From 6d37234ae0e22f9dc217e49493f168dd054c5f97 Mon Sep 17 00:00:00 2001
From: swatign
Date: Thu, 30 Jan 2025 11:16:48 +0530
Subject: [PATCH] configuring the x-xss-protrction and csp header value
Signed-off-by: swatign
---
 .../builder_api_proxy/config_request.go | 5 +
 .../builder_api_proxy/config_request.pb.go | 80 ++--
 .../builder_api_proxy/config_request.proto | 1 +
 api/config/load_balancer/config_request.go | 5 +
 api/config/load_balancer/config_request.pb.go | 97 +++--
 api/config/load_balancer/config_request.proto | 2 +
 api/config/shared/global.go | 1 +
 api/config/shared/global.pb.go | 378 +++++++++---------
 api/config/shared/global.proto | 1 +
 .../habitat/config/nginx.conf | 2 +-
 .../config/automate-cs-nginx-location.conf | 2 +-
 .../habitat/config/nginx.conf | 36 +-
 12 files changed, 340 insertions(+), 270 deletions(-)
diff --git a/api/config/builder_api_proxy/config_request.go b/api/config/builder_api_proxy/config_request.go
index b69e9b03d4e..96b11b18211 100644
--- a/api/config/builder_api_proxy/config_request.go
+++ b/api/config/builder_api_proxy/config_request.go
@@ -30,6 +30,7 @@ func DefaultConfigRequest() *ConfigRequest {
 c.V1.Sys.Http.SslProtocols = w.String("TLSv1.2 TLSv1.3")
 c.V1.Sys.Http.SslCiphers = w.String(config.InternalCipherSuite)
 c.V1.Sys.Http.SslVerifyDepth = w.Int32(2)
+ c.V1.Sys.Http.XXssProtection = w.String("1; mode=block")
 return c
 }
@@ -60,6 +61,10 @@ func (c *ConfigRequest) SetGlobalConfig(g *config.GlobalConfig) {
 if logLevel := g.GetV1().GetLog().GetLevel().GetValue(); logLevel != "" {
 c.V1.Sys.Log.Level.Value = config.GlobalLogLevelToNginxLevel(logLevel)
 }
+
+ if xxssProtextion := g.GetV1().GetSys().GetNgx().GetHttp().XXssProtection; xxssProtextion != nil {
+ c.V1.Sys.Http.XXssProtection = xxssProtextion
+ }
 }
 // PrepareSystemConfig returns a system configuration that can be used
diff --git a/api/config/builder_api_proxy/config_request.pb.go b/api/config/builder_api_proxy/config_request.pb.go
index 374f8ac80a1..05b4e3607d2 100644
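Review bot: The override added to SetGlobalConfig reads the struct field directly, `GetHttp().XXssProtection`, so a global config with no `ngx.http` section would dereference a nil `*Http` and panic, because the generated getters return nil for an unset message. This patch also generates a nil-safe getter for the field, so the condition can be `if xss := g.GetV1().GetSys().GetNgx().GetHttp().GetXXssProtection(); xss != nil {`, which also fixes the misspelled local `xxssProtextion`. The same direct field access is in the SetGlobalConfig hunk of api/config/load_balancer/config_request.go. Whether callers always pass a config merged with DefaultGlobalConfig is not visible here, so the panic is inferred rather than confirmed. SetGlobalConfig continues outside the hunk.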
--- a/api/config/builder_api_proxy/config_request.pb.go +++ b/api/config/builder_api_proxy/config_request.pb.go @@ -463,6 +463,7 @@ type ConfigRequest_V1_System_HTTP struct { SslCiphers *wrapperspb.StringValue `protobuf:"bytes,4,opt,name=ssl_ciphers,json=sslCiphers,proto3" json:"ssl_ciphers,omitempty" toml:"ssl_ciphers,omitempty" mapstructure:"ssl_ciphers,omitempty"` SslProtocols *wrapperspb.StringValue `protobuf:"bytes,5,opt,name=ssl_protocols,json=sslProtocols,proto3" json:"ssl_protocols,omitempty" toml:"ssl_protocols,omitempty" mapstructure:"ssl_protocols,omitempty"` SslVerifyDepth *wrapperspb.Int32Value `protobuf:"bytes,6,opt,name=ssl_verify_depth,json=sslVerifyDepth,proto3" json:"ssl_verify_depth,omitempty" toml:"ssl_verify_depth,omitempty" mapstructure:"ssl_verify_depth,omitempty"` + XXssProtection *wrapperspb.StringValue `protobuf:"bytes,7,opt,name=x_xss_protection,json=xXssProtection,proto3" json:"x_xss_protection,omitempty" toml:"x_xss_protection,omitempty" mapstructure:"x_xss_protection,omitempty"` unknownFields protoimpl.UnknownFields sizeCache protoimpl.SizeCache } @@ -539,6 +540,13 @@ func (x *ConfigRequest_V1_System_HTTP) GetSslVerifyDepth() *wrapperspb.Int32Valu return nil } +func (x *ConfigRequest_V1_System_HTTP) GetXXssProtection() *wrapperspb.StringValue { + if x != nil { + return x.XXssProtection + } + return nil +} + type ConfigRequest_V1_System_Web struct { state protoimpl.MessageState `protogen:"open.v1"` CookieDomain *wrapperspb.StringValue `protobuf:"bytes,1,opt,name=cookie_domain,json=cookieDomain,proto3" json:"cookie_domain,omitempty" toml:"cookie_domain,omitempty" mapstructure:"cookie_domain,omitempty"` 
@@ -616,13 +624,13 @@ var file_config_builder_api_proxy_config_request_proto_rawDesc = []byte{ 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x61, 0x32, 0x63, 0x6f, 0x6e, 0x66, 0x2f, 0x61, 0x6e, 0x6e, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x77, - 0x72, 0x61, 0x70, 0x70, 0x65, 0x72, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xdf, 0x12, + 0x72, 0x61, 0x70, 0x70, 0x65, 0x72, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xa7, 0x13, 0x0a, 0x0d, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x48, 0x0a, 0x02, 0x76, 0x31, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x38, 0x2e, 0x63, 0x68, 0x65, 0x66, 0x2e, 0x61, 0x75, 0x74, 0x6f, 0x6d, 0x61, 0x74, 0x65, 0x2e, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x2e, 0x62, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x5f, 0x61, 0x70, 0x69, 0x5f, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x2e, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, - 0x73, 0x74, 0x2e, 0x56, 0x31, 0x52, 0x02, 0x76, 0x31, 0x1a, 0xe1, 0x11, 0x0a, 0x02, 0x56, 0x31, + 0x73, 0x74, 0x2e, 0x56, 0x31, 0x52, 0x02, 0x76, 0x31, 0x1a, 0xa9, 0x12, 0x0a, 0x02, 0x56, 0x31, 0x12, 0x51, 0x0a, 0x03, 0x73, 0x79, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x3f, 0x2e, 0x63, 0x68, 0x65, 0x66, 0x2e, 0x61, 0x75, 0x74, 0x6f, 0x6d, 0x61, 0x74, 0x65, 0x2e, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x2e, 0x62, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x5f, 0x61, 0x70, 0x69, 
@@ -633,7 +641,7 @@ var file_config_builder_api_proxy_config_request_proto_rawDesc = []byte{ 0x2e, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x2e, 0x62, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x5f, 0x61, 0x70, 0x69, 0x5f, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x2e, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x2e, 0x56, 0x31, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x69, - 0x63, 0x65, 0x52, 0x03, 0x73, 0x76, 0x63, 0x1a, 0xa8, 0x10, 0x0a, 0x06, 0x53, 0x79, 0x73, 0x74, + 0x63, 0x65, 0x52, 0x03, 0x73, 0x76, 0x63, 0x1a, 0xf0, 0x10, 0x0a, 0x06, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x12, 0x34, 0x0a, 0x04, 0x6d, 0x6c, 0x73, 0x61, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x20, 0x2e, 0x63, 0x68, 0x65, 0x66, 0x2e, 0x61, 0x75, 0x74, 0x6f, 0x6d, 0x61, 0x74, 0x65, 0x2e, 0x69, 0x6e, 0x66, 0x72, 0x61, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x4d, 0x6c, @@ -723,7 +731,7 @@ var file_config_builder_api_proxy_config_request_proto_rawDesc = []byte{ 0x67, 0x12, 0x3b, 0x0a, 0x0b, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x5f, 0x67, 0x7a, 0x69, 0x70, 0x18, 0x09, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, - 0x75, 0x65, 0x52, 0x0a, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x47, 0x7a, 0x69, 0x70, 0x1a, 0xb7, + 0x75, 0x65, 0x52, 0x0a, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x47, 0x7a, 0x69, 0x70, 0x1a, 0xff, 0x03, 0x0a, 0x04, 0x48, 0x54, 0x54, 0x50, 0x12, 0x50, 0x0a, 0x15, 0x6b, 0x65, 0x65, 0x70, 0x61, 0x6c, 0x69, 0x76, 0x65, 0x5f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 
@@ -751,27 +759,32 @@ var file_config_builder_api_proxy_config_request_proto_rawDesc = []byte{ 0x64, 0x65, 0x70, 0x74, 0x68, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1b, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x49, 0x6e, 0x74, 0x33, 0x32, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x0e, 0x73, 0x73, 0x6c, 0x56, 0x65, 0x72, - 0x69, 0x66, 0x79, 0x44, 0x65, 0x70, 0x74, 0x68, 0x1a, 0xc7, 0x01, 0x0a, 0x03, 0x57, 0x65, 0x62, - 0x12, 0x41, 0x0a, 0x0d, 0x63, 0x6f, 0x6f, 0x6b, 0x69, 0x65, 0x5f, 0x64, 0x6f, 0x6d, 0x61, 0x69, - 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, - 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x53, 0x74, 0x72, 0x69, 0x6e, 0x67, - 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x0c, 0x63, 0x6f, 0x6f, 0x6b, 0x69, 0x65, 0x44, 0x6f, 0x6d, - 0x61, 0x69, 0x6e, 0x12, 0x3e, 0x0a, 0x0b, 0x65, 0x6e, 0x76, 0x69, 0x72, 0x6f, 0x6e, 0x6d, 0x65, - 0x6e, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, - 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x53, 0x74, 0x72, 0x69, 0x6e, - 0x67, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x0b, 0x65, 0x6e, 0x76, 0x69, 0x72, 0x6f, 0x6e, 0x6d, - 0x65, 0x6e, 0x74, 0x12, 0x3d, 0x0a, 0x0c, 0x75, 0x73, 0x65, 0x5f, 0x67, 0x72, 0x61, 0x76, 0x61, - 0x74, 0x61, 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, - 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, - 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x0b, 0x75, 0x73, 0x65, 0x47, 0x72, 0x61, 0x76, 0x61, 0x74, - 0x61, 0x72, 0x1a, 0x09, 0x0a, 0x07, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x3a, 0x20, 0xc2, - 0xf3, 0x18, 0x1c, 0x0a, 0x1a, 0x61, 0x75, 0x74, 0x6f, 0x6d, 0x61, 0x74, 0x65, 0x2d, 0x62, 0x75, - 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2d, 0x61, 0x70, 0x69, 0x2d, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x42, - 0x44, 0x5a, 0x42, 0x67, 0x69, 0x74, 0x68, 
0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x63, 0x68, - 0x65, 0x66, 0x2f, 0x61, 0x75, 0x74, 0x6f, 0x6d, 0x61, 0x74, 0x65, 0x2f, 0x61, 0x70, 0x69, 0x2f, - 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2f, 0x62, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x5f, 0x61, - 0x70, 0x69, 0x5f, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x3b, 0x62, 0x6c, 0x64, 0x72, 0x61, 0x70, 0x69, - 0x70, 0x72, 0x6f, 0x78, 0x79, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x69, 0x66, 0x79, 0x44, 0x65, 0x70, 0x74, 0x68, 0x12, 0x46, 0x0a, 0x10, 0x78, 0x5f, 0x78, 0x73, + 0x73, 0x5f, 0x70, 0x72, 0x6f, 0x74, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x07, 0x20, 0x01, + 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x53, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x56, 0x61, 0x6c, 0x75, 0x65, + 0x52, 0x0e, 0x78, 0x58, 0x73, 0x73, 0x50, 0x72, 0x6f, 0x74, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, + 0x1a, 0xc7, 0x01, 0x0a, 0x03, 0x57, 0x65, 0x62, 0x12, 0x41, 0x0a, 0x0d, 0x63, 0x6f, 0x6f, 0x6b, + 0x69, 0x65, 0x5f, 0x64, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, + 0x1c, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, + 0x66, 0x2e, 0x53, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x0c, 0x63, + 0x6f, 0x6f, 0x6b, 0x69, 0x65, 0x44, 0x6f, 0x6d, 0x61, 0x69, 0x6e, 0x12, 0x3e, 0x0a, 0x0b, 0x65, + 0x6e, 0x76, 0x69, 0x72, 0x6f, 0x6e, 0x6d, 0x65, 0x6e, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, + 0x32, 0x1c, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, + 0x75, 0x66, 0x2e, 0x53, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x0b, + 0x65, 0x6e, 0x76, 0x69, 0x72, 0x6f, 0x6e, 0x6d, 0x65, 0x6e, 0x74, 0x12, 0x3d, 0x0a, 0x0c, 0x75, + 0x73, 0x65, 0x5f, 0x67, 0x72, 0x61, 0x76, 0x61, 0x74, 0x61, 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, + 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, + 
0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x0b, 0x75, + 0x73, 0x65, 0x47, 0x72, 0x61, 0x76, 0x61, 0x74, 0x61, 0x72, 0x1a, 0x09, 0x0a, 0x07, 0x53, 0x65, + 0x72, 0x76, 0x69, 0x63, 0x65, 0x3a, 0x20, 0xc2, 0xf3, 0x18, 0x1c, 0x0a, 0x1a, 0x61, 0x75, 0x74, + 0x6f, 0x6d, 0x61, 0x74, 0x65, 0x2d, 0x62, 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x2d, 0x61, 0x70, + 0x69, 0x2d, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x42, 0x44, 0x5a, 0x42, 0x67, 0x69, 0x74, 0x68, 0x75, + 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x63, 0x68, 0x65, 0x66, 0x2f, 0x61, 0x75, 0x74, 0x6f, 0x6d, + 0x61, 0x74, 0x65, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2f, 0x62, + 0x75, 0x69, 0x6c, 0x64, 0x65, 0x72, 0x5f, 0x61, 0x70, 0x69, 0x5f, 0x70, 0x72, 0x6f, 0x78, 0x79, + 0x3b, 0x62, 0x6c, 0x64, 0x72, 0x61, 0x70, 0x69, 0x70, 0x72, 0x6f, 0x78, 0x79, 0x62, 0x06, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( 
@@ -832,14 +845,15 @@ var file_config_builder_api_proxy_config_request_proto_depIdxs = []int32{ 11, // 25: chef.automate.domain.builder_api_proxy.ConfigRequest.V1.System.HTTP.ssl_ciphers:type_name -> google.protobuf.StringValue 11, // 26: chef.automate.domain.builder_api_proxy.ConfigRequest.V1.System.HTTP.ssl_protocols:type_name -> google.protobuf.StringValue 12, // 27: chef.automate.domain.builder_api_proxy.ConfigRequest.V1.System.HTTP.ssl_verify_depth:type_name -> google.protobuf.Int32Value - 11, // 28: chef.automate.domain.builder_api_proxy.ConfigRequest.V1.System.Web.cookie_domain:type_name -> google.protobuf.StringValue - 11, // 29: chef.automate.domain.builder_api_proxy.ConfigRequest.V1.System.Web.environment:type_name -> google.protobuf.StringValue - 13, // 30: chef.automate.domain.builder_api_proxy.ConfigRequest.V1.System.Web.use_gravatar:type_name -> google.protobuf.BoolValue - 31, // [31:31] is the sub-list for method output_type - 31, // [31:31] is the sub-list for method input_type - 31, // [31:31] is the sub-list for extension type_name - 31, // [31:31] is the sub-list for extension extendee - 0, // [0:31] is the sub-list for field type_name + 11, // 28: chef.automate.domain.builder_api_proxy.ConfigRequest.V1.System.HTTP.x_xss_protection:type_name -> google.protobuf.StringValue + 11, // 29: chef.automate.domain.builder_api_proxy.ConfigRequest.V1.System.Web.cookie_domain:type_name -> google.protobuf.StringValue + 11, // 30: chef.automate.domain.builder_api_proxy.ConfigRequest.V1.System.Web.environment:type_name -> google.protobuf.StringValue + 13, // 31: chef.automate.domain.builder_api_proxy.ConfigRequest.V1.System.Web.use_gravatar:type_name -> google.protobuf.BoolValue + 32, // [32:32] is the sub-list for method output_type + 32, // [32:32] is the sub-list for method input_type + 32, // [32:32] is the sub-list for extension type_name + 32, // [32:32] is the sub-list for extension extendee + 0, // [0:32] is the sub-list for field type_name } func 
init() { file_config_builder_api_proxy_config_request_proto_init() }
diff --git a/api/config/builder_api_proxy/config_request.proto b/api/config/builder_api_proxy/config_request.proto
index 0b0056c7898..c5de874c209 100644
--- a/api/config/builder_api_proxy/config_request.proto
+++ b/api/config/builder_api_proxy/config_request.proto
@@ -55,6 +55,7 @@ message ConfigRequest {
 google.protobuf.StringValue ssl_ciphers = 4;
 google.protobuf.StringValue ssl_protocols = 5;
 google.protobuf.Int32Value ssl_verify_depth = 6;
+ google.protobuf.StringValue x_xss_protection = 7;
 }
 message Web {
diff --git a/api/config/load_balancer/config_request.go b/api/config/load_balancer/config_request.go
index f2ee515989a..d90326ccb28 100644
--- a/api/config/load_balancer/config_request.go
+++ b/api/config/load_balancer/config_request.go
@@ -74,6 +74,8 @@ func DefaultConfigRequest() *ConfigRequest {
 c.V1.Sys.Ngx.Http.ProxyBusyBuffersSize = w.String("16k")
 c.V1.Sys.Ngx.Http.Ipv6Supported = w.Bool(ipV6Supported())
 c.V1.Sys.StaticConfig.Products = []string{"automate"}
+ c.V1.Sys.Ngx.Http.XXssProtection = w.String("1; mode=block")
+ c.V1.Sys.Ngx.Http.ContentSecurityPolicy = w.String("default-src 'self';frame-ancestors 'self';")
 return c
 }
@@ -173,6 +175,9 @@ func (c *ConfigRequest) SetGlobalConfig(g *config.GlobalConfig) {
 c.V1.Sys.Ngx.Http.IncludeXForwardedFor = xFwd
 }
+ if xxssProtextion := g.GetV1().GetSys().GetNgx().GetHttp().XXssProtection; xxssProtextion != nil {
+ c.V1.Sys.Ngx.Http.XXssProtection = xxssProtextion
+ }
 }
 // PrepareSystemConfig returns a system configuration that can be used
diff --git a/api/config/load_balancer/config_request.pb.go b/api/config/load_balancer/config_request.pb.go
index 7f628ecbf7b..31014f5405e 100644
--- a/api/config/load_balancer/config_request.pb.go
+++ b/api/config/load_balancer/config_request.pb.go
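Review bot: The `ContentSecurityPolicy` and `XXssProtection` defaults added at the end of load_balancer's DefaultConfigRequest are free-form operator strings, and no validation for them appears anywhere in this diff. The nginx templates are outside this view; if the values are interpolated into a quoted `add_header` directive, a value containing `"` or a line break would yield a broken or altered server config, so rejecting those characters where this package validates its config would be a sensible guard. The hunk also does not show how the new policy string relates to the existing `enable_csp_header` flag. A comment on the default such as `// emitted only when enable_csp_header is true` (or the opposite, whichever holds) would settle that for operators. DefaultConfigRequest starts outside the hunk.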
@@ -638,6 +638,8 @@ type ConfigRequest_V1_System_Nginx_Http struct { ProxyBuffers *wrapperspb.StringValue `protobuf:"bytes,27,opt,name=proxy_buffers,json=proxyBuffers,proto3" json:"proxy_buffers,omitempty" toml:"proxy_buffers,omitempty" mapstructure:"proxy_buffers,omitempty"` ProxyBusyBuffersSize *wrapperspb.StringValue `protobuf:"bytes,28,opt,name=proxy_busy_buffers_size,json=proxyBusyBuffersSize,proto3" json:"proxy_busy_buffers_size,omitempty" toml:"proxy_busy_buffers_size,omitempty" mapstructure:"proxy_busy_buffers_size,omitempty"` EnableCspHeader *wrapperspb.BoolValue `protobuf:"bytes,29,opt,name=enable_csp_header,json=enableCspHeader,proto3" json:"enable_csp_header,omitempty" toml:"enable_csp_header,omitempty" mapstructure:"enable_csp_header,omitempty"` + XXssProtection *wrapperspb.StringValue `protobuf:"bytes,32,opt,name=x_xss_protection,json=xXssProtection,proto3" json:"x_xss_protection,omitempty" toml:"x_xss_protection,omitempty" mapstructure:"x_xss_protection,omitempty"` + ContentSecurityPolicy *wrapperspb.StringValue `protobuf:"bytes,33,opt,name=content_security_policy,json=contentSecurityPolicy,proto3" json:"content_security_policy,omitempty" toml:"content_security_policy,omitempty" mapstructure:"content_security_policy,omitempty"` // Auto-calculated Ipv6Supported *wrapperspb.BoolValue `protobuf:"bytes,24,opt,name=ipv6_supported,json=ipv6Supported,proto3" json:"ipv6_supported,omitempty" toml:"ipv6_supported,omitempty" mapstructure:"ipv6_supported,omitempty"` EnableParam *wrapperspb.BoolValue `protobuf:"bytes,30,opt,name=enable_param,json=enableParam,proto3" json:"enable_param,omitempty" toml:"enable_param,omitempty" mapstructure:"enable_param,omitempty"` 
@@ -872,6 +874,20 @@ func (x *ConfigRequest_V1_System_Nginx_Http) GetEnableCspHeader() *wrapperspb.Bo return nil } +func (x *ConfigRequest_V1_System_Nginx_Http) GetXXssProtection() *wrapperspb.StringValue { + if x != nil { + return x.XXssProtection + } + return nil +} + +func (x *ConfigRequest_V1_System_Nginx_Http) GetContentSecurityPolicy() *wrapperspb.StringValue { + if x != nil { + return x.ContentSecurityPolicy + } + return nil +} + func (x *ConfigRequest_V1_System_Nginx_Http) GetIpv6Supported() *wrapperspb.BoolValue { if x != nil { return x.Ipv6Supported 
@@ -946,12 +962,12 @@ var file_config_load_balancer_config_request_proto_rawDesc = []byte{ 0x6e, 0x66, 0x2f, 0x61, 0x6e, 0x6e, 0x6f, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x77, 0x72, 0x61, 0x70, 0x70, 0x65, 0x72, 0x73, 0x2e, 0x70, - 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xae, 0x22, 0x0a, 0x0d, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, + 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xcc, 0x23, 0x0a, 0x0d, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x43, 0x0a, 0x02, 0x76, 0x31, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x33, 0x2e, 0x63, 0x68, 0x65, 0x66, 0x2e, 0x61, 0x75, 0x74, 0x6f, 0x6d, 0x61, 0x74, 0x65, 0x2e, 0x69, 0x6e, 0x66, 0x72, 0x61, 0x2e, 0x6c, 0x6f, 0x61, 0x64, 0x5f, 0x62, 0x61, 0x6c, 0x61, 0x6e, 0x63, 0x65, 0x72, 0x2e, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x65, 0x71, - 0x75, 0x65, 0x73, 0x74, 0x2e, 0x56, 0x31, 0x52, 0x02, 0x76, 0x31, 0x1a, 0xb3, 0x21, 0x0a, 0x02, + 0x75, 0x65, 0x73, 0x74, 0x2e, 0x56, 0x31, 0x52, 0x02, 0x76, 0x31, 0x1a, 0xd1, 0x22, 0x0a, 0x02, 0x56, 0x31, 0x12, 0x4c, 0x0a, 0x03, 0x73, 0x79, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x3a, 0x2e, 0x63, 0x68, 0x65, 0x66, 0x2e, 0x61, 0x75, 0x74, 0x6f, 0x6d, 0x61, 0x74, 0x65, 0x2e, 0x69, 0x6e, 0x66, 0x72, 0x61, 0x2e, 0x6c, 0x6f, 0x61, 0x64, 0x5f, 0x62, 0x61, 0x6c, 0x61, 0x6e, 
@@ -962,7 +978,7 @@ var file_config_load_balancer_config_request_proto_rawDesc = []byte{ 0x66, 0x72, 0x61, 0x2e, 0x6c, 0x6f, 0x61, 0x64, 0x5f, 0x62, 0x61, 0x6c, 0x61, 0x6e, 0x63, 0x65, 0x72, 0x2e, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x2e, 0x56, 0x31, 0x2e, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x52, 0x03, 0x73, 0x76, 0x63, 0x1a, - 0x84, 0x20, 0x0a, 0x06, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x12, 0x34, 0x0a, 0x04, 0x6d, 0x6c, + 0xa2, 0x21, 0x0a, 0x06, 0x53, 0x79, 0x73, 0x74, 0x65, 0x6d, 0x12, 0x34, 0x0a, 0x04, 0x6d, 0x6c, 0x73, 0x61, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x20, 0x2e, 0x63, 0x68, 0x65, 0x66, 0x2e, 0x61, 0x75, 0x74, 0x6f, 0x6d, 0x61, 0x74, 0x65, 0x2e, 0x69, 0x6e, 0x66, 0x72, 0x61, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x4d, 0x6c, 0x73, 0x61, 0x52, 0x04, 0x6d, 0x6c, 0x73, 0x61, @@ -1031,7 +1047,7 @@ var file_config_load_balancer_config_request_proto_rawDesc = []byte{ 0x72, 0x12, 0x32, 0x0a, 0x05, 0x6c, 0x65, 0x76, 0x65, 0x6c, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x53, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x05, - 0x6c, 0x65, 0x76, 0x65, 0x6c, 0x1a, 0xae, 0x17, 0x0a, 0x05, 0x4e, 0x67, 0x69, 0x6e, 0x78, 0x12, + 0x6c, 0x65, 0x76, 0x65, 0x6c, 0x1a, 0xcc, 0x18, 0x0a, 0x05, 0x4e, 0x67, 0x69, 0x6e, 0x78, 0x12, 0x59, 0x0a, 0x04, 0x6d, 0x61, 0x69, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x45, 0x2e, 0x63, 0x68, 0x65, 0x66, 0x2e, 0x61, 0x75, 0x74, 0x6f, 0x6d, 0x61, 0x74, 0x65, 0x2e, 0x69, 0x6e, 0x66, 0x72, 0x61, 0x2e, 0x6c, 0x6f, 0x61, 0x64, 0x5f, 0x62, 0x61, 0x6c, 0x61, 0x6e, 0x63, 0x65, 
@@ -1078,7 +1094,7 @@ var file_config_load_balancer_config_request_proto_rawDesc = []byte{ 0x6c, 0x74, 0x69, 0x5f, 0x61, 0x63, 0x63, 0x65, 0x70, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x53, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x0b, - 0x6d, 0x75, 0x6c, 0x74, 0x69, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x1a, 0xb0, 0x11, 0x0a, 0x04, + 0x6d, 0x75, 0x6c, 0x74, 0x69, 0x41, 0x63, 0x63, 0x65, 0x70, 0x74, 0x1a, 0xce, 0x12, 0x0a, 0x04, 0x48, 0x74, 0x74, 0x70, 0x12, 0x3b, 0x0a, 0x0a, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, 0x6c, 0x6f, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x53, 0x74, 0x72, 0x69, 0x6e, 
@@ -1204,28 +1220,37 @@ var file_config_load_balancer_config_request_proto_rawDesc = []byte{ 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, 0x1d, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x0f, 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, - 0x43, 0x73, 0x70, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x41, 0x0a, 0x0e, 0x69, 0x70, 0x76, - 0x36, 0x5f, 0x73, 0x75, 0x70, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x18, 0x18, 0x20, 0x01, 0x28, - 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, - 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x0d, 0x69, - 0x70, 0x76, 0x36, 0x53, 0x75, 0x70, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x12, 0x3d, 0x0a, 0x0c, - 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x5f, 0x70, 0x61, 0x72, 0x61, 0x6d, 0x18, 0x1e, 0x20, 0x01, - 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x0b, - 0x65, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x50, 0x61, 0x72, 0x61, 0x6d, 0x12, 0x51, 0x0a, 0x17, 0x69, - 0x6e, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x5f, 0x78, 0x5f, 0x66, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, - 0x65, 0x64, 0x5f, 0x66, 0x6f, 0x72, 0x18, 0x1f, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, - 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, - 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x14, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x64, - 0x65, 0x58, 0x46, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x65, 0x64, 0x46, 0x6f, 0x72, 0x1a, 0x06, - 0x0a, 0x04, 0x4d, 0x61, 0x69, 0x6c, 0x1a, 0x09, 0x0a, 0x07, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, - 0x65, 0x3a, 0x1c, 0xc2, 0xf3, 0x18, 0x18, 0x0a, 0x16, 0x61, 0x75, 0x74, 0x6f, 0x6d, 0x61, 0x74, - 0x65, 0x2d, 0x6c, 0x6f, 0x61, 0x64, 0x2d, 0x62, 
0x61, 0x6c, 0x61, 0x6e, 0x63, 0x65, 0x72, 0x4a, - 0x04, 0x08, 0x01, 0x10, 0x03, 0x42, 0x33, 0x5a, 0x31, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, - 0x63, 0x6f, 0x6d, 0x2f, 0x63, 0x68, 0x65, 0x66, 0x2f, 0x61, 0x75, 0x74, 0x6f, 0x6d, 0x61, 0x74, - 0x65, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2f, 0x6c, 0x6f, 0x61, - 0x64, 0x5f, 0x62, 0x61, 0x6c, 0x61, 0x6e, 0x63, 0x65, 0x72, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, - 0x6f, 0x33, + 0x43, 0x73, 0x70, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x46, 0x0a, 0x10, 0x78, 0x5f, 0x78, + 0x73, 0x73, 0x5f, 0x70, 0x72, 0x6f, 0x74, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x20, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, + 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x53, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x56, 0x61, 0x6c, 0x75, + 0x65, 0x52, 0x0e, 0x78, 0x58, 0x73, 0x73, 0x50, 0x72, 0x6f, 0x74, 0x65, 0x63, 0x74, 0x69, 0x6f, + 0x6e, 0x12, 0x54, 0x0a, 0x17, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x5f, 0x73, 0x65, 0x63, + 0x75, 0x72, 0x69, 0x74, 0x79, 0x5f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x18, 0x21, 0x20, 0x01, + 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x53, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x56, 0x61, 0x6c, 0x75, 0x65, + 0x52, 0x15, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x6e, 0x74, 0x53, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, + 0x79, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x41, 0x0a, 0x0e, 0x69, 0x70, 0x76, 0x36, 0x5f, + 0x73, 0x75, 0x70, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x18, 0x18, 0x20, 0x01, 0x28, 0x0b, 0x32, + 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, + 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x0d, 0x69, 0x70, 0x76, + 0x36, 0x53, 0x75, 0x70, 0x70, 0x6f, 0x72, 0x74, 0x65, 0x64, 0x12, 0x3d, 0x0a, 0x0c, 0x65, 0x6e, + 0x61, 0x62, 0x6c, 0x65, 0x5f, 0x70, 0x61, 0x72, 0x61, 0x6d, 0x18, 0x1e, 
0x20, 0x01, 0x28, 0x0b, + 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, + 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x0b, 0x65, 0x6e, + 0x61, 0x62, 0x6c, 0x65, 0x50, 0x61, 0x72, 0x61, 0x6d, 0x12, 0x51, 0x0a, 0x17, 0x69, 0x6e, 0x63, + 0x6c, 0x75, 0x64, 0x65, 0x5f, 0x78, 0x5f, 0x66, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x65, 0x64, + 0x5f, 0x66, 0x6f, 0x72, 0x18, 0x1f, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, + 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, + 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x14, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x58, + 0x46, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x65, 0x64, 0x46, 0x6f, 0x72, 0x1a, 0x06, 0x0a, 0x04, + 0x4d, 0x61, 0x69, 0x6c, 0x1a, 0x09, 0x0a, 0x07, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x3a, + 0x1c, 0xc2, 0xf3, 0x18, 0x18, 0x0a, 0x16, 0x61, 0x75, 0x74, 0x6f, 0x6d, 0x61, 0x74, 0x65, 0x2d, + 0x6c, 0x6f, 0x61, 0x64, 0x2d, 0x62, 0x61, 0x6c, 0x61, 0x6e, 0x63, 0x65, 0x72, 0x4a, 0x04, 0x08, + 0x01, 0x10, 0x03, 0x42, 0x33, 0x5a, 0x31, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, + 0x6d, 0x2f, 0x63, 0x68, 0x65, 0x66, 0x2f, 0x61, 0x75, 0x74, 0x6f, 0x6d, 0x61, 0x74, 0x65, 0x2f, + 0x61, 0x70, 0x69, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2f, 0x6c, 0x6f, 0x61, 0x64, 0x5f, + 0x62, 0x61, 0x6c, 0x61, 0x6e, 0x63, 0x65, 0x72, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( 
@@ -1317,14 +1342,16 @@ var file_config_load_balancer_config_request_proto_depIdxs = []int32{ 16, // 51: chef.automate.infra.load_balancer.ConfigRequest.V1.System.Nginx.Http.proxy_buffers:type_name -> google.protobuf.StringValue 16, // 52: chef.automate.infra.load_balancer.ConfigRequest.V1.System.Nginx.Http.proxy_busy_buffers_size:type_name -> google.protobuf.StringValue 18, // 53: chef.automate.infra.load_balancer.ConfigRequest.V1.System.Nginx.Http.enable_csp_header:type_name -> google.protobuf.BoolValue - 18, // 54: chef.automate.infra.load_balancer.ConfigRequest.V1.System.Nginx.Http.ipv6_supported:type_name -> google.protobuf.BoolValue - 18, // 55: chef.automate.infra.load_balancer.ConfigRequest.V1.System.Nginx.Http.enable_param:type_name -> google.protobuf.BoolValue - 18, // 56: chef.automate.infra.load_balancer.ConfigRequest.V1.System.Nginx.Http.include_x_forwarded_for:type_name -> google.protobuf.BoolValue - 57, // [57:57] is the sub-list for method output_type - 57, // [57:57] is the sub-list for method input_type - 57, // [57:57] is the sub-list for extension type_name - 57, // [57:57] is the sub-list for extension extendee - 0, // [0:57] is the sub-list for field type_name + 16, // 54: chef.automate.infra.load_balancer.ConfigRequest.V1.System.Nginx.Http.x_xss_protection:type_name -> google.protobuf.StringValue + 16, // 55: chef.automate.infra.load_balancer.ConfigRequest.V1.System.Nginx.Http.content_security_policy:type_name -> google.protobuf.StringValue + 18, // 56: chef.automate.infra.load_balancer.ConfigRequest.V1.System.Nginx.Http.ipv6_supported:type_name -> google.protobuf.BoolValue + 18, // 57: chef.automate.infra.load_balancer.ConfigRequest.V1.System.Nginx.Http.enable_param:type_name -> google.protobuf.BoolValue + 18, // 58: chef.automate.infra.load_balancer.ConfigRequest.V1.System.Nginx.Http.include_x_forwarded_for:type_name -> google.protobuf.BoolValue + 59, // [59:59] is the sub-list for method output_type + 59, // [59:59] is the sub-list for 
method input_type + 59, // [59:59] is the sub-list for extension type_name + 59, // [59:59] is the sub-list for extension extendee + 0, // [0:59] is the sub-list for field type_name } func init() { file_config_load_balancer_config_request_proto_init() }
diff --git a/api/config/load_balancer/config_request.proto b/api/config/load_balancer/config_request.proto
index 22e14d29c33..7a80d756dc9 100644
--- a/api/config/load_balancer/config_request.proto
+++ b/api/config/load_balancer/config_request.proto
@@ -99,6 +99,8 @@ message ConfigRequest {
 google.protobuf.StringValue proxy_buffers = 27;
 google.protobuf.StringValue proxy_busy_buffers_size = 28;
 google.protobuf.BoolValue enable_csp_header = 29;
+ google.protobuf.StringValue x_xss_protection = 32;
+ google.protobuf.StringValue content_security_policy = 33;
 // Auto-calculated
 google.protobuf.BoolValue ipv6_supported = 24;
 google.protobuf.BoolValue enable_param = 30;
diff --git a/api/config/shared/global.go b/api/config/shared/global.go
index 9adf550e000..f1450550ef3 100644
--- a/api/config/shared/global.go
+++ b/api/config/shared/global.go
@@ -61,6 +61,7 @@ func DefaultGlobalConfig() *GlobalConfig {
 Ngx: &Nginx{
 Http: &Http{
 IncludeXForwardedFor: w.Bool(false),
+ XXssProtection: w.String("1; mode=block"),
 },
 },
 },
diff --git a/api/config/shared/global.pb.go b/api/config/shared/global.pb.go
index cd92f3cc3d3..7360d5d206c 100644
--- a/api/config/shared/global.pb.go
+++ b/api/config/shared/global.pb.go
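Review bot: Because DefaultGlobalConfig now always sets a non-nil `XXssProtection`, the `!= nil` override added to both SetGlobalConfig implementations will presumably fire on every call. That makes the per-service defaults in builder_api_proxy and load_balancer redundant and, depending on merge order that this diff does not show, may overwrite a service-level `x_xss_protection` an operator set. If the global value is meant to win only when explicitly configured, drop the default here and keep it in the service packages. Otherwise keep one shared constant in place of the three copies of `"1; mode=block"`. Separately, current OWASP secure-headers guidance is to send `X-XSS-Protection: 0` and rely on Content-Security-Policy, since `1; mode=block` only affects legacy browser XSS filters, so the default deserves a comment giving the reason it was chosen. DefaultGlobalConfig starts and ends outside the hunk.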
@@ -900,8 +900,9 @@ func (x *Nginx) GetHttp() *Http { } type Http struct { - state protoimpl.MessageState `protogen:"open.v1"` - IncludeXForwardedFor *wrapperspb.BoolValue `protobuf:"bytes,1,opt,name=include_x_forwarded_for,json=includeXForwardedFor,proto3" json:"include_x_forwarded_for,omitempty" toml:"include_x_forwarded_for,omitempty" mapstructure:"include_x_forwarded_for,omitempty"` + state protoimpl.MessageState `protogen:"open.v1"` + IncludeXForwardedFor *wrapperspb.BoolValue `protobuf:"bytes,1,opt,name=include_x_forwarded_for,json=includeXForwardedFor,proto3" json:"include_x_forwarded_for,omitempty" toml:"include_x_forwarded_for,omitempty" mapstructure:"include_x_forwarded_for,omitempty"` + XXssProtection *wrapperspb.StringValue `protobuf:"bytes,2,opt,name=x_xss_protection,json=xXssProtection,proto3" json:"x_xss_protection,omitempty" toml:"x_xss_protection,omitempty" mapstructure:"x_xss_protection,omitempty"` unknownFields protoimpl.UnknownFields sizeCache protoimpl.SizeCache } @@ -943,6 +944,13 @@ func (x *Http) GetIncludeXForwardedFor() *wrapperspb.BoolValue { return nil } +func (x *Http) GetXXssProtection() *wrapperspb.StringValue { + if x != nil { + return x.XXssProtection + } + return nil +} + type V1_System struct { state protoimpl.MessageState `protogen:"open.v1"` Tls *TLSCredentials `protobuf:"bytes,1,opt,name=tls,proto3" json:"tls,omitempty" toml:"tls,omitempty" mapstructure:"tls,omitempty"` 
@@ -4863,15 +4871,20 @@ var file_config_shared_global_proto_rawDesc = []byte{ 0x70, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x20, 0x2e, 0x63, 0x68, 0x65, 0x66, 0x2e, 0x61, 0x75, 0x74, 0x6f, 0x6d, 0x61, 0x74, 0x65, 0x2e, 0x69, 0x6e, 0x66, 0x72, 0x61, 0x2e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2e, 0x48, 0x74, 0x74, 0x70, 0x52, 0x04, 0x68, 0x74, 0x74, 0x70, 0x22, - 0x59, 0x0a, 0x04, 0x48, 0x74, 0x74, 0x70, 0x12, 0x51, 0x0a, 0x17, 0x69, 0x6e, 0x63, 0x6c, 0x75, - 0x64, 0x65, 0x5f, 0x78, 0x5f, 0x66, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x65, 0x64, 0x5f, 0x66, - 0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, - 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, 0x56, - 0x61, 0x6c, 0x75, 0x65, 0x52, 0x14, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x58, 0x46, 0x6f, - 0x72, 0x77, 0x61, 0x72, 0x64, 0x65, 0x64, 0x46, 0x6f, 0x72, 0x42, 0x2c, 0x5a, 0x2a, 0x67, 0x69, - 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x63, 0x68, 0x65, 0x66, 0x2f, 0x61, 0x75, - 0x74, 0x6f, 0x6d, 0x61, 0x74, 0x65, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, - 0x67, 0x2f, 0x73, 0x68, 0x61, 0x72, 0x65, 0x64, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0xa1, 0x01, 0x0a, 0x04, 0x48, 0x74, 0x74, 0x70, 0x12, 0x51, 0x0a, 0x17, 0x69, 0x6e, 0x63, 0x6c, + 0x75, 0x64, 0x65, 0x5f, 0x78, 0x5f, 0x66, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x65, 0x64, 0x5f, + 0x66, 0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, 0x6f, 0x67, + 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, 0x6f, 0x6c, + 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x14, 0x69, 0x6e, 0x63, 0x6c, 0x75, 0x64, 0x65, 0x58, 0x46, + 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x65, 0x64, 0x46, 0x6f, 0x72, 0x12, 0x46, 0x0a, 0x10, 0x78, + 0x5f, 0x78, 0x73, 0x73, 0x5f, 0x70, 0x72, 0x6f, 0x74, 0x65, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18, + 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x67, 0x6f, 
0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x53, 0x74, 0x72, 0x69, 0x6e, 0x67, 0x56, 0x61, + 0x6c, 0x75, 0x65, 0x52, 0x0e, 0x78, 0x58, 0x73, 0x73, 0x50, 0x72, 0x6f, 0x74, 0x65, 0x63, 0x74, + 0x69, 0x6f, 0x6e, 0x42, 0x2c, 0x5a, 0x2a, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, + 0x6d, 0x2f, 0x63, 0x68, 0x65, 0x66, 0x2f, 0x61, 0x75, 0x74, 0x6f, 0x6d, 0x61, 0x74, 0x65, 0x2f, + 0x61, 0x70, 0x69, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x2f, 0x73, 0x68, 0x61, 0x72, 0x65, + 0x64, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( 
@@ -5004,177 +5017,178 @@ var file_config_shared_global_proto_depIdxs = []int32{ 60, // 48: chef.automate.infra.config.LargeReporting.enable_large_reporting:type_name -> google.protobuf.BoolValue 13, // 49: chef.automate.infra.config.Nginx.http:type_name -> chef.automate.infra.config.Http 60, // 50: chef.automate.infra.config.Http.include_x_forwarded_for:type_name -> google.protobuf.BoolValue - 62, // 51: chef.automate.infra.config.V1.System.tls:type_name -> chef.automate.infra.config.TLSCredentials - 12, // 52: chef.automate.infra.config.V1.System.ngx:type_name -> chef.automate.infra.config.Nginx - 60, // 53: chef.automate.infra.config.External.Elasticsearch.enable:type_name -> google.protobuf.BoolValue - 58, // 54: chef.automate.infra.config.External.Elasticsearch.nodes:type_name -> google.protobuf.StringValue - 21, // 55: chef.automate.infra.config.External.Elasticsearch.backup:type_name -> chef.automate.infra.config.External.Elasticsearch.Backup - 22, // 56: chef.automate.infra.config.External.Elasticsearch.auth:type_name -> chef.automate.infra.config.External.Elasticsearch.Authentication - 23, // 57: chef.automate.infra.config.External.Elasticsearch.ssl:type_name -> chef.automate.infra.config.External.Elasticsearch.SSL - 60, // 58: chef.automate.infra.config.External.Opensearch.enable:type_name -> google.protobuf.BoolValue - 58, // 59: chef.automate.infra.config.External.Opensearch.nodes:type_name -> google.protobuf.StringValue - 30, // 60: chef.automate.infra.config.External.Opensearch.backup:type_name -> chef.automate.infra.config.External.Opensearch.Backup - 31, // 61: chef.automate.infra.config.External.Opensearch.auth:type_name -> chef.automate.infra.config.External.Opensearch.Authentication - 32, // 62: chef.automate.infra.config.External.Opensearch.ssl:type_name -> chef.automate.infra.config.External.Opensearch.SSL - 58, // 63: chef.automate.infra.config.External.Minio.endpoint:type_name -> google.protobuf.StringValue - 58, // 64: 
chef.automate.infra.config.External.Minio.root_user:type_name -> google.protobuf.StringValue - 58, // 65: chef.automate.infra.config.External.Minio.root_password:type_name -> google.protobuf.StringValue - 60, // 66: chef.automate.infra.config.External.Minio.enable_ssl:type_name -> google.protobuf.BoolValue - 58, // 67: chef.automate.infra.config.External.Minio.cert:type_name -> google.protobuf.StringValue - 61, // 68: chef.automate.infra.config.External.Minio.concurrent_open_search_requests:type_name -> google.protobuf.Int32Value - 61, // 69: chef.automate.infra.config.External.Minio.concurrent_minio_requests:type_name -> google.protobuf.Int32Value - 60, // 70: chef.automate.infra.config.External.Postgresql.enable:type_name -> google.protobuf.BoolValue - 58, // 71: chef.automate.infra.config.External.Postgresql.nodes:type_name -> google.protobuf.StringValue - 39, // 72: chef.automate.infra.config.External.Postgresql.backup:type_name -> chef.automate.infra.config.External.Postgresql.Backup - 40, // 73: chef.automate.infra.config.External.Postgresql.auth:type_name -> chef.automate.infra.config.External.Postgresql.Authentication - 41, // 74: chef.automate.infra.config.External.Postgresql.ssl:type_name -> chef.automate.infra.config.External.Postgresql.SSL - 60, // 75: chef.automate.infra.config.External.Automate.enable:type_name -> google.protobuf.BoolValue - 58, // 76: chef.automate.infra.config.External.Automate.node:type_name -> google.protobuf.StringValue - 44, // 77: chef.automate.infra.config.External.Automate.auth:type_name -> chef.automate.infra.config.External.Automate.Authentication - 45, // 78: chef.automate.infra.config.External.Automate.ssl:type_name -> chef.automate.infra.config.External.Automate.SSL - 60, // 79: chef.automate.infra.config.External.Elasticsearch.Backup.enable:type_name -> google.protobuf.BoolValue - 58, // 80: chef.automate.infra.config.External.Elasticsearch.Backup.location:type_name -> google.protobuf.StringValue - 24, // 81: 
chef.automate.infra.config.External.Elasticsearch.Backup.fs:type_name -> chef.automate.infra.config.External.Elasticsearch.Backup.FsSettings - 25, // 82: chef.automate.infra.config.External.Elasticsearch.Backup.s3:type_name -> chef.automate.infra.config.External.Elasticsearch.Backup.S3Settings - 26, // 83: chef.automate.infra.config.External.Elasticsearch.Backup.gcs:type_name -> chef.automate.infra.config.External.Elasticsearch.Backup.GCSSettings - 58, // 84: chef.automate.infra.config.External.Elasticsearch.Authentication.scheme:type_name -> google.protobuf.StringValue - 28, // 85: chef.automate.infra.config.External.Elasticsearch.Authentication.basic_auth:type_name -> chef.automate.infra.config.External.Elasticsearch.Authentication.BasicAuth - 29, // 86: chef.automate.infra.config.External.Elasticsearch.Authentication.aws_es:type_name -> chef.automate.infra.config.External.Elasticsearch.Authentication.AwsElasticsearchAuth - 58, // 87: chef.automate.infra.config.External.Elasticsearch.SSL.root_cert:type_name -> google.protobuf.StringValue - 58, // 88: chef.automate.infra.config.External.Elasticsearch.SSL.server_name:type_name -> google.protobuf.StringValue - 58, // 89: chef.automate.infra.config.External.Elasticsearch.SSL.root_cert_file:type_name -> google.protobuf.StringValue - 58, // 90: chef.automate.infra.config.External.Elasticsearch.Backup.FsSettings.path:type_name -> google.protobuf.StringValue - 27, // 91: chef.automate.infra.config.External.Elasticsearch.Backup.FsSettings.settings:type_name -> chef.automate.infra.config.External.Elasticsearch.Backup.FsSettings.OptionalSettings - 58, // 92: chef.automate.infra.config.External.Elasticsearch.Backup.S3Settings.bucket:type_name -> google.protobuf.StringValue - 58, // 93: chef.automate.infra.config.External.Elasticsearch.Backup.S3Settings.client:type_name -> google.protobuf.StringValue - 58, // 94: chef.automate.infra.config.External.Elasticsearch.Backup.S3Settings.base_path:type_name -> 
google.protobuf.StringValue - 50, // 95: chef.automate.infra.config.External.Elasticsearch.Backup.S3Settings.settings:type_name -> chef.automate.infra.config.Backups.S3.Elasticsearch - 58, // 96: chef.automate.infra.config.External.Elasticsearch.Backup.GCSSettings.bucket:type_name -> google.protobuf.StringValue - 58, // 97: chef.automate.infra.config.External.Elasticsearch.Backup.GCSSettings.client:type_name -> google.protobuf.StringValue - 58, // 98: chef.automate.infra.config.External.Elasticsearch.Backup.GCSSettings.base_path:type_name -> google.protobuf.StringValue - 55, // 99: chef.automate.infra.config.External.Elasticsearch.Backup.GCSSettings.settings:type_name -> chef.automate.infra.config.Backups.GCS.Elasticsearch - 58, // 100: chef.automate.infra.config.External.Elasticsearch.Backup.FsSettings.OptionalSettings.max_snapshot_bytes_per_sec:type_name -> google.protobuf.StringValue - 58, // 101: chef.automate.infra.config.External.Elasticsearch.Backup.FsSettings.OptionalSettings.max_restore_bytes_per_sec:type_name -> google.protobuf.StringValue - 58, // 102: chef.automate.infra.config.External.Elasticsearch.Authentication.BasicAuth.username:type_name -> google.protobuf.StringValue - 58, // 103: chef.automate.infra.config.External.Elasticsearch.Authentication.BasicAuth.password:type_name -> google.protobuf.StringValue - 58, // 104: chef.automate.infra.config.External.Elasticsearch.Authentication.AwsElasticsearchAuth.username:type_name -> google.protobuf.StringValue - 58, // 105: chef.automate.infra.config.External.Elasticsearch.Authentication.AwsElasticsearchAuth.password:type_name -> google.protobuf.StringValue - 58, // 106: chef.automate.infra.config.External.Elasticsearch.Authentication.AwsElasticsearchAuth.access_key:type_name -> google.protobuf.StringValue - 58, // 107: chef.automate.infra.config.External.Elasticsearch.Authentication.AwsElasticsearchAuth.secret_key:type_name -> google.protobuf.StringValue - 60, // 108: 
chef.automate.infra.config.External.Opensearch.Backup.enable:type_name -> google.protobuf.BoolValue - 58, // 109: chef.automate.infra.config.External.Opensearch.Backup.location:type_name -> google.protobuf.StringValue - 33, // 110: chef.automate.infra.config.External.Opensearch.Backup.fs:type_name -> chef.automate.infra.config.External.Opensearch.Backup.FsSettings - 34, // 111: chef.automate.infra.config.External.Opensearch.Backup.s3:type_name -> chef.automate.infra.config.External.Opensearch.Backup.S3Settings - 35, // 112: chef.automate.infra.config.External.Opensearch.Backup.gcs:type_name -> chef.automate.infra.config.External.Opensearch.Backup.GCSSettings - 58, // 113: chef.automate.infra.config.External.Opensearch.Authentication.scheme:type_name -> google.protobuf.StringValue - 37, // 114: chef.automate.infra.config.External.Opensearch.Authentication.basic_auth:type_name -> chef.automate.infra.config.External.Opensearch.Authentication.BasicAuth - 38, // 115: chef.automate.infra.config.External.Opensearch.Authentication.aws_os:type_name -> chef.automate.infra.config.External.Opensearch.Authentication.AwsOpensearchAuth - 58, // 116: chef.automate.infra.config.External.Opensearch.SSL.root_cert:type_name -> google.protobuf.StringValue - 58, // 117: chef.automate.infra.config.External.Opensearch.SSL.server_name:type_name -> google.protobuf.StringValue - 58, // 118: chef.automate.infra.config.External.Opensearch.SSL.root_cert_file:type_name -> google.protobuf.StringValue - 58, // 119: chef.automate.infra.config.External.Opensearch.Backup.FsSettings.path:type_name -> google.protobuf.StringValue - 36, // 120: chef.automate.infra.config.External.Opensearch.Backup.FsSettings.settings:type_name -> chef.automate.infra.config.External.Opensearch.Backup.FsSettings.OptionalSettings - 58, // 121: chef.automate.infra.config.External.Opensearch.Backup.S3Settings.bucket:type_name -> google.protobuf.StringValue - 58, // 122: 
chef.automate.infra.config.External.Opensearch.Backup.S3Settings.client:type_name -> google.protobuf.StringValue - 58, // 123: chef.automate.infra.config.External.Opensearch.Backup.S3Settings.base_path:type_name -> google.protobuf.StringValue - 51, // 124: chef.automate.infra.config.External.Opensearch.Backup.S3Settings.settings:type_name -> chef.automate.infra.config.Backups.S3.Opensearch - 58, // 125: chef.automate.infra.config.External.Opensearch.Backup.GCSSettings.bucket:type_name -> google.protobuf.StringValue - 58, // 126: chef.automate.infra.config.External.Opensearch.Backup.GCSSettings.client:type_name -> google.protobuf.StringValue - 58, // 127: chef.automate.infra.config.External.Opensearch.Backup.GCSSettings.base_path:type_name -> google.protobuf.StringValue - 56, // 128: chef.automate.infra.config.External.Opensearch.Backup.GCSSettings.settings:type_name -> chef.automate.infra.config.Backups.GCS.Opensearch - 58, // 129: chef.automate.infra.config.External.Opensearch.Backup.FsSettings.OptionalSettings.max_snapshot_bytes_per_sec:type_name -> google.protobuf.StringValue - 58, // 130: chef.automate.infra.config.External.Opensearch.Backup.FsSettings.OptionalSettings.max_restore_bytes_per_sec:type_name -> google.protobuf.StringValue - 58, // 131: chef.automate.infra.config.External.Opensearch.Authentication.BasicAuth.username:type_name -> google.protobuf.StringValue - 58, // 132: chef.automate.infra.config.External.Opensearch.Authentication.BasicAuth.password:type_name -> google.protobuf.StringValue - 58, // 133: chef.automate.infra.config.External.Opensearch.Authentication.AwsOpensearchAuth.username:type_name -> google.protobuf.StringValue - 58, // 134: chef.automate.infra.config.External.Opensearch.Authentication.AwsOpensearchAuth.password:type_name -> google.protobuf.StringValue - 58, // 135: chef.automate.infra.config.External.Opensearch.Authentication.AwsOpensearchAuth.access_key:type_name -> google.protobuf.StringValue - 58, // 136: 
chef.automate.infra.config.External.Opensearch.Authentication.AwsOpensearchAuth.secret_key:type_name -> google.protobuf.StringValue - 60, // 137: chef.automate.infra.config.External.Postgresql.Backup.enable:type_name -> google.protobuf.BoolValue - 58, // 138: chef.automate.infra.config.External.Postgresql.Authentication.scheme:type_name -> google.protobuf.StringValue - 42, // 139: chef.automate.infra.config.External.Postgresql.Authentication.password:type_name -> chef.automate.infra.config.External.Postgresql.Authentication.PasswordAuthentication - 58, // 140: chef.automate.infra.config.External.Postgresql.SSL.mode:type_name -> google.protobuf.StringValue - 58, // 141: chef.automate.infra.config.External.Postgresql.SSL.cert:type_name -> google.protobuf.StringValue - 58, // 142: chef.automate.infra.config.External.Postgresql.SSL.key:type_name -> google.protobuf.StringValue - 58, // 143: chef.automate.infra.config.External.Postgresql.SSL.root_cert:type_name -> google.protobuf.StringValue - 60, // 144: chef.automate.infra.config.External.Postgresql.SSL.enable:type_name -> google.protobuf.BoolValue - 43, // 145: chef.automate.infra.config.External.Postgresql.Authentication.PasswordAuthentication.superuser:type_name -> chef.automate.infra.config.External.Postgresql.Authentication.PasswordAuthentication.User - 43, // 146: chef.automate.infra.config.External.Postgresql.Authentication.PasswordAuthentication.dbuser:type_name -> chef.automate.infra.config.External.Postgresql.Authentication.PasswordAuthentication.User - 58, // 147: chef.automate.infra.config.External.Postgresql.Authentication.PasswordAuthentication.User.username:type_name -> google.protobuf.StringValue - 58, // 148: chef.automate.infra.config.External.Postgresql.Authentication.PasswordAuthentication.User.password:type_name -> google.protobuf.StringValue - 58, // 149: chef.automate.infra.config.External.Automate.Authentication.scheme:type_name -> google.protobuf.StringValue - 58, // 150: 
chef.automate.infra.config.External.Automate.Authentication.token:type_name -> google.protobuf.StringValue - 58, // 151: chef.automate.infra.config.External.Automate.SSL.root_cert:type_name -> google.protobuf.StringValue - 58, // 152: chef.automate.infra.config.External.Automate.SSL.server_name:type_name -> google.protobuf.StringValue - 58, // 153: chef.automate.infra.config.Backups.Filesystem.path:type_name -> google.protobuf.StringValue - 58, // 154: chef.automate.infra.config.Backups.Filesystem.es_max_snapshot_bytes_per_sec:type_name -> google.protobuf.StringValue - 58, // 155: chef.automate.infra.config.Backups.Filesystem.es_max_restore_bytes_per_sec:type_name -> google.protobuf.StringValue - 49, // 156: chef.automate.infra.config.Backups.S3.credentials:type_name -> chef.automate.infra.config.Backups.S3.AWSCredentials - 50, // 157: chef.automate.infra.config.Backups.S3.es:type_name -> chef.automate.infra.config.Backups.S3.Elasticsearch - 52, // 158: chef.automate.infra.config.Backups.S3.bucket:type_name -> chef.automate.infra.config.Backups.S3.Bucket - 53, // 159: chef.automate.infra.config.Backups.S3.ssl:type_name -> chef.automate.infra.config.Backups.S3.SSL - 51, // 160: chef.automate.infra.config.Backups.S3.os:type_name -> chef.automate.infra.config.Backups.S3.Opensearch - 54, // 161: chef.automate.infra.config.Backups.GCS.credentials:type_name -> chef.automate.infra.config.Backups.GCS.GCPCredentials - 55, // 162: chef.automate.infra.config.Backups.GCS.es:type_name -> chef.automate.infra.config.Backups.GCS.Elasticsearch - 57, // 163: chef.automate.infra.config.Backups.GCS.bucket:type_name -> chef.automate.infra.config.Backups.GCS.Bucket - 56, // 164: chef.automate.infra.config.Backups.GCS.os:type_name -> chef.automate.infra.config.Backups.GCS.Opensearch - 58, // 165: chef.automate.infra.config.Backups.S3.AWSCredentials.access_key:type_name -> google.protobuf.StringValue - 58, // 166: chef.automate.infra.config.Backups.S3.AWSCredentials.secret_key:type_name 
-> google.protobuf.StringValue - 58, // 167: chef.automate.infra.config.Backups.S3.AWSCredentials.session_token:type_name -> google.protobuf.StringValue - 60, // 168: chef.automate.infra.config.Backups.S3.Elasticsearch.compress:type_name -> google.protobuf.BoolValue - 60, // 169: chef.automate.infra.config.Backups.S3.Elasticsearch.server_side_encryption:type_name -> google.protobuf.BoolValue - 58, // 170: chef.automate.infra.config.Backups.S3.Elasticsearch.buffer_size:type_name -> google.protobuf.StringValue - 58, // 171: chef.automate.infra.config.Backups.S3.Elasticsearch.canned_acl:type_name -> google.protobuf.StringValue - 58, // 172: chef.automate.infra.config.Backups.S3.Elasticsearch.storage_class:type_name -> google.protobuf.StringValue - 58, // 173: chef.automate.infra.config.Backups.S3.Elasticsearch.max_snapshot_bytes_per_sec:type_name -> google.protobuf.StringValue - 58, // 174: chef.automate.infra.config.Backups.S3.Elasticsearch.max_restore_bytes_per_sec:type_name -> google.protobuf.StringValue - 58, // 175: chef.automate.infra.config.Backups.S3.Elasticsearch.chunk_size:type_name -> google.protobuf.StringValue - 58, // 176: chef.automate.infra.config.Backups.S3.Elasticsearch.read_timeout:type_name -> google.protobuf.StringValue - 61, // 177: chef.automate.infra.config.Backups.S3.Elasticsearch.max_retries:type_name -> google.protobuf.Int32Value - 60, // 178: chef.automate.infra.config.Backups.S3.Elasticsearch.use_throttle_retries:type_name -> google.protobuf.BoolValue - 58, // 179: chef.automate.infra.config.Backups.S3.Elasticsearch.protocol:type_name -> google.protobuf.StringValue - 58, // 180: chef.automate.infra.config.Backups.S3.Elasticsearch.region:type_name -> google.protobuf.StringValue - 58, // 181: chef.automate.infra.config.Backups.S3.Elasticsearch.role_arn:type_name -> google.protobuf.StringValue - 60, // 182: chef.automate.infra.config.Backups.S3.Opensearch.compress:type_name -> google.protobuf.BoolValue - 60, // 183: 
chef.automate.infra.config.Backups.S3.Opensearch.server_side_encryption:type_name -> google.protobuf.BoolValue - 58, // 184: chef.automate.infra.config.Backups.S3.Opensearch.buffer_size:type_name -> google.protobuf.StringValue - 58, // 185: chef.automate.infra.config.Backups.S3.Opensearch.canned_acl:type_name -> google.protobuf.StringValue - 58, // 186: chef.automate.infra.config.Backups.S3.Opensearch.storage_class:type_name -> google.protobuf.StringValue - 58, // 187: chef.automate.infra.config.Backups.S3.Opensearch.max_snapshot_bytes_per_sec:type_name -> google.protobuf.StringValue - 58, // 188: chef.automate.infra.config.Backups.S3.Opensearch.max_restore_bytes_per_sec:type_name -> google.protobuf.StringValue - 58, // 189: chef.automate.infra.config.Backups.S3.Opensearch.chunk_size:type_name -> google.protobuf.StringValue - 58, // 190: chef.automate.infra.config.Backups.S3.Opensearch.read_timeout:type_name -> google.protobuf.StringValue - 61, // 191: chef.automate.infra.config.Backups.S3.Opensearch.max_retries:type_name -> google.protobuf.Int32Value - 60, // 192: chef.automate.infra.config.Backups.S3.Opensearch.use_throttle_retries:type_name -> google.protobuf.BoolValue - 58, // 193: chef.automate.infra.config.Backups.S3.Opensearch.protocol:type_name -> google.protobuf.StringValue - 58, // 194: chef.automate.infra.config.Backups.S3.Opensearch.region:type_name -> google.protobuf.StringValue - 58, // 195: chef.automate.infra.config.Backups.S3.Opensearch.role_arn:type_name -> google.protobuf.StringValue - 58, // 196: chef.automate.infra.config.Backups.S3.Bucket.endpoint:type_name -> google.protobuf.StringValue - 58, // 197: chef.automate.infra.config.Backups.S3.Bucket.base_path:type_name -> google.protobuf.StringValue - 58, // 198: chef.automate.infra.config.Backups.S3.Bucket.name:type_name -> google.protobuf.StringValue - 58, // 199: chef.automate.infra.config.Backups.S3.SSL.root_cert:type_name -> google.protobuf.StringValue - 58, // 200: 
chef.automate.infra.config.Backups.GCS.GCPCredentials.json:type_name -> google.protobuf.StringValue - 60, // 201: chef.automate.infra.config.Backups.GCS.Elasticsearch.compress:type_name -> google.protobuf.BoolValue - 60, // 202: chef.automate.infra.config.Backups.GCS.Elasticsearch.application_name:type_name -> google.protobuf.BoolValue - 58, // 203: chef.automate.infra.config.Backups.GCS.Elasticsearch.max_snapshot_bytes_per_sec:type_name -> google.protobuf.StringValue - 58, // 204: chef.automate.infra.config.Backups.GCS.Elasticsearch.max_restore_bytes_per_sec:type_name -> google.protobuf.StringValue - 58, // 205: chef.automate.infra.config.Backups.GCS.Elasticsearch.chunk_size:type_name -> google.protobuf.StringValue - 58, // 206: chef.automate.infra.config.Backups.GCS.Elasticsearch.read_timeout:type_name -> google.protobuf.StringValue - 60, // 207: chef.automate.infra.config.Backups.GCS.Elasticsearch.connect_timeout:type_name -> google.protobuf.BoolValue - 60, // 208: chef.automate.infra.config.Backups.GCS.Opensearch.compress:type_name -> google.protobuf.BoolValue - 60, // 209: chef.automate.infra.config.Backups.GCS.Opensearch.application_name:type_name -> google.protobuf.BoolValue - 58, // 210: chef.automate.infra.config.Backups.GCS.Opensearch.max_snapshot_bytes_per_sec:type_name -> google.protobuf.StringValue - 58, // 211: chef.automate.infra.config.Backups.GCS.Opensearch.max_restore_bytes_per_sec:type_name -> google.protobuf.StringValue - 58, // 212: chef.automate.infra.config.Backups.GCS.Opensearch.chunk_size:type_name -> google.protobuf.StringValue - 58, // 213: chef.automate.infra.config.Backups.GCS.Opensearch.read_timeout:type_name -> google.protobuf.StringValue - 60, // 214: chef.automate.infra.config.Backups.GCS.Opensearch.connect_timeout:type_name -> google.protobuf.BoolValue - 58, // 215: chef.automate.infra.config.Backups.GCS.Bucket.base_path:type_name -> google.protobuf.StringValue - 58, // 216: 
chef.automate.infra.config.Backups.GCS.Bucket.name:type_name -> google.protobuf.StringValue - 217, // [217:217] is the sub-list for method output_type - 217, // [217:217] is the sub-list for method input_type - 217, // [217:217] is the sub-list for extension type_name - 217, // [217:217] is the sub-list for extension extendee - 0, // [0:217] is the sub-list for field type_name + 58, // 51: chef.automate.infra.config.Http.x_xss_protection:type_name -> google.protobuf.StringValue + 62, // 52: chef.automate.infra.config.V1.System.tls:type_name -> chef.automate.infra.config.TLSCredentials + 12, // 53: chef.automate.infra.config.V1.System.ngx:type_name -> chef.automate.infra.config.Nginx + 60, // 54: chef.automate.infra.config.External.Elasticsearch.enable:type_name -> google.protobuf.BoolValue + 58, // 55: chef.automate.infra.config.External.Elasticsearch.nodes:type_name -> google.protobuf.StringValue + 21, // 56: chef.automate.infra.config.External.Elasticsearch.backup:type_name -> chef.automate.infra.config.External.Elasticsearch.Backup + 22, // 57: chef.automate.infra.config.External.Elasticsearch.auth:type_name -> chef.automate.infra.config.External.Elasticsearch.Authentication + 23, // 58: chef.automate.infra.config.External.Elasticsearch.ssl:type_name -> chef.automate.infra.config.External.Elasticsearch.SSL + 60, // 59: chef.automate.infra.config.External.Opensearch.enable:type_name -> google.protobuf.BoolValue + 58, // 60: chef.automate.infra.config.External.Opensearch.nodes:type_name -> google.protobuf.StringValue + 30, // 61: chef.automate.infra.config.External.Opensearch.backup:type_name -> chef.automate.infra.config.External.Opensearch.Backup + 31, // 62: chef.automate.infra.config.External.Opensearch.auth:type_name -> chef.automate.infra.config.External.Opensearch.Authentication + 32, // 63: chef.automate.infra.config.External.Opensearch.ssl:type_name -> chef.automate.infra.config.External.Opensearch.SSL + 58, // 64: 
chef.automate.infra.config.External.Minio.endpoint:type_name -> google.protobuf.StringValue + 58, // 65: chef.automate.infra.config.External.Minio.root_user:type_name -> google.protobuf.StringValue + 58, // 66: chef.automate.infra.config.External.Minio.root_password:type_name -> google.protobuf.StringValue + 60, // 67: chef.automate.infra.config.External.Minio.enable_ssl:type_name -> google.protobuf.BoolValue + 58, // 68: chef.automate.infra.config.External.Minio.cert:type_name -> google.protobuf.StringValue + 61, // 69: chef.automate.infra.config.External.Minio.concurrent_open_search_requests:type_name -> google.protobuf.Int32Value + 61, // 70: chef.automate.infra.config.External.Minio.concurrent_minio_requests:type_name -> google.protobuf.Int32Value + 60, // 71: chef.automate.infra.config.External.Postgresql.enable:type_name -> google.protobuf.BoolValue + 58, // 72: chef.automate.infra.config.External.Postgresql.nodes:type_name -> google.protobuf.StringValue + 39, // 73: chef.automate.infra.config.External.Postgresql.backup:type_name -> chef.automate.infra.config.External.Postgresql.Backup + 40, // 74: chef.automate.infra.config.External.Postgresql.auth:type_name -> chef.automate.infra.config.External.Postgresql.Authentication + 41, // 75: chef.automate.infra.config.External.Postgresql.ssl:type_name -> chef.automate.infra.config.External.Postgresql.SSL + 60, // 76: chef.automate.infra.config.External.Automate.enable:type_name -> google.protobuf.BoolValue + 58, // 77: chef.automate.infra.config.External.Automate.node:type_name -> google.protobuf.StringValue + 44, // 78: chef.automate.infra.config.External.Automate.auth:type_name -> chef.automate.infra.config.External.Automate.Authentication + 45, // 79: chef.automate.infra.config.External.Automate.ssl:type_name -> chef.automate.infra.config.External.Automate.SSL + 60, // 80: chef.automate.infra.config.External.Elasticsearch.Backup.enable:type_name -> google.protobuf.BoolValue + 58, // 81: 
chef.automate.infra.config.External.Elasticsearch.Backup.location:type_name -> google.protobuf.StringValue + 24, // 82: chef.automate.infra.config.External.Elasticsearch.Backup.fs:type_name -> chef.automate.infra.config.External.Elasticsearch.Backup.FsSettings + 25, // 83: chef.automate.infra.config.External.Elasticsearch.Backup.s3:type_name -> chef.automate.infra.config.External.Elasticsearch.Backup.S3Settings + 26, // 84: chef.automate.infra.config.External.Elasticsearch.Backup.gcs:type_name -> chef.automate.infra.config.External.Elasticsearch.Backup.GCSSettings + 58, // 85: chef.automate.infra.config.External.Elasticsearch.Authentication.scheme:type_name -> google.protobuf.StringValue + 28, // 86: chef.automate.infra.config.External.Elasticsearch.Authentication.basic_auth:type_name -> chef.automate.infra.config.External.Elasticsearch.Authentication.BasicAuth + 29, // 87: chef.automate.infra.config.External.Elasticsearch.Authentication.aws_es:type_name -> chef.automate.infra.config.External.Elasticsearch.Authentication.AwsElasticsearchAuth + 58, // 88: chef.automate.infra.config.External.Elasticsearch.SSL.root_cert:type_name -> google.protobuf.StringValue + 58, // 89: chef.automate.infra.config.External.Elasticsearch.SSL.server_name:type_name -> google.protobuf.StringValue + 58, // 90: chef.automate.infra.config.External.Elasticsearch.SSL.root_cert_file:type_name -> google.protobuf.StringValue + 58, // 91: chef.automate.infra.config.External.Elasticsearch.Backup.FsSettings.path:type_name -> google.protobuf.StringValue + 27, // 92: chef.automate.infra.config.External.Elasticsearch.Backup.FsSettings.settings:type_name -> chef.automate.infra.config.External.Elasticsearch.Backup.FsSettings.OptionalSettings + 58, // 93: chef.automate.infra.config.External.Elasticsearch.Backup.S3Settings.bucket:type_name -> google.protobuf.StringValue + 58, // 94: chef.automate.infra.config.External.Elasticsearch.Backup.S3Settings.client:type_name -> google.protobuf.StringValue + 58, 
// 95: chef.automate.infra.config.External.Elasticsearch.Backup.S3Settings.base_path:type_name -> google.protobuf.StringValue + 50, // 96: chef.automate.infra.config.External.Elasticsearch.Backup.S3Settings.settings:type_name -> chef.automate.infra.config.Backups.S3.Elasticsearch + 58, // 97: chef.automate.infra.config.External.Elasticsearch.Backup.GCSSettings.bucket:type_name -> google.protobuf.StringValue + 58, // 98: chef.automate.infra.config.External.Elasticsearch.Backup.GCSSettings.client:type_name -> google.protobuf.StringValue + 58, // 99: chef.automate.infra.config.External.Elasticsearch.Backup.GCSSettings.base_path:type_name -> google.protobuf.StringValue + 55, // 100: chef.automate.infra.config.External.Elasticsearch.Backup.GCSSettings.settings:type_name -> chef.automate.infra.config.Backups.GCS.Elasticsearch + 58, // 101: chef.automate.infra.config.External.Elasticsearch.Backup.FsSettings.OptionalSettings.max_snapshot_bytes_per_sec:type_name -> google.protobuf.StringValue + 58, // 102: chef.automate.infra.config.External.Elasticsearch.Backup.FsSettings.OptionalSettings.max_restore_bytes_per_sec:type_name -> google.protobuf.StringValue + 58, // 103: chef.automate.infra.config.External.Elasticsearch.Authentication.BasicAuth.username:type_name -> google.protobuf.StringValue + 58, // 104: chef.automate.infra.config.External.Elasticsearch.Authentication.BasicAuth.password:type_name -> google.protobuf.StringValue + 58, // 105: chef.automate.infra.config.External.Elasticsearch.Authentication.AwsElasticsearchAuth.username:type_name -> google.protobuf.StringValue + 58, // 106: chef.automate.infra.config.External.Elasticsearch.Authentication.AwsElasticsearchAuth.password:type_name -> google.protobuf.StringValue + 58, // 107: chef.automate.infra.config.External.Elasticsearch.Authentication.AwsElasticsearchAuth.access_key:type_name -> google.protobuf.StringValue + 58, // 108: 
chef.automate.infra.config.External.Elasticsearch.Authentication.AwsElasticsearchAuth.secret_key:type_name -> google.protobuf.StringValue + 60, // 109: chef.automate.infra.config.External.Opensearch.Backup.enable:type_name -> google.protobuf.BoolValue + 58, // 110: chef.automate.infra.config.External.Opensearch.Backup.location:type_name -> google.protobuf.StringValue + 33, // 111: chef.automate.infra.config.External.Opensearch.Backup.fs:type_name -> chef.automate.infra.config.External.Opensearch.Backup.FsSettings + 34, // 112: chef.automate.infra.config.External.Opensearch.Backup.s3:type_name -> chef.automate.infra.config.External.Opensearch.Backup.S3Settings + 35, // 113: chef.automate.infra.config.External.Opensearch.Backup.gcs:type_name -> chef.automate.infra.config.External.Opensearch.Backup.GCSSettings + 58, // 114: chef.automate.infra.config.External.Opensearch.Authentication.scheme:type_name -> google.protobuf.StringValue + 37, // 115: chef.automate.infra.config.External.Opensearch.Authentication.basic_auth:type_name -> chef.automate.infra.config.External.Opensearch.Authentication.BasicAuth + 38, // 116: chef.automate.infra.config.External.Opensearch.Authentication.aws_os:type_name -> chef.automate.infra.config.External.Opensearch.Authentication.AwsOpensearchAuth + 58, // 117: chef.automate.infra.config.External.Opensearch.SSL.root_cert:type_name -> google.protobuf.StringValue + 58, // 118: chef.automate.infra.config.External.Opensearch.SSL.server_name:type_name -> google.protobuf.StringValue + 58, // 119: chef.automate.infra.config.External.Opensearch.SSL.root_cert_file:type_name -> google.protobuf.StringValue + 58, // 120: chef.automate.infra.config.External.Opensearch.Backup.FsSettings.path:type_name -> google.protobuf.StringValue + 36, // 121: chef.automate.infra.config.External.Opensearch.Backup.FsSettings.settings:type_name -> chef.automate.infra.config.External.Opensearch.Backup.FsSettings.OptionalSettings + 58, // 122: 
chef.automate.infra.config.External.Opensearch.Backup.S3Settings.bucket:type_name -> google.protobuf.StringValue + 58, // 123: chef.automate.infra.config.External.Opensearch.Backup.S3Settings.client:type_name -> google.protobuf.StringValue + 58, // 124: chef.automate.infra.config.External.Opensearch.Backup.S3Settings.base_path:type_name -> google.protobuf.StringValue + 51, // 125: chef.automate.infra.config.External.Opensearch.Backup.S3Settings.settings:type_name -> chef.automate.infra.config.Backups.S3.Opensearch + 58, // 126: chef.automate.infra.config.External.Opensearch.Backup.GCSSettings.bucket:type_name -> google.protobuf.StringValue + 58, // 127: chef.automate.infra.config.External.Opensearch.Backup.GCSSettings.client:type_name -> google.protobuf.StringValue + 58, // 128: chef.automate.infra.config.External.Opensearch.Backup.GCSSettings.base_path:type_name -> google.protobuf.StringValue + 56, // 129: chef.automate.infra.config.External.Opensearch.Backup.GCSSettings.settings:type_name -> chef.automate.infra.config.Backups.GCS.Opensearch + 58, // 130: chef.automate.infra.config.External.Opensearch.Backup.FsSettings.OptionalSettings.max_snapshot_bytes_per_sec:type_name -> google.protobuf.StringValue + 58, // 131: chef.automate.infra.config.External.Opensearch.Backup.FsSettings.OptionalSettings.max_restore_bytes_per_sec:type_name -> google.protobuf.StringValue + 58, // 132: chef.automate.infra.config.External.Opensearch.Authentication.BasicAuth.username:type_name -> google.protobuf.StringValue + 58, // 133: chef.automate.infra.config.External.Opensearch.Authentication.BasicAuth.password:type_name -> google.protobuf.StringValue + 58, // 134: chef.automate.infra.config.External.Opensearch.Authentication.AwsOpensearchAuth.username:type_name -> google.protobuf.StringValue + 58, // 135: chef.automate.infra.config.External.Opensearch.Authentication.AwsOpensearchAuth.password:type_name -> google.protobuf.StringValue + 58, // 136: 
chef.automate.infra.config.External.Opensearch.Authentication.AwsOpensearchAuth.access_key:type_name -> google.protobuf.StringValue + 58, // 137: chef.automate.infra.config.External.Opensearch.Authentication.AwsOpensearchAuth.secret_key:type_name -> google.protobuf.StringValue + 60, // 138: chef.automate.infra.config.External.Postgresql.Backup.enable:type_name -> google.protobuf.BoolValue + 58, // 139: chef.automate.infra.config.External.Postgresql.Authentication.scheme:type_name -> google.protobuf.StringValue + 42, // 140: chef.automate.infra.config.External.Postgresql.Authentication.password:type_name -> chef.automate.infra.config.External.Postgresql.Authentication.PasswordAuthentication + 58, // 141: chef.automate.infra.config.External.Postgresql.SSL.mode:type_name -> google.protobuf.StringValue + 58, // 142: chef.automate.infra.config.External.Postgresql.SSL.cert:type_name -> google.protobuf.StringValue + 58, // 143: chef.automate.infra.config.External.Postgresql.SSL.key:type_name -> google.protobuf.StringValue + 58, // 144: chef.automate.infra.config.External.Postgresql.SSL.root_cert:type_name -> google.protobuf.StringValue + 60, // 145: chef.automate.infra.config.External.Postgresql.SSL.enable:type_name -> google.protobuf.BoolValue + 43, // 146: chef.automate.infra.config.External.Postgresql.Authentication.PasswordAuthentication.superuser:type_name -> chef.automate.infra.config.External.Postgresql.Authentication.PasswordAuthentication.User + 43, // 147: chef.automate.infra.config.External.Postgresql.Authentication.PasswordAuthentication.dbuser:type_name -> chef.automate.infra.config.External.Postgresql.Authentication.PasswordAuthentication.User + 58, // 148: chef.automate.infra.config.External.Postgresql.Authentication.PasswordAuthentication.User.username:type_name -> google.protobuf.StringValue + 58, // 149: chef.automate.infra.config.External.Postgresql.Authentication.PasswordAuthentication.User.password:type_name -> google.protobuf.StringValue + 58, // 
150: chef.automate.infra.config.External.Automate.Authentication.scheme:type_name -> google.protobuf.StringValue + 58, // 151: chef.automate.infra.config.External.Automate.Authentication.token:type_name -> google.protobuf.StringValue + 58, // 152: chef.automate.infra.config.External.Automate.SSL.root_cert:type_name -> google.protobuf.StringValue + 58, // 153: chef.automate.infra.config.External.Automate.SSL.server_name:type_name -> google.protobuf.StringValue + 58, // 154: chef.automate.infra.config.Backups.Filesystem.path:type_name -> google.protobuf.StringValue + 58, // 155: chef.automate.infra.config.Backups.Filesystem.es_max_snapshot_bytes_per_sec:type_name -> google.protobuf.StringValue + 58, // 156: chef.automate.infra.config.Backups.Filesystem.es_max_restore_bytes_per_sec:type_name -> google.protobuf.StringValue + 49, // 157: chef.automate.infra.config.Backups.S3.credentials:type_name -> chef.automate.infra.config.Backups.S3.AWSCredentials + 50, // 158: chef.automate.infra.config.Backups.S3.es:type_name -> chef.automate.infra.config.Backups.S3.Elasticsearch + 52, // 159: chef.automate.infra.config.Backups.S3.bucket:type_name -> chef.automate.infra.config.Backups.S3.Bucket + 53, // 160: chef.automate.infra.config.Backups.S3.ssl:type_name -> chef.automate.infra.config.Backups.S3.SSL + 51, // 161: chef.automate.infra.config.Backups.S3.os:type_name -> chef.automate.infra.config.Backups.S3.Opensearch + 54, // 162: chef.automate.infra.config.Backups.GCS.credentials:type_name -> chef.automate.infra.config.Backups.GCS.GCPCredentials + 55, // 163: chef.automate.infra.config.Backups.GCS.es:type_name -> chef.automate.infra.config.Backups.GCS.Elasticsearch + 57, // 164: chef.automate.infra.config.Backups.GCS.bucket:type_name -> chef.automate.infra.config.Backups.GCS.Bucket + 56, // 165: chef.automate.infra.config.Backups.GCS.os:type_name -> chef.automate.infra.config.Backups.GCS.Opensearch + 58, // 166: 
chef.automate.infra.config.Backups.S3.AWSCredentials.access_key:type_name -> google.protobuf.StringValue + 58, // 167: chef.automate.infra.config.Backups.S3.AWSCredentials.secret_key:type_name -> google.protobuf.StringValue + 58, // 168: chef.automate.infra.config.Backups.S3.AWSCredentials.session_token:type_name -> google.protobuf.StringValue + 60, // 169: chef.automate.infra.config.Backups.S3.Elasticsearch.compress:type_name -> google.protobuf.BoolValue + 60, // 170: chef.automate.infra.config.Backups.S3.Elasticsearch.server_side_encryption:type_name -> google.protobuf.BoolValue + 58, // 171: chef.automate.infra.config.Backups.S3.Elasticsearch.buffer_size:type_name -> google.protobuf.StringValue + 58, // 172: chef.automate.infra.config.Backups.S3.Elasticsearch.canned_acl:type_name -> google.protobuf.StringValue + 58, // 173: chef.automate.infra.config.Backups.S3.Elasticsearch.storage_class:type_name -> google.protobuf.StringValue + 58, // 174: chef.automate.infra.config.Backups.S3.Elasticsearch.max_snapshot_bytes_per_sec:type_name -> google.protobuf.StringValue + 58, // 175: chef.automate.infra.config.Backups.S3.Elasticsearch.max_restore_bytes_per_sec:type_name -> google.protobuf.StringValue + 58, // 176: chef.automate.infra.config.Backups.S3.Elasticsearch.chunk_size:type_name -> google.protobuf.StringValue + 58, // 177: chef.automate.infra.config.Backups.S3.Elasticsearch.read_timeout:type_name -> google.protobuf.StringValue + 61, // 178: chef.automate.infra.config.Backups.S3.Elasticsearch.max_retries:type_name -> google.protobuf.Int32Value + 60, // 179: chef.automate.infra.config.Backups.S3.Elasticsearch.use_throttle_retries:type_name -> google.protobuf.BoolValue + 58, // 180: chef.automate.infra.config.Backups.S3.Elasticsearch.protocol:type_name -> google.protobuf.StringValue + 58, // 181: chef.automate.infra.config.Backups.S3.Elasticsearch.region:type_name -> google.protobuf.StringValue + 58, // 182: 
chef.automate.infra.config.Backups.S3.Elasticsearch.role_arn:type_name -> google.protobuf.StringValue + 60, // 183: chef.automate.infra.config.Backups.S3.Opensearch.compress:type_name -> google.protobuf.BoolValue + 60, // 184: chef.automate.infra.config.Backups.S3.Opensearch.server_side_encryption:type_name -> google.protobuf.BoolValue + 58, // 185: chef.automate.infra.config.Backups.S3.Opensearch.buffer_size:type_name -> google.protobuf.StringValue + 58, // 186: chef.automate.infra.config.Backups.S3.Opensearch.canned_acl:type_name -> google.protobuf.StringValue + 58, // 187: chef.automate.infra.config.Backups.S3.Opensearch.storage_class:type_name -> google.protobuf.StringValue + 58, // 188: chef.automate.infra.config.Backups.S3.Opensearch.max_snapshot_bytes_per_sec:type_name -> google.protobuf.StringValue + 58, // 189: chef.automate.infra.config.Backups.S3.Opensearch.max_restore_bytes_per_sec:type_name -> google.protobuf.StringValue + 58, // 190: chef.automate.infra.config.Backups.S3.Opensearch.chunk_size:type_name -> google.protobuf.StringValue + 58, // 191: chef.automate.infra.config.Backups.S3.Opensearch.read_timeout:type_name -> google.protobuf.StringValue + 61, // 192: chef.automate.infra.config.Backups.S3.Opensearch.max_retries:type_name -> google.protobuf.Int32Value + 60, // 193: chef.automate.infra.config.Backups.S3.Opensearch.use_throttle_retries:type_name -> google.protobuf.BoolValue + 58, // 194: chef.automate.infra.config.Backups.S3.Opensearch.protocol:type_name -> google.protobuf.StringValue + 58, // 195: chef.automate.infra.config.Backups.S3.Opensearch.region:type_name -> google.protobuf.StringValue + 58, // 196: chef.automate.infra.config.Backups.S3.Opensearch.role_arn:type_name -> google.protobuf.StringValue + 58, // 197: chef.automate.infra.config.Backups.S3.Bucket.endpoint:type_name -> google.protobuf.StringValue + 58, // 198: chef.automate.infra.config.Backups.S3.Bucket.base_path:type_name -> google.protobuf.StringValue + 58, // 199: 
chef.automate.infra.config.Backups.S3.Bucket.name:type_name -> google.protobuf.StringValue + 58, // 200: chef.automate.infra.config.Backups.S3.SSL.root_cert:type_name -> google.protobuf.StringValue + 58, // 201: chef.automate.infra.config.Backups.GCS.GCPCredentials.json:type_name -> google.protobuf.StringValue + 60, // 202: chef.automate.infra.config.Backups.GCS.Elasticsearch.compress:type_name -> google.protobuf.BoolValue + 60, // 203: chef.automate.infra.config.Backups.GCS.Elasticsearch.application_name:type_name -> google.protobuf.BoolValue + 58, // 204: chef.automate.infra.config.Backups.GCS.Elasticsearch.max_snapshot_bytes_per_sec:type_name -> google.protobuf.StringValue + 58, // 205: chef.automate.infra.config.Backups.GCS.Elasticsearch.max_restore_bytes_per_sec:type_name -> google.protobuf.StringValue + 58, // 206: chef.automate.infra.config.Backups.GCS.Elasticsearch.chunk_size:type_name -> google.protobuf.StringValue + 58, // 207: chef.automate.infra.config.Backups.GCS.Elasticsearch.read_timeout:type_name -> google.protobuf.StringValue + 60, // 208: chef.automate.infra.config.Backups.GCS.Elasticsearch.connect_timeout:type_name -> google.protobuf.BoolValue + 60, // 209: chef.automate.infra.config.Backups.GCS.Opensearch.compress:type_name -> google.protobuf.BoolValue + 60, // 210: chef.automate.infra.config.Backups.GCS.Opensearch.application_name:type_name -> google.protobuf.BoolValue + 58, // 211: chef.automate.infra.config.Backups.GCS.Opensearch.max_snapshot_bytes_per_sec:type_name -> google.protobuf.StringValue + 58, // 212: chef.automate.infra.config.Backups.GCS.Opensearch.max_restore_bytes_per_sec:type_name -> google.protobuf.StringValue + 58, // 213: chef.automate.infra.config.Backups.GCS.Opensearch.chunk_size:type_name -> google.protobuf.StringValue + 58, // 214: chef.automate.infra.config.Backups.GCS.Opensearch.read_timeout:type_name -> google.protobuf.StringValue + 60, // 215: chef.automate.infra.config.Backups.GCS.Opensearch.connect_timeout:type_name 
-> google.protobuf.BoolValue + 58, // 216: chef.automate.infra.config.Backups.GCS.Bucket.base_path:type_name -> google.protobuf.StringValue + 58, // 217: chef.automate.infra.config.Backups.GCS.Bucket.name:type_name -> google.protobuf.StringValue + 218, // [218:218] is the sub-list for method output_type + 218, // [218:218] is the sub-list for method input_type + 218, // [218:218] is the sub-list for extension type_name + 218, // [218:218] is the sub-list for extension extendee + 0, // [0:218] is the sub-list for field type_name } func init() { file_config_shared_global_proto_init() } diff --git a/api/config/shared/global.proto b/api/config/shared/global.proto index fe14b7467d6..8be63671518 100644 --- a/api/config/shared/global.proto +++ b/api/config/shared/global.proto @@ -407,4 +407,5 @@ message Nginx { message Http { google.protobuf.BoolValue include_x_forwarded_for = 1; + google.protobuf.StringValue x_xss_protection = 2; } \ No newline at end of file diff --git a/components/automate-builder-api-proxy/habitat/config/nginx.conf b/components/automate-builder-api-proxy/habitat/config/nginx.conf index 82cf2f9e585..368fe536f30 100644 --- a/components/automate-builder-api-proxy/habitat/config/nginx.conf +++ b/components/automate-builder-api-proxy/habitat/config/nginx.conf @@ -50,7 +50,7 @@ http { add_header X-Frame-Options SAMEORIGIN; add_header X-Content-Type-Options nosniff; - add_header X-XSS-Protection "1; mode=block"; + add_header X-XSS-Protection {{cfg.http.x_xss_protection}}; add_header Alternate-Protocol 443:npn-spdy/3; add_header "X-UA-Compatible" "IE=Edge"; diff --git a/components/automate-load-balancer/habitat/config/automate-cs-nginx-location.conf b/components/automate-load-balancer/habitat/config/automate-cs-nginx-location.conf index e74c15d0848..4e59dd5b34f 100644 --- a/components/automate-load-balancer/habitat/config/automate-cs-nginx-location.conf +++ b/components/automate-load-balancer/habitat/config/automate-cs-nginx-location.conf 
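Review bot: The new `add_header X-XSS-Protection {{cfg.http.x_xss_protection}};` line in automate-builder-api-proxy's nginx.conf drops the double quotes the old literal had. With the default set earlier in this patch (`1; mode=block`), it would render as `add_header X-XSS-Protection 1; mode=block;`, which nginx reads as a second directive rather than a header value, assuming the template emits the string without adding quotes of its own. Keep the quotes in the template: `add_header X-XSS-Protection "{{cfg.http.x_xss_protection}}";`. The same applies to every `x-xss-protection` and `Content-Security-Policy` replacement in the automate-load-balancer hunks that follow (automate-cs-nginx-location.conf and nginx.conf). Because the value now comes from configuration and lands inside nginx.conf, it is also worth rejecting anything outside the known header values (`0`, `1`, `1; mode=block`) when the config is set, since a stray `"` or `;` in the value would still change the directive.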
@@ -20,7 +20,7 @@ location @bookshelf_cached { proxy_hide_header Cache-Control; add_header X-Proxy-Cache $upstream_cache_status; - add_header x-xss-protection "1; mode=block" always; + add_header x-xss-protection {{cfg.ngx.http.x_xss_protection}} always; add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always; add_header X-Content-Type-Options "nosniff" always; diff --git a/components/automate-load-balancer/habitat/config/nginx.conf b/components/automate-load-balancer/habitat/config/nginx.conf index 77ed8ef04bb..1835cd46166 100644 --- a/components/automate-load-balancer/habitat/config/nginx.conf +++ b/components/automate-load-balancer/habitat/config/nginx.conf @@ -118,7 +118,7 @@ http { return 403; } add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always; - add_header x-xss-protection "1; mode=block" always; + add_header x-xss-protection {{cfg.ngx.http.x_xss_protection}} always; add_header X-Content-Type-Options "nosniff" always; # TODO: I hate redirecting to https://host:443/ but handlebars has its limits :( return 301 https://$server_name:{{ cfg.service.https_port }}$request_uri; @@ -177,7 +177,7 @@ http { # Implement secure headers in accordance w/ owasp best practices # https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Headers - add_header x-xss-protection "1; mode=block" always; + add_header x-xss-protection {{cfg.ngx.http.x_xss_protection}} always; add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always; add_header X-Content-Type-Options "nosniff" always; add_header X-Frame-Options DENY; 
@@ -204,11 +204,11 @@ http { location /automate.conf.js { add_header Cache-Control "private, no-cache, no-store"; - add_header x-xss-protection "1; mode=block" always; + add_header x-xss-protection {{cfg.ngx.http.x_xss_protection}} always; add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always; add_header X-Content-Type-Options "nosniff" always; {{#if ../cfg.ngx.http.enable_csp_header ~}} - add_header Content-Security-Policy "default-src 'self';frame-ancestors 'self';"; + add_header Content-Security-Policy {{cfg.ngx.http.content_security_policy}}; {{/if ~}} alias {{../pkg.svc_config_path}}/automate.conf.js; break; @@ -256,9 +256,9 @@ http { # Required to make persistent connections happen proxy_set_header Connection ""; add_header X-Content-Type-Options "nosniff" always; - add_header x-xss-protection "1; mode=block" always; + add_header x-xss-protection {{cfg.ngx.http.x_xss_protection}} always; {{#if ../cfg.ngx.http.enable_csp_header ~}} - add_header Content-Security-Policy "default-src 'self';frame-ancestors 'self';"; + add_header Content-Security-Policy {{cfg.ngx.http.content_security_policy}}; {{/if ~}} } @@ -268,9 +268,9 @@ http { # Required to make persistent connections happen proxy_set_header Connection ""; add_header X-Content-Type-Options "nosniff" always; - add_header x-xss-protection "1; mode=block" always; + add_header x-xss-protection {{cfg.ngx.http.x_xss_protection}} always; {{#if ../cfg.ngx.http.enable_csp_header ~}} - add_header Content-Security-Policy "default-src 'self';frame-ancestors 'self';"; + add_header Content-Security-Policy {{cfg.ngx.http.content_security_policy}}; {{/if ~}} } 
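Review bot: In the `/automate.conf.js` hunk the new lines read `{{cfg.ngx.http.x_xss_protection}}` and `{{cfg.ngx.http.content_security_policy}}`, while the neighbouring template expressions in the same block use a parent-context path (`{{#if ../cfg.ngx.http.enable_csp_header ~}}`, `{{../pkg.svc_config_path}}`). If this part of the file sits inside a nested handlebars block, as those paths suggest, the unprefixed lookups may resolve to an empty string and the headers would be emitted with no usable value. The enclosing block starts outside the hunk, so this needs confirming against the rendered file. If so, the lines would read `add_header x-xss-protection "{{../cfg.ngx.http.x_xss_protection}}" always;` and `add_header Content-Security-Policy "{{../cfg.ngx.http.content_security_policy}}";`. The same pattern repeats in the `@@ -256`, `@@ -268`, `@@ -281` and `@@ -293` hunks.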
@@ -281,9 +281,9 @@ http { # Required to make persistent connections happen proxy_set_header Connection ""; add_header X-Content-Type-Options "nosniff" always; - add_header x-xss-protection "1; mode=block" always; + add_header x-xss-protection {{cfg.ngx.http.x_xss_protection}} always; {{#if ../cfg.ngx.http.enable_csp_header ~}} - add_header Content-Security-Policy "default-src 'self';frame-ancestors 'self';"; + add_header Content-Security-Policy {{cfg.ngx.http.content_security_policy}}; {{/if ~}} } @@ -293,9 +293,9 @@ http { # Required to make persistent connections happen proxy_set_header Connection ""; add_header X-Content-Type-Options "nosniff" always; - add_header x-xss-protection "1; mode=block" always; + add_header x-xss-protection {{cfg.ngx.http.x_xss_protection}} always; {{#if ../cfg.ngx.http.enable_csp_header ~}} - add_header Content-Security-Policy "default-src 'self';frame-ancestors 'self';"; + add_header Content-Security-Policy {{cfg.ngx.http.content_security_policy}}; {{/if ~}} } @@ -307,10 +307,10 @@ http { proxy_set_header Connection ""; # Required to make persistent connections happen add_header X-Frame-Options sameorigin; # forbid other