From e29c33663deaa144629fc7994b1b228aff02efc8 Mon Sep 17 00:00:00 2001 From: Roland Gruber Date: Sat, 14 Jan 2023 14:17:15 +0100 Subject: [PATCH] HSTS --- lam-packaging/RPM/lam.apache.conf | 3 ++ lam-packaging/RPM/lam.nginx.conf | 2 + lam-packaging/debian/lam.apache.conf | 3 ++ lam-packaging/debian/lam.nginx.conf | 2 + lam/docs/manual-sources/appendix-security.xml | 46 ++++++++++++++++--- 5 files changed, 50 insertions(+), 6 deletions(-) diff --git a/lam-packaging/RPM/lam.apache.conf b/lam-packaging/RPM/lam.apache.conf index 99392684d..ed00ea109 100644 --- a/lam-packaging/RPM/lam.apache.conf +++ b/lam-packaging/RPM/lam.apache.conf @@ -1,6 +1,9 @@ Alias /lam /usr/share/ldap-account-manager +# HSTS header to enforce https:// connections (requires active mod_headers) +# Header always set Strict-Transport-Security "max-age=31536000" + Options +FollowSymLinks AllowOverride None diff --git a/lam-packaging/RPM/lam.nginx.conf b/lam-packaging/RPM/lam.nginx.conf index 6f945d99d..b8fab4342 100644 --- a/lam-packaging/RPM/lam.nginx.conf +++ b/lam-packaging/RPM/lam.nginx.conf @@ -2,6 +2,8 @@ location /lam { index index.html; alias /usr/share/ldap-account-manager; autoindex off; + # HSTS header to enforce https:// connections + # add_header Strict-Transport-Security "max-age=31536000"; location ~ /lam/tmp/(.|\n)*\.(php|inc)$ { deny all; diff --git a/lam-packaging/debian/lam.apache.conf b/lam-packaging/debian/lam.apache.conf index 99392684d..ed00ea109 100644 --- a/lam-packaging/debian/lam.apache.conf +++ b/lam-packaging/debian/lam.apache.conf @@ -1,6 +1,9 @@ Alias /lam /usr/share/ldap-account-manager +# HSTS header to enforce https:// connections (requires active mod_headers) +# Header always set Strict-Transport-Security "max-age=31536000" + Options +FollowSymLinks AllowOverride None diff --git a/lam-packaging/debian/lam.nginx.conf b/lam-packaging/debian/lam.nginx.conf index 3229d3280..4e93e9b9a 100644 --- a/lam-packaging/debian/lam.nginx.conf 
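Review bot: The commented `Header always set Strict-Transport-Security "max-age=31536000"` is placed at server scope right after the `Alias` line, but HSTS is a per-host policy, not a per-path one: once uncommented it is enforced for every path and every virtual host that includes this snippet, not only `/lam`, and browsers honour it only on responses received over TLS (RFC 6797 §8.1), so on hosts that also serve plain HTTP or other applications it belongs in the HTTPS `<VirtualHost>` rather than here. The comment notes that mod_headers is required, but an uncommented `Header` directive without the module is a hard startup failure ("Invalid command 'Header'"), so either wrap it — `<IfModule mod_headers.c>` / `Header always set Strict-Transport-Security "max-age=31536000"` / `</IfModule>` — or say so in the comment; the wrapper turns a missing module into a silent no-op, so the header should be verified in a live response after enabling. A one-year `max-age` is hard to undo if the certificate lapses; suggest the comment recommend starting with a short value such as `max-age=300` and raising it once https is confirmed to work. The `<Directory>` context line of this hunk appears stripped in this rendering, so the directive's scope is inferred from its position after `Alias`.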
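Review bot: The commented `add_header Strict-Transport-Security "max-age=31536000";` lacks the `always` flag, so once enabled nginx attaches the header only to 2xx/3xx responses (200, 201, 204, 206, 301, 302, 303, 304, 307, 308); the 403 produced by `deny all;` in the nested `/lam/tmp` location, and any 4xx/5xx from the PHP backend (e.g. a failed login), would be sent without HSTS. Suggest `# add_header Strict-Transport-Security "max-age=31536000" always;` (nginx 1.7.5+). Also, `add_header` directives are not inherited into a nested `location` that declares any `add_header` of its own, so if the `/lam/tmp` or PHP locations ever set a header the HSTS header silently disappears there; setting it in the TLS `server {}` block avoids that and matches HSTS's host-wide scope (it applies to the whole hostname, not only `/lam`, and is ignored by browsers on plain-HTTP responses). The `location /lam {` block continues beyond this hunk.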
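Review bot: The Debian copy has the same issue as the RPM one: `Header always set Strict-Transport-Security "max-age=31536000"` at server scope in an application snippet applies to every path and every vhost including this file, while browsers only honour HSTS on TLS responses, so it should live in the HTTPS `<VirtualHost>` of the host. If it stays here, guard it so that uncommenting it on a system without mod_headers does not abort Apache startup: `<IfModule mod_headers.c>` / `Header always set Strict-Transport-Security "max-age=31536000"` / `</IfModule>`, and mention in the comment that a missing module then yields no header rather than an error. The `<Directory>` context line of this hunk appears stripped in this rendering.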
+++ b/lam-packaging/debian/lam.nginx.conf @@ -2,6 +2,8 @@ location /lam { index index.html; alias /usr/share/ldap-account-manager; autoindex off; + # HSTS header to enforce https:// connections + # add_header Strict-Transport-Security "max-age=31536000"; location ~ /lam/tmp/(.|\n)*\.(php|inc)$ { deny all; diff --git a/lam/docs/manual-sources/appendix-security.xml b/lam/docs/manual-sources/appendix-security.xml index 64ae1f8d0..e3018696c 100644 --- a/lam/docs/manual-sources/appendix-security.xml +++ b/lam/docs/manual-sources/appendix-security.xml @@ -188,6 +188,22 @@ semodule -i httpdlocal.pp
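Review bot: As in the RPM variant, the commented `add_header Strict-Transport-Security "max-age=31536000";` is missing `always`, so nginx would omit HSTS from every non-2xx/3xx response, including the 403 from the nested `deny all;` location and error responses from PHP. Suggest `# add_header Strict-Transport-Security "max-age=31536000" always;` (nginx 1.7.5+), and a comment noting that a nested `location` with its own `add_header` drops inherited headers, which is why the `server {}` block of the TLS vhost is the safer place for a host-wide policy like HSTS. The `location /lam {` block continues beyond this hunk.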
Apache configuration +
+ Security headers + + LAM already sets several security headers by default. For + production machines it is recommended to run LAM with "https://" + enabled. In this case the HSTS header should be set, e.g. like + this: + + Header always set Strict-Transport-Security "max-age=31536000" + + This will enforce browsers to connect via "https://". Please note + that you need to make sure that your installation has a valid + certificate now and in the future. The configuration requires + mod_headers to be active. +
+
Sensitive directories @@ -372,6 +388,22 @@ semodule -i httpdlocal.pp There is no fully automatic setup of Nginx but LAM provides a ready-to-use configuration file. +
+ Security headers + + LAM already sets several security headers by default. For + production machines it is recommended to run LAM with "https://" + enabled. In this case the HSTS header should be set. + + This will enforce browsers to connect via "https://". Please note + that you need to make sure that your installation has a valid + certificate now and in the future. + + The example configurations below already include a commented + example for "Strict-Transport-Security" (HSTS). You can activate it if + needed. +
+
RPM based installations @@ -390,9 +422,9 @@ semodule -i httpdlocal.pp ... } - The included config file uses PHP 5. In case you run with PHP 7 - please update the parameter "fastcgi_pass" to - "/var/run/php7-fpm.sock". + The included config file uses "127.0.0.1:9000" for PHP. In case + you run PHP with a socket please update the parameter "fastcgi_pass" to + e.g. "/var/run/php8-fpm.sock".
@@ -409,9 +441,9 @@ semodule -i httpdlocal.pp ... } - The included config file uses PHP 7.0. In case you run with PHP - 7.1 or PHP 5 please update the parameter "fastcgi_pass" to - "/var/run/php/php7.1-fpm.sock". + The included config file uses PHP 7.4. In case you run with PHP 8 + please update the parameter "fastcgi_pass" to e.g. + "/var/run/php/php8.1-fpm.sock".
@@ -429,6 +461,8 @@ semodule -i httpdlocal.pp index index.html; alias /usr/share/ldap-account-manager; autoindex off; + # HSTS header to enforce https:// connections + # add_header Strict-Transport-Security "max-age=31536000"; location ~ \.php$ { fastcgi_split_path_info ^(.+\.php)(/.+)$;