diff --git a/README.md b/README.md
index 5bdd9d8..46e1186 100644
--- a/README.md
+++ b/README.md
@@ -34,8 +34,8 @@ Run unit tests with `npm run test`. Jest will pick up test in files with the `.t
 To run integration tests:
-1. First install chromedriver `./scripts/install-chromedriver.sh`
-1. Make sure you also have a compatible version of chrome (88)
+1. First install chromedriver `sudo ./scripts/install-chromedriver.sh`
+1. Make sure you also have a compatible version of chrome (110)
 1. Run the proxy and dependencies with `./scripts/dev.sh`
 1. Then run tests with `npm run integration-test`
diff --git a/integration-tests.dockerfile b/integration-tests.dockerfile
index 6831b57..0c647f4 100755
--- a/integration-tests.dockerfile
+++ b/integration-tests.dockerfile
@@ -11,6 +11,7 @@ RUN apt-get update && apt-get install -yq \
 libcairo2 \
 libcups2 \
 libdbus-1-3 \
+ libdrm2 \
 libexpat1 \
 libfontconfig1 \
 libgcc1 \
@@ -18,6 +19,7 @@ RUN apt-get update && apt-get install -yq \
 libgdk-pixbuf2.0-0 \
 libglib2.0-0 \
 libgtk-3-0 \
+ libgbm1 \
 libnspr4 \
 libpango-1.0-0 \
 libpangocairo-1.0-0 \
@@ -35,6 +37,8 @@ RUN apt-get update && apt-get install -yq \
 libxrender1 \
 libxss1 \
 libxtst6 \
+ libu2f-udev \
+ libvulkan1 \
 ca-certificates \
 fonts-liberation \
 libappindicator1 \
diff --git a/nginx.montagu.conf b/nginx.montagu.conf
index 984643b..fc6537c 100644
--- a/nginx.montagu.conf
+++ b/nginx.montagu.conf
@@ -3,13 +3,37 @@ server {
 listen _PORT_ ssl;
 server_name localhost montagu.vaccineimpact.org;
+ # Enable HTTP Strict Transport Security (HSTS)
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+ # https://scotthelme.co.uk/content-security-policy-an-introduction/
+ # https://content-security-policy.com/examples/nginx/
+
+ # add_header Content-Security-Policy "default-src 'self';" always;
+ # However, this one does work:
+ add_header Content-Security-Policy "frame-ancestors 'self' *.vaccineimpact.org" always;
+
+ # https://scotthelme.co.uk/hardening-your-http-response-headers/#x-frame-options
+ # https://geekflare.com/add-x-frame-options-nginx/
+ add_header X-Frame-Options "SAMEORIGIN";
+
+ # https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options
+ add_header X-Content-Type-Options "nosniff" always;
+
+ # https://scotthelme.co.uk/a-new-security-header-referrer-policy/
+ add_header Referrer-Policy 'origin' always;
+
+ # https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/
+ # Actual values adopted from securityheaders.com :)
+ add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=(), interest-cohort=()" always;
+
 ssl_certificate /etc/montagu/proxy/certificate.pem;
 ssl_certificate_key /etc/montagu/proxy/ssl_key.pem;
- # SSL settings as recommended by this blog: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
- ssl_prefer_server_ciphers on;
+ # SSL settings as recommended by https://ssl-config.mozilla.org
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
 ssl_session_cache shared:SSL:10m;
 ssl_dhparam /etc/montagu/proxy/dhparam.pem;
diff --git a/scripts/dev.sh b/scripts/dev.sh
index f684fef..e427964 100755
--- a/scripts/dev.sh
+++ b/scripts/dev.sh
@@ -47,7 +47,7 @@ docker run -d \
 -nginx.scrape-uri "http://reverse-proxy/basic_status"
 # the real dhparam will be 4096 bits but that takes ages to generate
-openssl dhparam -out workspace/dhparam.pem 1024
+openssl dhparam -out workspace/dhparam.pem 2048
 docker cp workspace/certificate.pem reverse-proxy:/etc/montagu/proxy/
 docker cp workspace/ssl_key.pem reverse-proxy:/etc/montagu/proxy/
diff --git a/scripts/install-chromedriver.sh b/scripts/install-chromedriver.sh
index ccc9693..242a528 100755
--- a/scripts/install-chromedriver.sh
+++ b/scripts/install-chromedriver.sh
@@ -1,10 +1,10 @@
 #!/usr/bin/env bash
-sudo apt-get update
-sudo apt-get install -y unzip xvfb libxi6 libgconf-2-4
+apt-get update
+apt-get install -y unzip xvfb libxi6 libgconf-2-4
-wget https://chromedriver.storage.googleapis.com/88.0.4324.96/chromedriver_linux64.zip
+wget https://chromedriver.storage.googleapis.com/110.0.5481.77/chromedriver_linux64.zip
 unzip chromedriver_linux64.zip
-sudo mv chromedriver /usr/bin/chromedriver
-sudo chown root:root /usr/bin/chromedriver
-sudo chmod +x /usr/bin/chromedriver
+mv chromedriver /usr/bin/chromedriver
+chown root:root /usr/bin/chromedriver
+chmod +x /usr/bin/chromedriver
diff --git a/scripts/run-integration-tests.sh b/scripts/run-integration-tests.sh
index fff1308..1410a4c 100755
--- a/scripts/run-integration-tests.sh
+++ b/scripts/run-integration-tests.sh
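Review bot: `add_header X-Frame-Options "SAMEORIGIN";` is the only new header without `always`, so nginx omits it on 4xx/5xx responses while the HSTS, CSP and nosniff headers on the neighbouring lines are still sent; make it `add_header X-Frame-Options "SAMEORIGIN" always;`. Keep in mind nginx's add_header inheritance rule as well: any `location` block later in this `server` (which continues past the hunk) that declares its own `add_header` silently drops every header set here, so those blocks need the same set or a shared `include`. `Referrer-Policy 'origin'` still sends the origin to cross-site and plain-HTTP destinations; `strict-origin-when-cross-origin` is the usual default unless that leak is intended. The commented-out `default-src 'self'` line together with "However, this one does work:" reads as a leftover experiment — either record why a full CSP was rejected (inline scripts or styles, presumably) or drop the two lines.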
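Review bot: `openssl dhparam -out workspace/dhparam.pem 2048` still generates a fresh, unaudited group on every run of the dev script and can take a noticeable time; since the proxy config now follows ssl-config.mozilla.org, whose recommendation is the published RFC 7919 `ffdhe2048` group, copying that group into `workspace/dhparam.pem` (OpenSSL 3 can emit it with `openssl genpkey -genparam -algorithm DH -pkeyopt group:ffdhe2048 -out workspace/dhparam.pem`; older builds can fetch it from the Mozilla generator page) gives a deterministic, standard parameter with no generation cost. 2048 bits is also the minimum the `DHE-RSA-*` suites in the new cipher list will accept, so the bump is required rather than cosmetic, and the comment above it promising a 4096-bit "real" group is now stronger than what the referenced Mozilla profile recommends — worth updating so the two do not disagree. The same two lines are duplicated in scripts/run-integration-tests.sh; the enclosing `docker run` command starts before this hunk.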
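Review bot: the `wget` of chromedriver_linux64.zip is still installed into /usr/bin without any integrity check, and with the `sudo` prefixes gone the script now runs entirely as root, so a substituted or truncated download lands directly on the system PATH; pin the archive hash next to the version and verify before unzipping, `echo "<sha256 of 110.0.5481.77 zip>  chromedriver_linux64.zip" | sha256sum -c -`. The script also has no `set -euo pipefail`, so a failed download (for example the pinned URL disappearing) still runs `unzip`, `mv` and `chown` against whatever is left in the working directory and exits 0; add `set -euo pipefail` directly after the shebang. Dropping the `sudo`s matches the README change, but the script now assumes rather than checks that it is root — a guard such as `[ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }` makes the failure mode clear when it is not.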
@@ -39,7 +39,7 @@ docker run -d \
 -nginx.scrape-uri "http://reverse-proxy/basic_status"
 # the real dhparam will be 4096 bits but that takes ages to generate
-openssl dhparam -out workspace/dhparam.pem 1024
+openssl dhparam -out workspace/dhparam.pem 2048
 docker cp workspace/certificate.pem reverse-proxy:/etc/montagu/proxy/
 docker cp workspace/ssl_key.pem reverse-proxy:/etc/montagu/proxy/
diff --git a/shared-build-env.dockerfile b/shared-build-env.dockerfile
index b82155e..be90d20 100644
--- a/shared-build-env.dockerfile
+++ b/shared-build-env.dockerfile
@@ -1,4 +1,18 @@
-FROM vimc/node-docker:master
+FROM node:16-buster
+
+RUN apt-get update
+RUN apt-get install -y \
+ apt-transport-https \
+ ca-certificates \
+ curl \
+ software-properties-common
+RUN curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
+RUN add-apt-repository \
+ "deb [arch=amd64] https://download.docker.com/linux/debian \
+ $(lsb_release -cs) \
+ stable"
+RUN apt-get update
+RUN apt-get install -y docker-ce
 ARG MONTAGU_GIT_ID="UNKNOWN"
 ARG MONTAGU_GIT_BRANCH="UNKNOWN"
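Review bot: `curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -` puts the Docker signing key into the global apt keyring, where it is trusted for every repository on the system rather than only Docker's, and `apt-key` itself is deprecated on current Debian; store the key under `/etc/apt/keyrings` and bind it to the source entry with `signed-by=` as in the rewrite below. Writing the source entry directly also removes the need for `software-properties-common`/`add-apt-repository`; `lsb-release` is listed explicitly because `$(lsb_release -cs)` is used but nothing in the new package list names it, so it presumably only arrives as a transitive dependency today. Each separate `RUN apt-get` layer leaves `/var/lib/apt/lists` in the image and can pair a stale index with a later install; chaining update, install and cleanup in one layer avoids both. If this build environment only talks to a host Docker daemon, `docker-ce-cli` is the much smaller install than the full `docker-ce`, but the diff does not show how docker is used, so confirm before narrowing it. The `ARG MONTAGU_GIT_*` lines are unchanged.
```dockerfile
FROM node:16-buster

RUN apt-get update && apt-get install -y --no-install-recommends \
    apt-transport-https \
    ca-certificates \
    curl \
    gnupg \
    lsb-release \
 && rm -rf /var/lib/apt/lists/*
RUN install -m 0755 -d /etc/apt/keyrings \
 && curl -fsSL https://download.docker.com/linux/debian/gpg \
    | gpg --dearmor -o /etc/apt/keyrings/docker.gpg \
 && chmod a+r /etc/apt/keyrings/docker.gpg \
 && echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" \
    > /etc/apt/sources.list.d/docker.list
RUN apt-get update && apt-get install -y --no-install-recommends docker-ce \
 && rm -rf /var/lib/apt/lists/*
# … unchanged: ARG MONTAGU_GIT_ID / ARG MONTAGU_GIT_BRANCH …
```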