
Openconnect - HTTPS security headers are missing
Closed, Resolved · Public · BUG

Description

In our configuration template, some HTTPS security headers that are important in the default configuration are missing:

HTTP headers

included-http-headers = Strict-Transport-Security: max-age=31536000 ; includeSubDomains
included-http-headers = X-Frame-Options: deny
included-http-headers = X-Content-Type-Options: nosniff
included-http-headers = Content-Security-Policy: default-src 'none'
included-http-headers = X-Permitted-Cross-Domain-Policies: none
included-http-headers = Referrer-Policy: no-referrer
included-http-headers = Clear-Site-Data: "cache","cookies","storage"
included-http-headers = Cross-Origin-Embedder-Policy: require-corp
included-http-headers = Cross-Origin-Opener-Policy: same-origin
included-http-headers = Cross-Origin-Resource-Policy: same-origin
included-http-headers = X-XSS-Protection: 0
included-http-headers = Pragma: no-cache
included-http-headers = Cache-control: no-store, no-cache

I've verified it; it's also missing in 1.4/1.3. This topic is based on this forum thread:

https://forum.vyos.io/t/ocserv-ocserv-config-tmpl-missing-security-headers-from-original-package/12989
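A way to check a deployed server against this list, as an added example that is not part of the task or of the VyOS/ocserv code: it parses the `included-http-headers` lines above into an expected set and audits a captured HTTPS response for headers that are absent or carry a different value. The response below is a constructed sample; a real one can be captured with `curl -I` or `openssl s_client` against the VPN endpoint.

```python
# Header list from the ocserv sample config quoted in this task, values copied as-is.
OCSERV_TEMPLATE = """\
included-http-headers = Strict-Transport-Security: max-age=31536000 ; includeSubDomains
included-http-headers = X-Frame-Options: deny
included-http-headers = X-Content-Type-Options: nosniff
included-http-headers = Content-Security-Policy: default-src 'none'
included-http-headers = X-Permitted-Cross-Domain-Policies: none
included-http-headers = Referrer-Policy: no-referrer
included-http-headers = Clear-Site-Data: "cache","cookies","storage"
included-http-headers = Cross-Origin-Embedder-Policy: require-corp
included-http-headers = Cross-Origin-Opener-Policy: same-origin
included-http-headers = Cross-Origin-Resource-Policy: same-origin
included-http-headers = X-XSS-Protection: 0
included-http-headers = Pragma: no-cache
included-http-headers = Cache-control: no-store, no-cache
"""

# Constructed sample reply: most headers above are absent and HSTS max-age is weaker.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    b"Strict-Transport-Security: max-age=300\r\nX-Frame-Options: DENY\r\n"
    b"Pragma: no-cache\r\n\r\n<html></html>"
)


def parse_included_headers(config_text):
    """Map lower-cased header name -> expected value from `included-http-headers = Name: value` lines."""
    expected = {}
    for line in config_text.splitlines():
        key, sep, rest = line.partition("=")
        if sep and key.strip() == "included-http-headers":
            name, _, value = rest.strip().partition(":")
            expected[name.strip().lower()] = value.strip()
    return expected


def parse_response_headers(raw):
    """Parse the header block of a raw HTTP/1.1 response into a lower-cased name -> value dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def audit(expected, actual):
    """Return sorted (missing, wrong_value) header-name lists; values compared ignoring spacing/case."""
    norm = lambda v: "".join(v.split()).lower()
    missing = sorted(n for n in expected if n not in actual)
    wrong = sorted(n for n in expected if n in actual and norm(actual[n]) != norm(expected[n]))
    return missing, wrong
```

Against the sample, `audit` reports ten headers missing and `strict-transport-security` present with a value that does not match the template.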

Details

Version: VyOS 1.5-rolling-202311160736
Is it a breaking change? Perfectly compatible

Event Timeline

fernando changed the task status from Open to In progress.Dec 2 2023, 12:36 PM
fernando triaged this task as Normal priority.
fernando changed the task status from In progress to Needs testing.Dec 4 2023, 6:45 PM

Tested on 1.5/1.4:

vyos@dco1:~$ show openconnect-server sessions
Interface    Username    IP             Remote IP     RX       TX         State      Uptime
-----------  ----------  -------------  ------------  -------  ---------  ---------  --------
sslvpn0      tst         172.20.20.198  192.168.0.40  21.4 KB  152 bytes  connected  1m:10s

Client:
POST https://172.16.50.16/auth
Please enter your password.
Password:
POST https://172.16.50.16/auth
Got CONNECT response: HTTP/1.1 200 CONNECTED
CSTP connected. DPD 60, Keepalive 300
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS1.2)-(PSK)-(AES-256-GCM).
Configured as 172.20.20.198, with SSL connected and DTLS connected
Viacheslav moved this task from Open to Finished on the VyOS 1.4 Sagitta board.

Some improvements were added in this task: enable or disable the HTTP security headers in the openconnect configuration:

set vpn openconnect http-security-headers

It was added on 1.3.x and tested with a basic example:

vyos@vyos:~$ show configuration commands  | match vpn
set vpn openconnect authentication local-users username user4 password 'SecretPassword'
set vpn openconnect authentication mode 'local'
set vpn openconnect http-security-headers
set vpn openconnect network-settings client-ip-settings subnet '100.64.0.0/24'
set vpn openconnect network-settings name-server '10.1.1.1'
set vpn openconnect network-settings name-server '10.1.1.2'
set vpn openconnect ssl ca-cert-file '/config/auth/ca.crt'
set vpn openconnect ssl cert-file '/config/auth/server.crt'
set vpn openconnect ssl key-file '/config/auth/server.key'

I will replicate the same on 1.4/1.5.