Website does not meet Agency's DIT (Data In Transit) or TLS (Transport Layer Security) requirements

[cowen23]

Environment

VMware
Red Hat Enterprise Linux release 8.8 (Ootpa)
d103da8

Issue details

After meza deploy monolith, the haproxy configuration does not meet NASA specs.

Edit /etc/haproxy/haproxy.cfg and update settings based on NASA-SPEC-2650 for TLS.
Set ciphers:
ssl-default-bind-ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!DHE-RSA-CAMELLIA256-SHA:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA:!DHE-RSA-SEED-SHA:!DHE-RSA-CAMELLIA128-SHA

Set protocols:
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11

Commented out port 80:
#frontend www-http

bind *:80

reqadd X-Forwarded-Proto:\ http

default_backend www-backend

Set HSTS max-age to one year:
http-response set-header Strict-Transport-Security max-age=31557600;\ includeSubDomains;\ preload;

Each administrator should copy their server's certificate, unencrypted certificate key, and CA chain into /etc/haproxy/certs/meza.pem
Ex. cat server.crt server.key ca-bundle.crt > meza.pem

Also, update template so that future deployments retain the settings:
/opt/meza/src/roles/haproxy/templates/haproxy.cfg.j2

NASA-SPEC-2650_v4.0_TLS.pdf

[revansx]

I hope to have this fixed soon. Thanks!

[revansx]

the cipher's will be added to the haproxy template directly and the port 80 will be conditional based on a public.yml setting that we will update the deploy script to solicit from the user if it doesn't already exist in public.yml

[ndc-rkevans]

Fixed in 39.x with 8eb2240