From 34ba36e0ee12d99a541a9e24878511e374d5657a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nils=20Gustav=20Str=C3=A5b=C3=B8?=
Date: Tue, 8 Oct 2024 12:46:59 +0200
Subject: [PATCH 1/2] add radixconfig docs for new fields in network.ingress.public
---
 public-site/docs/radix-config/index.md | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/public-site/docs/radix-config/index.md b/public-site/docs/radix-config/index.md
index 931e393f..fd6f01b7 100644
--- a/public-site/docs/radix-config/index.md
+++ b/public-site/docs/radix-config/index.md
@@ -1166,6 +1166,9 @@ spec:
 network:
 ingress:
 public:
+ proxyBodySize: 500m
+ proxyReadTimeout: 5
+ proxySendTimeout: 10
 allow:
 - 100.1.1.1
 - 110.1.1.1/30
@@ -1173,21 +1176,33 @@ spec:
 - environment: dev
 network:
 ingress:
+ proxyBodySize: 20m
+ proxyReadTimeout: 30
+ proxySendTimeout: 30
 public:
 allow: []
 - environment: qa
 network:
 ingress:
 public:
+ proxyBodySize: 100m
 allow:
 - 200.1.1.1
 - 200.10.1.1
 - environment: prod
 ```
-The `network.ingress.public.allow` property defines a list of public IP addresses or CIDRs allowed to access the component's public endpoints. The `allow` list can be configured on the component level and/or in `environmentConfig` for a specific environment. `environmentConfig` takes precedence over component level configuration. Setting `allow` to an empty list allows access from all public IP addresses.
+`network.ingress.public` contains settings used to control the behavior of [public endpoints](../docs/topic-domain-names/). These settings can be configured on the component level and/or in `environmentConfig` for a specific environment. `environmentConfig` takes precedence over component level configuration.
-In the example, `allow` is configured on the component level with two IP address ranges. This configuration will apply to all environments, unless `allow` is configured in `environmentConfig`. For environment `dev`, `allow` to en empty list, which will allow all public IP addresses to access the component. In the `qa` environment, `allow` is configured with a new list if IP addresses. These will be used instead of the IP addresses configured on the component level. The `environmentConfig` for `prod` does not specify `allow`, which means that the configuration from the component level will be used.
+- `allow`: Defines a list of public IP addresses or CIDRs allowed to access the component's public endpoints. Setting `allow` to an empty list allows access from all public IP addresses.
+**Note**: When `allow` is configured in `environmentConfig`, it will _overwrite_ any values defined on component level.
+- `proxyBodySize`: Sets the maximum allowed size of the client request body. 
Sizes can be specified in bytes, kilobytes (suffixes k and K), megabytes (suffixes m and M), or gigabytes (suffixes g and G), for example "1024", "64k", "32m" or "2g". If the size in a request exceeds the configured value, the 413 (Request Entity Too Large) error is returned to the client. Setting this value to "0" disables checking of client request body size. The default is 100m.
+- `proxyReadTimeout`: Defines a timeout, in seconds, for reading a response from the proxied server. The timeout is set only between two successive read operations, not for the transmission of the whole response. If the proxied server does not transmit anything within this time, the connection is closed. The default is 60 seconds.
+- `proxySendTimeout`: Defines a timeout, in seconds, for transmitting a request to the proxied server. The timeout is set only between two successive write operations, not for the transmission of the whole request. If the proxied server does not receive anything within this time, the connection is closed. The default is 60 seconds.
+
+:::warning Caution
+Setting `proxyBodySize` to "0", or an unneccessary high value, can lead to instability/denial of service or increased cost, depending on how the request body is processed by the backend, e.g. when buffering to memory or storing the content to disk, either locally or remotly. Never set the value to "0" unless the backend component is configured to enforce a limit.
+:::
 ## `jobs`
From 92a0a77034df77921ef86a33ea7ffec618909e97 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nils=20Gustav=20Str=C3=A5b=C3=B8?=
Date: Tue, 8 Oct 2024 13:50:37 +0200
Subject: [PATCH 2/2] replace script-src unsafe-inline with sha256 in CSP
---
 public-site/README.md | 2 +-
 public-site/proxy/securityheaders | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/public-site/README.md b/public-site/README.md
index 1ad1438a..8ed1a093 100644
--- a/public-site/README.md
+++ b/public-site/README.md
@@ -45,7 +45,7 @@ NGINX configuration:
 - `/proxy/server.conf`: Configuration used for production. Serves the statically built files.
 - `/proxy/server.dev.conf`: Configuration used for development. Proxies requests to docusaurus backend.
-- `/proxy/securityheaders`: Contains security related headers for the HTTP response. Included in both production and development configurations.
+- `/proxy/securityheaders`: Contains security related headers for the HTTP response. Included in both production and development configurations. The `Content-Security-Profile` value for `script-src` includes two sha256 values (`$script_src_dev_sha` when running in dev mode, and `$script_src_prod_sha` for production build) for inline javascript generated by docusaurs. These scripts can change when packages are updated, which will cause the sha256 values to be invalid, causing the web page to fail. In this happens the values for both variables must be updated. Chrome (and chromium based browsers) will print the expected value in `Developer Tools` > `Console`. Run `make dev-up` to get the value for `$script_src_dev_sha`, and `make prod-up` for `$script_src_prod_sha`. Update both variables with the new corresponding values and test that both dev and prod builds works by running `dev-up` and then `prod-up`.
 ## docusaurus
diff --git a/public-site/proxy/securityheaders b/public-site/proxy/securityheaders
index 61140d0b..1de5e4d9 100644
--- a/public-site/proxy/securityheaders
+++ b/public-site/proxy/securityheaders
@@ -1,7 +1,11 @@
+set $script_src_dev_sha "'sha256-PE/7QjqXXKVhTWba7f6GhIv05JWyUEggAwueH3hMSXI='";
+set $script_src_prod_sha "'sha256-pBkmluod9Ko4GzDfbWgKM/wxzujFXUdGVOePkwOQT+c='";
+set $script_src_sha "$script_src_dev_sha $script_src_prod_sha";
+
 add_header X-Frame-Options deny always;
 add_header X-Content-Type-Options nosniff always;
 add_header X-Permitted-Cross-Domain-Policies none always;
-add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; object-src 'none'; img-src 'self' data:; style-src 'self' 'unsafe-inline' https://cdn.eds.equinor.com/font/; font-src 'self' https://cdn.eds.equinor.com/font/; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content" always;
+add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-eval' $script_src_sha; object-src 'none'; img-src 'self' data:; style-src 'self' 'unsafe-inline' https://cdn.eds.equinor.com/font/; font-src 'self' https://cdn.eds.equinor.com/font/; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content" always;
 add_header Cross-Origin-Resource-Policy same-origin always;
 add_header Permissions-Policy "camera=(),display-capture=(),fullscreen=(),geolocation=(),microphone=()" always;
 add_header Referrer-Policy no-referrer always;
\ No newline at end of file
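Review bot: The new Content-Security-Policy line still keeps `'unsafe-eval'` in `script-src`, so replacing `'unsafe-inline'` with hashes closes the door on injected inline script but still lets any allowed script turn strings into code via `eval`/`new Function`; if the docusaurus build does not actually require it (the diff cannot tell us), dropping it would complete the hardening this commit starts. The three `set` lines carry no comment saying what the hashes pin or how they are refreshed — that lives only in public-site/README.md — so a one-line comment above them, `# sha256 of the inline scripts emitted by the dev and prod docusaurus builds; regenerate per public-site/README.md after package updates`, would keep the file self-explanatory. Note also that `$script_src_sha` always carries both hashes, so the production policy also trusts the dev build's inline script; a hash only matches one exact script, so the exposure is small, but setting the variable per configuration (server.conf vs. server.dev.conf) would be tighter. `set` is a rewrite-module directive accepted in `server`/`location`/`if` context, not at `http` level, so it is worth confirming where this file is `include`d in both configurations before merging. The README hunk that documents these variables calls the header `Content-Security-Profile`; the header name is `Content-Security-Policy`, so that description should be corrected alongside this change.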