WebSocket, Cloudflare Tunnel, Apache httpd and a bit of security

Here we are

Why

I've recently updated part of my private infrastructure to better handle some security aspects, and I opened Pandora's box.

Starting point

This is one of the scenarios (the one that drove me crazy) where WebSockets are in use: Grafana, since around version 8, uses WebSockets to update its dashboards.

The original idea was to define a "role" for each aspect:

- Used as a global security header layer: it implements the same level of security for each exposed application.
- Used to "obfuscate" the origin and implement a sort of protection, even on the free version of Cloudflare.
- A Linux-based firewall, because I need to write some ACLs and firewall rules.
- VMware ESXi as a "flat" platform to abstract hardware brands, extend portability, handle backups, etc.
- Kubernetes for all the workloads that can be run as immutable images.
- Virtual machines when I need disk pressure.

The code used for the Worker was the following:

const securityHeaders = {
  "Content-Security-Policy": "upgrade-insecure-requests",
  "Strict-Transport-Security": "max-age=3600;includeSubdomains",
  "X-Xss-Protection": "1; mode=block",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
  "Permissions-Policy": "geolocation=()",
  "Referrer-Policy": "strict-origin-when-cross-origin"
};

async function addHeaders(req) {
  // Fetch from the origin, copy its headers, and take a copy of the security set
  const response = await fetch(req),
    newHeaders = new Headers(response.headers),
    setHeaders = Object.assign({}, securityHeaders);

  // Non-HTML responses (APIs, static assets) are passed through unchanged
  if (newHeaders.has("Content-Type") && !newHeaders.get("Content-Type").includes("text/html")) {
    return new Response(response.body, {
      status: response.status,
      statusText: response.statusText,
      headers: newHeaders
    });
  }

  // HTML responses get every security header, overwriting whatever the origin sent
  Object.keys(setHeaders).forEach(name => newHeaders.set(name, setHeaders[name]));

  return new Response(response.body, {
    status: response.status,
    statusText: response.statusText,
    headers: newHeaders
  });
}

addEventListener("fetch", event => event.respondWith(addHeaders(event.request)));
Anyway, Cloudflare's developer documentation now has a dedicated page about altering headers for security: https://developers.cloudflare.com/workers/examples/security-headers/
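The same idea, written as an added example rather than the post's own Worker code: the header logic is split into small pure functions so it can be unit tested offline, WebSocket handshakes (the Grafana case from the start of the post) are handed back untouched because a 101 Switching Protocols response cannot be rebuilt with new Response(), and an audit function lists which of the expected headers are missing or weak on a given response. Everything here assumes the Cloudflare Workers runtime only for the fetch handler at the bottom; the helper names (getHeader, isHtml, isWebSocketUpgrade, mergeSecurityHeaders, auditSecurityHeaders) are this example's own, and the header sets used to exercise them are constructed.

```javascript
// Added example (not the blog's Worker): testable security-header middleware.
// The fetch handler needs the Workers runtime; the helpers run anywhere.

const securityHeaders = {
  "Content-Security-Policy": "upgrade-insecure-requests",
  "Strict-Transport-Security": "max-age=3600; includeSubDomains",
  "X-Xss-Protection": "1; mode=block",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
  "Permissions-Policy": "geolocation=()",
  "Referrer-Policy": "strict-origin-when-cross-origin",
};

// Case-insensitive lookup that accepts a Fetch Headers object or a plain
// { name: value } object (the plain form is what the offline tests use).
function getHeader(headers, name) {
  if (typeof headers.get === "function") return headers.get(name);
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

// Browser security headers only matter for HTML documents; a JSON API
// response or a static asset is returned exactly as the origin sent it.
function isHtml(headers) {
  const ct = getHeader(headers, "Content-Type");
  return ct !== null && ct.toLowerCase().includes("text/html");
}

// A WebSocket handshake (Upgrade: websocket) must be passed through: the
// 101 response carries the upgraded socket and cannot be re-wrapped.
function isWebSocketUpgrade(headers) {
  const up = getHeader(headers, "Upgrade");
  return up !== null && up.toLowerCase() === "websocket";
}

// Returns a plain object: the original headers plus the security set,
// with any origin-supplied value for the same name replaced.
function mergeSecurityHeaders(headers) {
  const out = {};
  if (typeof headers.forEach === "function") headers.forEach((v, k) => { out[k] = v; });
  else Object.assign(out, headers);
  for (const [name, value] of Object.entries(securityHeaders)) {
    const existing = Object.keys(out).find((k) => k.toLowerCase() === name.toLowerCase());
    if (existing !== undefined) delete out[existing];
    out[name] = value;
  }
  return out;
}

// Audit a response's headers: which expected headers are absent, and is the
// HSTS max-age shorter than one year (the value commonly recommended before
// enabling preload)?
function auditSecurityHeaders(headers) {
  const missing = Object.keys(securityHeaders).filter((n) => getHeader(headers, n) === null);
  const weak = [];
  const hsts = getHeader(headers, "Strict-Transport-Security");
  if (hsts !== null) {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (m === null || Number(m[1]) < 31536000) {
      weak.push("Strict-Transport-Security: max-age below one year");
    }
  }
  return { missing, weak };
}

// Worker entry point: rebuild only HTML responses, pass everything else through.
async function addHeaders(req) {
  const response = await fetch(req);
  if (isWebSocketUpgrade(req.headers) || response.status === 101 || !isHtml(response.headers)) {
    return response;
  }
  return new Response(response.body, {
    status: response.status,
    statusText: response.statusText,
    headers: mergeSecurityHeaders(response.headers),
  });
}

if (typeof addEventListener === "function") {
  addEventListener("fetch", (event) => event.respondWith(addHeaders(event.request)));
}
```

Deploy it the same way as the original Worker. To check what actually reaches the browser, paste the response headers captured from a real request (for example the output of curl -sI against the exposed hostname) into a plain object and run auditSecurityHeaders on it; the audit flags the short max-age in this header set, which is something to revisit once the HSTS rollout is known to be safe for every subdomain behind the tunnel.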

Reshape

Issue

Fixes