Implement security headers and HTTPS

2 years ago · 4ce321dc36
parent c4c64d0202
commit 4ce321dc36
6 changed files with 102 additions and 14 deletions
--- a/cmd/boardvoting/config.go
+++ b/cmd/boardvoting/config.go
@ -83,7 +83,7 @@ func parseConfig(ctx context.Context, configFile string) (context.Context, error

 	config := &Config{
 		HTTPAddress:  "127.0.0.1:8000",
-		HTTPSAddress: "127.0.0.1:8433",
+		HTTPSAddress: "127.0.0.1:8443",
 		Timeouts: &httpTimeoutConfig{
 			Idle:       httpIdleTimeout,
 			ReadHeader: httpReadHeaderTimeout,
--- a/cmd/boardvoting/main.go
+++ b/cmd/boardvoting/main.go
@ -20,10 +20,13 @@ package main

 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"database/sql"
 	"flag"
 	"fmt"
 	"html/template"
+	"io/ioutil"
 	"log"
 	"net/http"
 	"os"
@ -112,8 +115,37 @@ func main() {

 	go app.jobScheduler.Schedule()

+	infoLog.Printf("Starting server on %s", config.HTTPAddress)
+
+	errChan := make(chan error, 1)
+
+	go func() {
+		redirect := &http.Server{
+			Addr:              config.HTTPAddress,
+			Handler:           http.RedirectHandler(config.BaseURL, http.StatusMovedPermanently),
+			IdleTimeout:       config.Timeouts.Idle,
+			ReadHeaderTimeout: config.Timeouts.ReadHeader,
+			ReadTimeout:       config.Timeouts.Read,
+			WriteTimeout:      config.Timeouts.Write,
+		}
+
+		if err := redirect.ListenAndServe(); err != nil {
+			errChan <- err
+		}
+
+		close(errChan)
+	}()
+
+	tlsConfig, err := setupTLSConfig(config)
+	if err != nil {
+		errorLog.Fatalf("could not setup TLS configuration: %v", err)
+	}
+
+	infoLog.Printf("TLS config setup, starting TLS server on %s", config.HTTPSAddress)
+
 	srv := &http.Server{
-		Addr:              config.HTTPAddress,
+		Addr:              config.HTTPSAddress,
+		TLSConfig:         tlsConfig,
 		ErrorLog:          errorLog,
 		Handler:           app.routes(),
 		IdleTimeout:       config.Timeouts.Idle,
@ -122,11 +154,35 @@ func main() {
 		WriteTimeout:      config.Timeouts.Write,
 	}

-	infoLog.Printf("Starting server on %s", config.HTTPAddress)
+	err = srv.ListenAndServeTLS(config.ServerCert, config.ServerKey)
+	if err != nil {
+		errorLog.Fatalf("ListenAndServeTLS (HTTPS) failed: %v", err)
+	}
+
+	if err := <-errChan; err != nil {
+		errorLog.Fatalf("ListenAndServe (HTTP) failed: %v", err)
+	}
+}

-	err = srv.ListenAndServe()
+func setupTLSConfig(config *Config) (*tls.Config, error) {
+	caCert, err := ioutil.ReadFile(config.ClientCACertificates)
+	if err != nil {
+		return nil, fmt.Errorf("could not read client certificate CAs %w", err)
+	}
+
+	caCertPool := x509.NewCertPool()
+	if !caCertPool.AppendCertsFromPEM(caCert) {
+		return nil, fmt.Errorf(
+			"could not initialize client CA certificate pool from %s",
+			config.ClientCACertificates,
+		)
+	}

-	errorLog.Fatal(err)
+	return &tls.Config{
+		MinVersion: tls.VersionTLS12,
+		ClientCAs:  caCertPool,
+		ClientAuth: tls.VerifyClientCertIfGiven,
+	}, nil
 }

 func openDB(dbFile string) (*sqlx.DB, error) {
--- a/cmd/boardvoting/middleware.go
+++ b/cmd/boardvoting/middleware.go
@ -0,0 +1,33 @@
+/*
+Copyright 2022 CAcert Inc.
+SPDX-License-Identifier: Apache-2.0
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package main
+
+import "net/http"
+
+func secureHeaders(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Security-Policy", "default-src 'self'; font-src 'self' data:")
+		w.Header().Set("Referrer-Policy", "origin-when-cross-origin")
+		w.Header().Set("X-Content-Type-Options", "nosniff")
+		w.Header().Set("X-Frame-Options", "deny")
+		w.Header().Set("X-XSS-Protection", "0")
+		w.Header().Set("Strict-Transport-Security", "max-age=63072000")
+
+		next.ServeHTTP(w, r)
+	})
+}
--- a/cmd/boardvoting/routes.go
+++ b/cmd/boardvoting/routes.go
@ -27,7 +27,7 @@ import (
 	"git.cacert.org/cacert-boardvoting/ui"
 )

-func (app *application) routes() *http.ServeMux {
+func (app *application) routes() http.Handler {
 	mux := http.NewServeMux()

 	staticDir, _ := fs.Sub(ui.Files, "static")
@ -44,5 +44,5 @@ func (app *application) routes() *http.ServeMux {
 	mux.HandleFunc("/", app.home)
 	mux.HandleFunc("/motions/", app.motionList)

-	return mux
+	return secureHeaders(mux)
 }
--- a/ui/html/base.html
+++ b/ui/html/base.html
@ -44,12 +44,6 @@
 </body>
 <script src="/static/jquery.min.js"></script>
 <script src="/static/semantic.min.js"></script>
-<script type="text/javascript">
-    $(document).ready(function () {
-        $('.message .close').on('click', function () {
-            $(this).closest('.message').transition('fade');
-        });
-    });
-</script>
+<script src="/static/handlers.js"></script>
 </html>
 {{ end }}
--- a/ui/static/handlers.js
+++ b/ui/static/handlers.js
@ -0,0 +1,5 @@
+$(document).ready(function () {
+    $('.message .close').on('click', function () {
+        $(this).closest('.message').transition('fade');
+    });
+});