Update TLS / Cipher settings

README.md

@@ -34,8 +34,8 @@ Run unit tests with `npm run test`. Jest will pick up test in files with the `.t
 
 To run integration tests:
 
-1. First install chromedriver `./scripts/install-chromedriver.sh`
-1. Make sure you also have a compatible version of chrome (88)
+1. First install chromedriver `sudo ./scripts/install-chromedriver.sh`
+1. Make sure you also have a compatible version of chrome (110)
 1. Run the proxy and dependencies with `./scripts/dev.sh`
 1. Then run tests with `npm run integration-test`
 

integration-tests.dockerfile

@@ -11,13 +11,15 @@ RUN apt-get update && apt-get install -yq \
                 libcairo2 \
                 libcups2 \
                 libdbus-1-3 \
+                libdrm2 \
                 libexpat1 \
                 libfontconfig1 \
                 libgcc1 \
                 libgconf-2-4 \
                 libgdk-pixbuf2.0-0 \
                 libglib2.0-0 \
                 libgtk-3-0 \
+                libgbm1 \
                 libnspr4 \
                 libpango-1.0-0 \
                 libpangocairo-1.0-0 \
@@ -35,6 +37,8 @@ RUN apt-get update && apt-get install -yq \
                 libxrender1 \
                 libxss1 \
                 libxtst6 \
+                libu2f-udev \
+                libvulkan1 \
                 ca-certificates \
                 fonts-liberation \
                 libappindicator1 \

nginx.montagu.conf

@@ -3,13 +3,37 @@ server {
     listen       _PORT_ ssl;
     server_name  localhost  montagu.vaccineimpact.org;
 
+    # Enable HTTP Strict Transport Security (HSTS)
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+    # https://scotthelme.co.uk/content-security-policy-an-introduction/
+    # https://content-security-policy.com/examples/nginx/
+
+    # add_header Content-Security-Policy "default-src 'self';" always;
+    # However, this one does work:
+    add_header Content-Security-Policy "frame-ancestors 'self' *.vaccineimpact.org" always;
+
+    # https://scotthelme.co.uk/hardening-your-http-response-headers/#x-frame-options
+    # https://geekflare.com/add-x-frame-options-nginx/
+    add_header X-Frame-Options "SAMEORIGIN";
+
+    # https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options
+    add_header X-Content-Type-Options "nosniff" always;
+
+    # https://scotthelme.co.uk/a-new-security-header-referrer-policy/
+    add_header Referrer-Policy 'origin' always;
+
+    # https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/
+    # Actual values adopted from securityheaders.com :)
+    add_header Permissions-Policy "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=(), interest-cohort=()" always;
+
     ssl_certificate      /etc/montagu/proxy/certificate.pem;
     ssl_certificate_key  /etc/montagu/proxy/ssl_key.pem;
 
-    # SSL settings as recommended by this blog: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
-    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
-    ssl_prefer_server_ciphers on;
+    # SSL settings as recommended by https://ssl-config.mozilla.org
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
     ssl_session_cache shared:SSL:10m;
     ssl_dhparam /etc/montagu/proxy/dhparam.pem;
 

scripts/dev.sh

@@ -47,7 +47,7 @@ docker run -d \
     -nginx.scrape-uri "http://reverse-proxy/basic_status"
 
 # the real dhparam will be 4096 bits but that takes ages to generate
-openssl dhparam -out workspace/dhparam.pem 1024
+openssl dhparam -out workspace/dhparam.pem 2048
 
 docker cp workspace/certificate.pem reverse-proxy:/etc/montagu/proxy/
 docker cp workspace/ssl_key.pem reverse-proxy:/etc/montagu/proxy/

scripts/install-chromedriver.sh

@@ -1,10 +1,10 @@
 #!/usr/bin/env bash
 
-sudo apt-get update
-sudo apt-get install -y unzip xvfb libxi6 libgconf-2-4
+apt-get update
+apt-get install -y unzip xvfb libxi6 libgconf-2-4
 
-wget https://chromedriver.storage.googleapis.com/88.0.4324.96/chromedriver_linux64.zip
+wget https://chromedriver.storage.googleapis.com/110.0.5481.77/chromedriver_linux64.zip
 unzip chromedriver_linux64.zip
-sudo mv chromedriver /usr/bin/chromedriver
-sudo chown root:root /usr/bin/chromedriver
-sudo chmod +x /usr/bin/chromedriver
+mv chromedriver /usr/bin/chromedriver
+chown root:root /usr/bin/chromedriver
+chmod +x /usr/bin/chromedriver

scripts/run-integration-tests.sh

@@ -39,7 +39,7 @@ docker run -d \
     -nginx.scrape-uri "http://reverse-proxy/basic_status"
 
 # the real dhparam will be 4096 bits but that takes ages to generate
-openssl dhparam -out workspace/dhparam.pem 1024
+openssl dhparam -out workspace/dhparam.pem 2048
 
 docker cp workspace/certificate.pem reverse-proxy:/etc/montagu/proxy/
 docker cp workspace/ssl_key.pem reverse-proxy:/etc/montagu/proxy/

shared-build-env.dockerfile

@@ -1,4 +1,18 @@
-FROM vimc/node-docker:master
+FROM node:16-buster
+
+RUN apt-get update
+RUN apt-get install -y \
+        apt-transport-https \
+        ca-certificates \
+        curl \
+        software-properties-common
+RUN curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add -
+RUN add-apt-repository \
+   "deb [arch=amd64] https://download.docker.com/linux/debian \
+   $(lsb_release -cs) \
+   stable"
+RUN apt-get update
+RUN apt-get install -y docker-ce
 
 ARG MONTAGU_GIT_ID="UNKNOWN"
 ARG MONTAGU_GIT_BRANCH="UNKNOWN"