Merge pull request #26 from prudhvigodithi/main

CDK Code improvements and add Nginx security

infrastructure/lib/constructs/opensearchNginxProxyCognito.ts

@@ -14,15 +14,14 @@ import {
     SecurityGroup,
     SubnetType,
     Vpc,
-    AmazonLinuxGeneration,
-    AmazonLinuxImage, MachineImage
+    MachineImage
 } from 'aws-cdk-lib/aws-ec2';
 import { Effect, ManagedPolicy, PolicyStatement, Role, ServicePrincipal } from 'aws-cdk-lib/aws-iam';
 import {Aspects, CfnOutput, Duration, Tag, Tags} from 'aws-cdk-lib';
 import { Construct } from 'constructs';
 import {
     ApplicationLoadBalancer, ApplicationProtocol,
-    ListenerCertificate, Protocol,
+    ListenerCertificate, Protocol, SslPolicy,
 } from "aws-cdk-lib/aws-elasticloadbalancingv2";
 import Project from "../enums/project";
 import {ARecord, RecordTarget} from "aws-cdk-lib/aws-route53";
@@ -107,6 +106,7 @@ export class OpenSearchMetricsNginxCognito extends Construct {
             const listener = openSearchCognitoApplicationLoadBalancer.addListener(`OpenSearchMetricsCognito-NginxProxyAlbListener`, {
                 port: 443,
                 protocol: ApplicationProtocol.HTTPS,
+                sslPolicy: SslPolicy.RECOMMENDED_TLS,
                 certificates: [listenerCertificate]
             });
 
@@ -142,12 +142,6 @@ export class OpenSearchMetricsNginxCognito extends Construct {
             description: 'VPC CIDR',
         });
 
-        this.asg.connections.allowFrom(
-            Peer.prefixList(Project.RESTRICTED_PREFIX),
-            Port.tcp(443),
-            "Allow All"
-        );
-
         const instanceName = `OpenSearchMetricsCognito-NginxProxyHost`;
         Aspects.of(this.asg).add(new Tag('name', instanceName, {
             applyToLaunchedInstances: true,
@@ -179,13 +173,17 @@ export class OpenSearchMetricsNginxCognito extends Construct {
                 rewrite ^/$ https://$host/_dashboards redirect;
                 ssl_certificate /etc/nginx/cert.crt;
                 ssl_certificate_key /etc/nginx/cert.key;
-            
                 ssl on;
                 ssl_session_cache builtin:1000 shared:SSL:10m;
-                ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+                ssl_protocols TLSv1.2 TLSv1.3;
                 ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
                 ssl_prefer_server_ciphers on;
-            
+                
+                add_header Strict-Transport-Security "max-age=47304000; includeSubDomains";
+                add_header X-Content-Type-Options "nosniff";
+                add_header X-Frame-Options "DENY";  
+                add_header Cache-Control "no-store, no-cache";
+                
                 set $os_endpoint ${opensearchDashboardUrlProps.opensearchDashboardVpcUrl};
                 set $cognito_endpoint ${cognitoUrl};
             

infrastructure/lib/infrastructure-stack.ts

@@ -1,12 +1,12 @@
 import {App, Fn, Stack, StackProps} from 'aws-cdk-lib';
 import { Construct } from 'constructs';
 import { VpcStack } from "./stacks/vpc";
-import {jenkinsAccess, OpenSearchDomainStack} from "./stacks/opensearch";
+import {OpenSearchDomainStack} from "./stacks/opensearch";
 import Project from './enums/project';
 import {OpenSearchHealthRoute53} from "./stacks/route53";
 import {OpenSearchMetricsWorkflowStack} from "./stacks/metricsWorkflow";
 import {OpenSearchMetricsNginxReadonly} from "./stacks/opensearchNginxProxyReadonly";
-import {ArnPrincipal, IPrincipal} from "aws-cdk-lib/aws-iam";
+import {ArnPrincipal} from "aws-cdk-lib/aws-iam";
 import {OpenSearchWAF} from "./stacks/waf";
 import {OpenSearchMetricsNginxCognito} from "./constructs/opensearchNginxProxyCognito";
 

infrastructure/lib/stacks/opensearch.ts

@@ -176,7 +176,6 @@ export class OpenSearchDomainStack extends Stack {
         });
 
         this.domain.node.addDependency(serviceLinkedRole);
-
         if(props.enableNginxCognito) {
             const metricsHostedZone = new OpenSearchHealthRoute53(this, "OpenSearchMetricsCognito-HostedZone", {
                 hostedZone: Project.METRICS_COGNITO_HOSTED_ZONE,

infrastructure/lib/stacks/opensearchNginxProxyReadonly.ts

@@ -159,13 +159,17 @@ export class OpenSearchMetricsNginxReadonly extends Stack {
                 rewrite ^/$ https://$host/_dashboards redirect;
                 ssl_certificate /etc/nginx/cert.crt;
                 ssl_certificate_key /etc/nginx/cert.key;
-            
                 ssl on;
                 ssl_session_cache builtin:1000 shared:SSL:10m;
-                ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+                ssl_protocols TLSv1.2 TLSv1.3;
                 ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
                 ssl_prefer_server_ciphers on;
-            
+           
+                add_header Strict-Transport-Security "max-age=47304000; includeSubDomains";
+                add_header X-Content-Type-Options "nosniff";
+                add_header X-Frame-Options "DENY";  
+                add_header Cache-Control "no-store, no-cache";
+                
                 set $os_endpoint ${nginxProps.opensearchDashboardUrlProps.opensearchDashboardVpcUrl};
                 set $frontend_endpoint localhost:8081;
                 proxy_cookie_domain $frontend_endpoint $host;