1m0s) -http.maxGracefulShutdownDuration duration 
@@ -1356,6 +1369,12 @@ Below is the output for `/path/to/vmstorage -help`: Incoming http connections are closed after the configured timeout. This may help to spread the incoming load among a cluster of services behind a load balancer. Please note that the real timeout may be bigger by up to 10% as a protection against the thundering herd problem (default 2m0s) -http.disableResponseCompression Disable compression of HTTP responses to save CPU resources. By default, compression is enabled to save network bandwidth + -http.header.csp string + Value for 'Content-Security-Policy' header + -http.header.frameOptions string + Value for 'X-Frame-Options' header + -http.header.hsts string + Value for 'Strict-Transport-Security' header -http.idleConnTimeout duration Timeout for incoming idle http connections (default 1m0s) -http.maxGracefulShutdownDuration duration diff --git a/docs/README.md b/docs/README.md index 082aa30b4..28603c46b 100644 --- a/docs/README.md +++ b/docs/README.md @@ -1951,6 +1951,7 @@ VictoriaMetrics provides the following security-related command-line flags: * `-tls`, `-tlsCertFile` and `-tlsKeyFile` for switching from HTTP to HTTPS. * `-httpAuth.username` and `-httpAuth.password` for protecting all the HTTP endpoints with [HTTP Basic Authentication](https://en.wikipedia.org/wiki/Basic_access_authentication). +* `-http.header.hsts`, `-http.header.csp`, and `-http.header.frameOptions` for serving `Strict-Transport-Security`, `Content-Security-Policy` and `X-Frame-Options` HTTP response headers. * `-deleteAuthKey` for protecting `/api/v1/admin/tsdb/delete_series` endpoint. See [how to delete time series](#how-to-delete-time-series). * `-snapshotAuthKey` for protecting `/snapshot*` endpoints. See [how to work with snapshots](#how-to-work-with-snapshots). * `-forceMergeAuthKey` for protecting `/internal/force_merge` endpoint. See [force merge docs](#forced-merge). 
@@ -2544,6 +2545,12 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li Incoming http connections are closed after the configured timeout. This may help to spread the incoming load among a cluster of services behind a load balancer. Please note that the real timeout may be bigger by up to 10% as a protection against the thundering herd problem (default 2m0s) -http.disableResponseCompression Disable compression of HTTP responses to save CPU resources. By default, compression is enabled to save network bandwidth + -http.header.csp string + Value for 'Content-Security-Policy' header + -http.header.frameOptions string + Value for 'X-Frame-Options' header + -http.header.hsts string + Value for 'Strict-Transport-Security' header -http.idleConnTimeout duration Timeout for incoming idle http connections (default 1m0s) -http.maxGracefulShutdownDuration duration diff --git a/docs/Single-server-VictoriaMetrics.md b/docs/Single-server-VictoriaMetrics.md index db91525aa..4941830c3 100644 --- a/docs/Single-server-VictoriaMetrics.md +++ b/docs/Single-server-VictoriaMetrics.md 
@@ -1959,6 +1959,7 @@ VictoriaMetrics provides the following security-related command-line flags: * `-tls`, `-tlsCertFile` and `-tlsKeyFile` for switching from HTTP to HTTPS. * `-httpAuth.username` and `-httpAuth.password` for protecting all the HTTP endpoints with [HTTP Basic Authentication](https://en.wikipedia.org/wiki/Basic_access_authentication). +* `-http.header.hsts`, `-http.header.csp`, and `-http.header.frameOptions` for serving `Strict-Transport-Security`, `Content-Security-Policy` and `X-Frame-Options` HTTP response headers. * `-deleteAuthKey` for protecting `/api/v1/admin/tsdb/delete_series` endpoint. See [how to delete time series](#how-to-delete-time-series). * `-snapshotAuthKey` for protecting `/snapshot*` endpoints. See [how to work with snapshots](#how-to-work-with-snapshots). * `-forceMergeAuthKey` for protecting `/internal/force_merge` endpoint. See [force merge docs](#forced-merge). @@ -2552,6 +2553,12 @@ Pass `-help` to VictoriaMetrics in order to see the list of supported command-li Incoming http connections are closed after the configured timeout. This may help to spread the incoming load among a cluster of services behind a load balancer. Please note that the real timeout may be bigger by up to 10% as a protection against the thundering herd problem (default 2m0s) -http.disableResponseCompression Disable compression of HTTP responses to save CPU resources. By default, compression is enabled to save network bandwidth + -http.header.csp string + Value for 'Content-Security-Policy' header + -http.header.frameOptions string + Value for 'X-Frame-Options' header + -http.header.hsts string + Value for 'Strict-Transport-Security' header -http.idleConnTimeout duration Timeout for incoming idle http connections (default 1m0s) -http.maxGracefulShutdownDuration duration diff --git a/docs/VictoriaLogs/README.md b/docs/VictoriaLogs/README.md index faa529033..a9d674941 100644 --- a/docs/VictoriaLogs/README.md +++ b/docs/VictoriaLogs/README.md 
@@ -160,6 +160,12 @@ Pass `-help` to VictoriaLogs in order to see the list of supported command-line Incoming http connections are closed after the configured timeout. This may help to spread the incoming load among a cluster of services behind a load balancer. Please note that the real timeout may be bigger by up to 10% as a protection against the thundering herd problem (default 2m0s) -http.disableResponseCompression Disable compression of HTTP responses to save CPU resources. By default, compression is enabled to save network bandwidth + -http.header.csp string + Value for 'Content-Security-Policy' header + -http.header.frameOptions string + Value for 'X-Frame-Options' header + -http.header.hsts string + Value for 'Strict-Transport-Security' header -http.idleConnTimeout duration Timeout for incoming idle http connections (default 1m0s) -http.maxGracefulShutdownDuration duration diff --git a/docs/vmagent.md b/docs/vmagent.md index 2d767c474..6e5b9f9ad 100644 --- a/docs/vmagent.md +++ b/docs/vmagent.md @@ -1274,6 +1274,12 @@ See the docs at https://docs.victoriametrics.com/vmagent.html . Incoming http connections are closed after the configured timeout. This may help to spread the incoming load among a cluster of services behind a load balancer. Please note that the real timeout may be bigger by up to 10% as a protection against the thundering herd problem (default 2m0s) -http.disableResponseCompression Disable compression of HTTP responses to save CPU resources. By default, compression is enabled to save network bandwidth + -http.header.csp string + Value for 'Content-Security-Policy' header + -http.header.frameOptions string + Value for 'X-Frame-Options' header + -http.header.hsts string + Value for 'Strict-Transport-Security' header -http.idleConnTimeout duration Timeout for incoming idle http connections (default 1m0s) -http.maxGracefulShutdownDuration duration diff --git a/docs/vmalert.md b/docs/vmalert.md index 57e6eb9c0..b462a7609 100644 
--- a/docs/vmalert.md +++ b/docs/vmalert.md @@ -1057,6 +1057,12 @@ The shortlist of configuration flags is the following: Incoming http connections are closed after the configured timeout. This may help to spread the incoming load among a cluster of services behind a load balancer. Please note that the real timeout may be bigger by up to 10% as a protection against the thundering herd problem (default 2m0s) -http.disableResponseCompression Disable compression of HTTP responses to save CPU resources. By default, compression is enabled to save network bandwidth + -http.header.csp string + Value for 'Content-Security-Policy' header + -http.header.frameOptions string + Value for 'X-Frame-Options' header + -http.header.hsts string + Value for 'Strict-Transport-Security' header -http.idleConnTimeout duration Timeout for incoming idle http connections (default 1m0s) -http.maxGracefulShutdownDuration duration diff --git a/docs/vmauth.md b/docs/vmauth.md index 8628753aa..7ee675c58 100644 --- a/docs/vmauth.md +++ b/docs/vmauth.md @@ -419,6 +419,12 @@ See the docs at https://docs.victoriametrics.com/vmauth.html . Incoming http connections are closed after the configured timeout. This may help to spread the incoming load among a cluster of services behind a load balancer. Please note that the real timeout may be bigger by up to 10% as a protection against the thundering herd problem (default 2m0s) -http.disableResponseCompression Disable compression of HTTP responses to save CPU resources. By default, compression is enabled to save network bandwidth + -http.header.csp string + Value for 'Content-Security-Policy' header + -http.header.frameOptions string + Value for 'X-Frame-Options' header + -http.header.hsts string + Value for 'Strict-Transport-Security' header -http.idleConnTimeout duration Timeout for incoming idle http connections (default 1m0s) -http.maxGracefulShutdownDuration duration diff --git a/docs/vmbackup.md b/docs/vmbackup.md index 660fc8910..c3a858563 100644 
--- a/docs/vmbackup.md +++ b/docs/vmbackup.md @@ -327,6 +327,12 @@ Run `vmbackup -help` in order to see all the available options: Incoming http connections are closed after the configured timeout. This may help to spread the incoming load among a cluster of services behind a load balancer. Please note that the real timeout may be bigger by up to 10% as a protection against the thundering herd problem (default 2m0s) -http.disableResponseCompression Disable compression of HTTP responses to save CPU resources. By default, compression is enabled to save network bandwidth + -http.header.csp string + Value for 'Content-Security-Policy' header + -http.header.frameOptions string + Value for 'X-Frame-Options' header + -http.header.hsts string + Value for 'Strict-Transport-Security' header -http.idleConnTimeout duration Timeout for incoming idle http connections (default 1m0s) -http.maxGracefulShutdownDuration duration diff --git a/docs/vmbackupmanager.md b/docs/vmbackupmanager.md index 94de93680..0f8485560 100644 --- a/docs/vmbackupmanager.md +++ b/docs/vmbackupmanager.md @@ -461,6 +461,12 @@ command-line flags: Incoming http connections are closed after the configured timeout. This may help to spread the incoming load among a cluster of services behind a load balancer. Please note that the real timeout may be bigger by up to 10% as a protection against the thundering herd problem (default 2m0s) -http.disableResponseCompression Disable compression of HTTP responses to save CPU resources. By default, compression is enabled to save network bandwidth + -http.header.csp string + Value for 'Content-Security-Policy' header + -http.header.frameOptions string + Value for 'X-Frame-Options' header + -http.header.hsts string + Value for 'Strict-Transport-Security' header -http.idleConnTimeout duration Timeout for incoming idle http connections (default 1m0s) -http.maxGracefulShutdownDuration duration diff --git a/docs/vmgateway.md b/docs/vmgateway.md index 7b77e7a95..84f74b78a 100644 
--- a/docs/vmgateway.md +++ b/docs/vmgateway.md @@ -364,6 +364,12 @@ The shortlist of configuration flags include the following: Incoming http connections are closed after the configured timeout. This may help to spread the incoming load among a cluster of services behind a load balancer. Please note that the real timeout may be bigger by up to 10% as a protection against the thundering herd problem (default 2m0s) -http.disableResponseCompression Disable compression of HTTP responses to save CPU resources. By default, compression is enabled to save network bandwidth + -http.header.csp string + Value for 'Content-Security-Policy' header + -http.header.frameOptions string + Value for 'X-Frame-Options' header + -http.header.hsts string + Value for 'Strict-Transport-Security' header -http.idleConnTimeout duration Timeout for incoming idle http connections (default 1m0s) -http.maxGracefulShutdownDuration duration diff --git a/docs/vmrestore.md b/docs/vmrestore.md index 07ad5815e..d22590388 100644 --- a/docs/vmrestore.md +++ b/docs/vmrestore.md @@ -124,6 +124,12 @@ i.e. the end result would be similar to [rsync --delete](https://askubuntu.com/q Incoming http connections are closed after the configured timeout. This may help to spread the incoming load among a cluster of services behind a load balancer. Please note that the real timeout may be bigger by up to 10% as a protection against the thundering herd problem (default 2m0s) -http.disableResponseCompression Disable compression of HTTP responses to save CPU resources. By default, compression is enabled to save network bandwidth + -http.header.csp string + Value for 'Content-Security-Policy' header + -http.header.frameOptions string + Value for 'X-Frame-Options' header + -http.header.hsts string + Value for 'Strict-Transport-Security' header -http.idleConnTimeout duration Timeout for incoming idle http connections (default 1m0s) -http.maxGracefulShutdownDuration duration 
diff --git a/lib/httpserver/httpserver.go b/lib/httpserver/httpserver.go
index 4d1d00042..e7f6157a5 100644
--- a/lib/httpserver/httpserver.go
+++ b/lib/httpserver/httpserver.go
@@ -51,6 +51,10 @@ var (
 shutdownDelay = flag.Duration("http.shutdownDelay", 0, `Optional delay before http server shutdown. During this delay, the server returns non-OK responses from /health page, so load balancers can route new requests to other servers`)
 idleConnTimeout = flag.Duration("http.idleConnTimeout", time.Minute, "Timeout for incoming idle http connections")
 connTimeout = flag.Duration("http.connTimeout", 2*time.Minute, `Incoming http connections are closed after the configured timeout. This may help to spread the incoming load among a cluster of services behind a load balancer. Please note that the real timeout may be bigger by up to 10% as a protection against the thundering herd problem`)
+
+ headerHSTS = flag.String("http.header.hsts", "", "Value for 'Strict-Transport-Security' header")
+ headerFrameOptions = flag.String("http.header.frameOptions", "", "Value for 'X-Frame-Options' header")
+ headerCSP = flag.String("http.header.csp", "", "Value for 'Content-Security-Policy' header")
 )
 
 var (
@@ -238,6 +242,15 @@ func handlerWrapper(s *server, w http.ResponseWriter, r *http.Request, rh Reques
 }
 }()
 
+ if *headerHSTS != "" {
+ w.Header().Add("Strict-Transport-Security", *headerHSTS)
+ }
+ if *headerFrameOptions != "" {
+ w.Header().Add("X-Frame-Options", *headerFrameOptions)
+ }
+ if *headerCSP != "" {
+ w.Header().Add("Content-Security-Policy", *headerCSP)
+ }
 w.Header().Add("X-Server-Hostname", hostname)
 requestsTotal.Inc()
 if whetherToCloseConn(r) {
diff --git a/lib/httpserver/httpserver_test.go b/lib/httpserver/httpserver_test.go
index 9311cbfcc..f3bf43668 100644
--- a/lib/httpserver/httpserver_test.go
+++ b/lib/httpserver/httpserver_test.go
@@ -3,6 +3,7 @@ package httpserver
 
 import (
 "encoding/json"
 "net/http"
+ "net/http/httptest"
 "testing"
 )
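Review bot: The three flag descriptions say nothing about the default behaviour: all three default to `""` and the handler hunk below skips a header whose value is empty, so out of the box no header is sent at all — yet the Cluster doc hunk in this same patch states that components "respond with reasonable default headers for HSTS, CSP and Frame-Options", which this code does not do. The help text should state the omission and, for HSTS, that browsers only honor `Strict-Transport-Security` on responses received over TLS (RFC 6797), so it has to be paired with `-tls` or a TLS-terminating proxy, and that a long `max-age` on a hostname that still has to serve plain-HTTP clients can lock browsers out of it. Suggested: `headerHSTS = flag.String("http.header.hsts", "", "Value for 'Strict-Transport-Security' header, e.g. 'max-age=31536000; includeSubDomains'. The header is omitted when empty; browsers honor it only on responses served over TLS, so combine it with -tls or a TLS-terminating proxy")`, with "The header is omitted when empty" added to the other two descriptions. The `var (` block these sit in opens before the hunk.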
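Review bot: `w.Header().Add` appends a value rather than replacing one, so these headers are only guaranteed to appear once if nothing else in the response path emits them; if the wrapped handler `rh` — or, for vmauth, a proxied backend whose response headers are copied through (I cannot see that path here) — also emits `Content-Security-Policy`, the client receives two and browsers enforce the intersection of both policies, which is unlikely to be what the operator intended. `Set` expresses the intended "exactly this operator-chosen value" semantics, `w.Header().Set("Strict-Transport-Security", *headerHSTS)` and likewise for the other two, though it only suppresses duplicates written before this point, so the vmauth-plus-backend case still needs documenting. A one-line comment above the block such as `// Operator-configured security headers; setting the same flag on both vmauth and a backend yields duplicate headers on the proxied response` would save a confusing debugging session. handlerWrapper's body begins and ends outside the hunk.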
@@ -34,3 +35,32 @@ func TestGetQuotedRemoteAddr(t *testing.T) {
 f("1.2.3.4", "foo.bar", `"1.2.3.4, X-Forwarded-For: foo.bar"`)
 f("1.2\n\"3.4", "foo\nb\"ar", `"1.2\n\"3.4, X-Forwarded-For: foo\nb\"ar"`)
 }
+
+func TestHandlerWrapper(t *testing.T) {
+ *headerHSTS = "foo"
+ *headerFrameOptions = "bar"
+ *headerCSP = "baz"
+ defer func() {
+ *headerHSTS = ""
+ *headerFrameOptions = ""
+ *headerCSP = ""
+ }()
+
+ req, _ := http.NewRequest("GET", "/health", nil)
+
+ srv := &server{s: &http.Server{}}
+ w := &httptest.ResponseRecorder{}
+ handlerWrapper(srv, w, req, func(_ http.ResponseWriter, _ *http.Request) bool {
+ return true
+ })
+
+ if w.Header().Get("Strict-Transport-Security") != "foo" {
+ t.Errorf("HSTS header not set")
+ }
+ if w.Header().Get("X-Frame-Options") != "bar" {
+ t.Errorf("X-Frame-Options header not set")
+ }
+ if w.Header().Get("Content-Security-Policy") != "baz" {
+ t.Errorf("CSP header not set")
+ }
+}
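Review bot: The test only exercises the configured case; the shipped default — all three flags empty, where the `!= ""` guards must keep the headers off the response — is never asserted, and that is exactly the branch a future refactor is most likely to break silently. Add a second pass with the flags reset that checks all three headers are absent, assuming handlerWrapper tolerates a second call on the same stub `server` as the first call already relies on it being a stub. While there, `httptest.NewRecorder()` is the documented constructor; the zero-value `&httptest.ResponseRecorder{}` only works because `Header()` lazily allocates `HeaderMap`, and the discarded `http.NewRequest` error should be checked with `t.Fatalf`. TestGetQuotedRemoteAddr's body begins before the hunk.
```go
	// … unchanged: configured-flags case above …
	*headerHSTS, *headerFrameOptions, *headerCSP = "", "", ""
	w = httptest.NewRecorder()
	handlerWrapper(srv, w, req, func(_ http.ResponseWriter, _ *http.Request) bool {
		return true
	})
	for _, h := range []string{"Strict-Transport-Security", "X-Frame-Options", "Content-Security-Policy"} {
		if v := w.Header().Get(h); v != "" {
			t.Errorf("unexpected %s header %q when the flag is empty", h, v)
		}
	}
```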