This repository has been archived by the owner on Mar 1, 2020. It is now read-only.

The Jenkins environment needs to be secured #15

Open
18 of 22 tasks
zadigus opened this issue May 11, 2019 · 7 comments
Labels: can wait (The matter is not urgent, it has low priority), enhancement (New feature or request)

Comments

zadigus commented May 11, 2019

We need to protect the environment with https protocol. This needs to happen in our manifest.

  • enable https

  • secure environment

    • enable security headers
      • enable HSTS
      • X-Frame-Options
      • X-XSS-Protection
      • Referrer-Policy
      • X-Content-Type-Options
      • Content-Security-Policy
      • Feature-Policy
    • redirect from http to https
    • set up a secure ssl cipher suite
    • only enable tls1.2 and tls1.3
    • set up the dhparams
    • make the jenkins session cookie secure
    • make the jenkins session cookie httponly
    • make the jenkins session cookie SameSite=strict
  • enable IPv4

  • bind ssl

  • close it off from the outside world; browsing the jenkins environment on port 8080 should not work; browsing that address should only be allowed from the nginx node

  • clarify letsencrypt. Our current "integration" seems to use some fake/dummy certificate from let's encrypt (LE). Ideally we need our automatic process to get a valid certificate and set up the configuration as part of our jps flow; if that's not possible we need to re-evaluate how we want to proceed

  • organize automatic ssl certificate renewal with certbot

@zadigus zadigus added the enhancement New feature or request label May 11, 2019
zadigus commented May 16, 2019

After discussions with @shikamu, it turns out it's not necessary to secure this environment with https. It would be better but it is not extremely necessary. The importance of this issue is therefore very low.

@zadigus zadigus added the can wait The matter is not urgent, it has low priority label May 16, 2019
zadigus commented Nov 10, 2019

@zadigus zadigus added this to the Release 1.0.0 milestone Nov 16, 2019
zadigus commented Nov 16, 2019

The stuff we tried to integrate on Nov 15, 2019 is now working with the jps manifest.

zadigus commented Nov 18, 2019

There's also the following code to activate in ssl.conf

location / {
    # we need a domain name for this; add_header (not proxy_set_header) is the
    # directive that sends the header to the browser in the response:
    #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
}

zadigus commented Nov 19, 2019

you don't put ssl on any more, for example
you put everything on the listen line, I think, like listen 443 http2 ssl;
but what I suggest is the following:

  1. you do your thing with let's encrypt so that it spits out the certificate for us
  2. then forget about the config it generates for us, we take our config and just inject its certificate
    and that should work
    there's just one thing that still needs to be integrated into the jps
    it can be done at any time but before restarting nginx:
    this command needs to be run:
    openssl dhparam -out /etc/nginx/dhparam.pem 4096

the path can be changed but then the ssl.conf has to be changed, we have this line: ssl_dhparam /etc/nginx/dhparam.pem;
the command can take 2-3 minutes to run
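Putting the checklist from the first comment together with the listen-line and dhparam advice above, here is an added nginx configuration; it is an example written for this page, not the project's ssl.conf or jps manifest. The hostname jenkins.example.org, the certbot-style certificate paths and the upstream address jenkins:8080 are assumptions.

```nginx
# Added example, not the project's ssl.conf: one nginx server block implementing
# the checklist in this issue. Assumed: hostname jenkins.example.org, certbot's
# default certificate paths, upstream jenkins:8080 for the Jenkins (Jetty) node.
# Plain HTTP only redirects to HTTPS.
server {
    listen 80;
    server_name jenkins.example.org;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name jenkins.example.org;
    ssl_certificate     /etc/letsencrypt/live/jenkins.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/jenkins.example.org/privkey.pem;

    # TLS 1.2/1.3 only, forward-secret ciphers, and the DH group generated with
    # `openssl dhparam -out /etc/nginx/dhparam.pem 4096` before nginx starts.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_dhparam /etc/nginx/dhparam.pem;

    # Security headers from the checklist; "always" also sets them on error
    # responses. HSTS (max-age/preload values from the ssl.conf snippet in this
    # thread) needs the real domain name before it goes live. The CSP is a
    # minimal anti-framing policy: Jenkins' UI relies on inline scripts, so a
    # stricter policy has to be tested against it first.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Content-Security-Policy "frame-ancestors 'self'" always;
    add_header Feature-Policy "camera 'none'; microphone 'none'" always;

    location / {
        # Jenkins on :8080 is reached only from this nginx node, never directly.
        proxy_pass http://jenkins:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect   http://jenkins:8080 https://$host;
        # Session cookie flags from the checklist (proxy_cookie_flags needs nginx >= 1.19.3).
        proxy_cookie_flags ~ secure httponly samesite=strict;
    }
}
```

The port-8080 restriction itself is enforced on the Jenkins node (firewall or binding Jetty to the internal interface), not by this file; it only assumes that restriction is in place.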

shikamu commented Nov 30, 2019

@shikamu (note to self): look at jetty/jetty.project#4247; there seems to be information about the SameSite cookie thing. The server that we are running Jenkins on is Jetty.
