Merge remote-tracking branch
'origin/issues/117_118_Cipher_Suites_Web_UI' into develop
hhund committed Oct 31, 2023
2 parents d84da45 + 61674af commit fb4cd5f
Showing 3 changed files with 17 additions and 6 deletions.
5 changes: 3 additions & 2 deletions dsf-docker-test-setup-3dic-ttp/proxy/nginx.conf
Expand Up @@ -30,8 +30,9 @@ http {

ssl_certificate /run/secrets/proxy_certificate_and_int_cas.pem;
ssl_certificate_key /run/secrets/proxy_certificate_private_key.pem;
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=63072000" always;

ssl_client_certificate /run/secrets/proxy_trusted_client_cas.pem;
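Review bot: The three TLS 1.3 suite names at the front of the new `ssl_ciphers` line are, as far as I know, not enforced on OpenSSL-based nginx builds: `ssl_ciphers` feeds OpenSSL's TLS 1.2-and-below cipher list, whose parser silently skips names it does not know, so TLS 1.3 keeps OpenSSL's default suites whatever is written here. If pinning the TLS 1.3 suites is the intent, add `ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256;` (nginx 1.19.4 or later) next to it; otherwise the TLS 1.3 entries are harmless but misleading. `ssl_protocols TLSv1.2 TLSv1.3;` widens the surface from the previous TLS 1.3-only setting, which is presumably deliberate for the web UI named in the branch; a one-line comment naming the client that needs TLS 1.2 would stop a later hardening pass from reverting it. The same ECDHE list is repeated in dsf-docker/fhir_proxy/conf/extra/httpd-ssl.conf in this commit, so a comment such as `# keep in sync with fhir_proxy/conf/extra/httpd-ssl.conf SSLCipherSuite` above `ssl_ciphers` records that the two must change together.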
6 changes: 4 additions & 2 deletions dsf-docker/fhir_proxy/conf/extra/httpd-ssl.conf
Expand Up @@ -65,7 +65,9 @@ Listen 443
#SSLCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
#SSLProxyCipherSuite HIGH:MEDIUM:!SSLv3:!kRSA
SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
SSLCipherSuite SSL ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
SSLProxyCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
SSLProxyCipherSuite SSL ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256

# User agents such as web browsers are not configured for the user's
# own preference of either security or performance, therefore this
Expand All @@ -80,8 +82,8 @@ SSLHonorCipherOrder on
# protocol or later should remain in use.
#SSLProtocol all -SSLv3 -TLSv1
#SSLProxyProtocol all -SSLv3 -TLSv1
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1

# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
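Review bot: `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` and the matching `SSLProxyProtocol` line in the second hunk are deny-lists: `all` enables whatever the linked OpenSSL offers, so any protocol a later build adds is enabled without anyone touching this file. A positive list, `SSLProtocol TLSv1.2 TLSv1.3` and `SSLProxyProtocol TLSv1.2 TLSv1.3`, states the intent directly and mirrors the `ssl_protocols TLSv1.2 TLSv1.3;` line in dsf-docker-test-setup-3dic-ttp/proxy/nginx.conf from the same commit (the `SSLCipherSuite TLSv1.3 …` form already requires an httpd that knows these keywords). In the first hunk the `SSLCipherSuite SSL …` and `SSLProxyCipherSuite SSL …` lists duplicate the ECDHE list in that nginx.conf; a comment above them such as `# Keep in sync with proxy/nginx.conf ssl_ciphers` would keep the two from drifting. `SSLHonorCipherOrder on`, visible in the second hunk's header context, still applies, so the order written here is the order offered to clients.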
Expand Up @@ -29,8 +29,16 @@ public void filter(ContainerRequestContext requestContext, ContainerResponseCont
headers.add("Cross-Origin-Embedder-Policy", "require-corp");
headers.add("Cross-Origin-Resource-Policy", "same-site");
headers.add("Permissions-Policy", "geolocation=(), camera=(), microphone=()");
headers.add("Content-Security-Policy",
"frame-ancestors 'none'; default-src 'self'; frame-src 'none'; media-src 'none'; object-src 'none'; worker-src 'none'");

if (requestContext.getUriInfo() != null && requestContext.getUriInfo().getPath() != null
&& requestContext.getUriInfo().getPath().startsWith("Binary/"))
headers.add("Content-Security-Policy",
"base-uri 'self'; frame-ancestors 'none'; form-action 'self'; default-src 'none'; connect-src 'self'; img-src 'self';"
+ " script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'");
else
headers.add("Content-Security-Policy",
"base-uri 'self'; frame-ancestors 'none'; form-action 'self'; default-src 'none'; connect-src 'self'; img-src 'self';"
+ " script-src 'self'; style-src 'self'");
}
}
}
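Review bot: The new `Binary/` branch adds `'unsafe-inline'` to both `script-src` and `style-src`, which switches off the CSP's blocking of injected script on exactly those responses; the path prefix suggests FHIR Binary resources, which typically carry content uploaded by clients, so any HTML served from there could run inline script in the application's origin — confirm that this HTML is generated by the server and not stored client content. The defender-side fix is a per-response nonce (`'nonce-<value>'`) or `'sha256-…'` hashes for the known inline script and style blocks, which keeps `'unsafe-inline'` out of the policy; until that lands I would put `// NOTE(review): 'unsafe-inline' disables CSP script blocking for Binary/ responses — confirm this HTML is server-generated, and prefer a nonce or hash` above the `if`. The two policy strings share a long identical prefix; holding it in a `private static final String` constant and appending only the `script-src`/`style-src` tail would make the difference between the branches visible at a glance. The `if`/`else` bodies are unbraced multi-line statements; brace them per the usual Java convention. The enclosing `filter` method starts outside the hunk, and this section's file header is not shown in this view.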
