From e1f14bc8a1baa19fb306c41ee12533f247285c5f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9ophile=20Diot?=
Date: Tue, 3 Dec 2024 11:56:38 +0100
Subject: [PATCH 1/3] feat: add SECURITY_MODE setting to security templates
---
 src/common/core/templates/templates/high.json | 2 ++
 src/common/core/templates/templates/low.json | 2 ++
 src/common/core/templates/templates/medium.json | 2 ++
 3 files changed, 6 insertions(+)
diff --git a/src/common/core/templates/templates/high.json b/src/common/core/templates/templates/high.json
index 624f1ffbf..b32c15327 100644
--- a/src/common/core/templates/templates/high.json
+++ b/src/common/core/templates/templates/high.json
@@ -2,6 +2,7 @@
 "name": "Advanced security level with focus on robust security measures and comprehensive protection",
 "settings": {
 "SERVER_NAME": "www.example.com",
+ "SECURITY_MODE": "block",
 "USE_REVERSE_PROXY": "yes",
 "REVERSE_PROXY_HOST": "http://upstream-server:8080",
 "REVERSE_PROXY_URL": "/",
@@ -73,6 +74,7 @@
 "subtitle": "Configure your web service facing your clients",
 "settings": [
 "SERVER_NAME",
+ "SECURITY_MODE",
 "AUTO_LETS_ENCRYPT",
 "USE_LETS_ENCRYPT_STAGING",
 "USE_LETS_ENCRYPT_WILDCARD",
diff --git a/src/common/core/templates/templates/low.json b/src/common/core/templates/templates/low.json
index 35b7804ff..681b38c4a 100644
--- a/src/common/core/templates/templates/low.json
+++ b/src/common/core/templates/templates/low.json
@@ -2,6 +2,7 @@
 "name": "Basic security level that provides essential settings for web application protection",
 "settings": {
 "SERVER_NAME": "www.example.com",
+ "SECURITY_MODE": "block",
 "USE_REVERSE_PROXY": "yes",
 "REVERSE_PROXY_HOST": "http://upstream-server:8080",
 "REVERSE_PROXY_URL": "/",
@@ -71,6 +72,7 @@
 "subtitle": "Configure your web service facing your clients",
 "settings": [
 "SERVER_NAME",
+ "SECURITY_MODE",
 "AUTO_LETS_ENCRYPT",
 "USE_LETS_ENCRYPT_STAGING",
 "USE_LETS_ENCRYPT_WILDCARD",
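Review bot: The `low` template pins `"SECURITY_MODE": "block"` exactly like `high`, so the new setting does not participate in the level differentiation the template `name` fields ("Basic" vs "Advanced security level") advertise, and a reader of low.json cannot tell whether that is deliberate. If the setting supports a non-blocking value (detect/log-only), decide explicitly whether `low` should expose it; if `block` is meant as a fail-closed default for every level, say so in the setting's help text or in the commit message, since JSON gives no place for an inline comment. Also confirm that whatever merges a level template with ui.json does not let a later template silently override this to a non-blocking mode.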
diff --git a/src/common/core/templates/templates/medium.json b/src/common/core/templates/templates/medium.json
index 8a0b4d06e..ccd39d9a6 100644
--- a/src/common/core/templates/templates/medium.json
+++ b/src/common/core/templates/templates/medium.json
@@ -2,6 +2,7 @@
 "name": "Balanced security level that offers a mix of security features and performance optimizations",
 "settings": {
 "SERVER_NAME": "www.example.com",
+ "SECURITY_MODE": "block",
 "USE_REVERSE_PROXY": "yes",
 "REVERSE_PROXY_HOST": "http://upstream-server:8080",
 "REVERSE_PROXY_URL": "/",
@@ -73,6 +74,7 @@
 "subtitle": "Configure your web service facing your clients",
 "settings": [
 "SERVER_NAME",
+ "SECURITY_MODE",
 "AUTO_LETS_ENCRYPT",
 "USE_LETS_ENCRYPT_STAGING",
 "USE_LETS_ENCRYPT_WILDCARD",
From a661d16c38f35c1abf7e5ac26144052c35343d31 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Th=C3=A9ophile=20Diot?=
Date: Tue, 3 Dec 2024 12:07:54 +0100
Subject: [PATCH 2/3] fix: remove GENERATE_SELF_SIGNED_SSL setting from UI templates
---
 src/common/core/templates/templates/ui.json | 1 -
 1 file changed, 1 deletion(-)
diff --git a/src/common/core/templates/templates/ui.json b/src/common/core/templates/templates/ui.json
index b1ae6c631..2a0836d03 100644
--- a/src/common/core/templates/templates/ui.json
+++ b/src/common/core/templates/templates/ui.json
@@ -6,7 +6,6 @@
 "CORS_ALLOW_ORIGIN": "self",
 "INTERCEPTED_ERROR_CODES": "400 404 405 413 429 500 501 502 503 504",
 "MAX_CLIENT_SIZE": "50m",
- "GENERATE_SELF_SIGNED_SSL": "yes",
 "KEEP_UPSTREAM_HEADERS": "Content-Security-Policy Strict-Transport-Security X-Frame-Options X-Content-Type-Options Referrer-Policy",
 "REVERSE_PROXY_KEEPALIVE": "yes"
 }
From 2fdbff85a97ead4694d1c3c3c6985c3ce27ab8e9 Mon Sep 17 00:00:00 2001
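Review bot: Dropping `"GENERATE_SELF_SIGNED_SSL": "yes"` removes the only TLS-related setting visible in the ui.json hunk, and the commit message ("fix: remove …") does not say what now guarantees the admin UI is served over TLS. If the UI template is always combined with a level template that enables `AUTO_LETS_ENCRYPT` or a custom certificate this is fine, but if it can be applied alone the admin interface (login form, TOTP secrets, recovery codes) may come up over plain HTTP, and the `Strict-Transport-Security` header kept in `KEEP_UPSTREAM_HEADERS` only matters once TLS is in place. Please state the rationale in the commit message (e.g. "self-signed generation is now handled by the level templates / the UI fails closed without a certificate") and, if nothing else enforces it, keep a TLS default here or add a startup check that refuses to expose the UI without a certificate.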
From: =?UTF-8?q?Th=C3=A9ophile=20Diot?=
Date: Tue, 3 Dec 2024 12:08:09 +0100
Subject: [PATCH 3/3] fix: convert user creation and update dates to timezone-aware datetime
---
 src/ui/app/models/ui_database.py | 4 ++--
 src/ui/app/routes/setup.py | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/ui/app/models/ui_database.py b/src/ui/app/models/ui_database.py
index 23f23c576..2b035048b 100644
--- a/src/ui/app/models/ui_database.py
+++ b/src/ui/app/models/ui_database.py
@@ -54,8 +54,8 @@ def get_ui_user(self, *, username: Optional[str] = None, as_dict: bool = False)
 "method": ui_user.method,
 "theme": ui_user.theme,
 "totp_secret": ui_user.totp_secret,
- "creation_date": ui_user.creation_date,
- "update_date": ui_user.update_date,
+ "creation_date": ui_user.creation_date.astimezone(),
+ "update_date": ui_user.update_date.astimezone(),
 "roles": [role.role_name for role in ui_user.roles],
 "recovery_codes": [recovery_code.code for recovery_code in ui_user.recovery_codes],
 }
diff --git a/src/ui/app/routes/setup.py b/src/ui/app/routes/setup.py
index a12555565..5758c9f69 100644
--- a/src/ui/app/routes/setup.py
+++ b/src/ui/app/routes/setup.py
@@ -248,8 +248,8 @@ def setup_loading():
 db_config = DB.get_config(filtered_settings=("SERVER_NAME", "USE_UI", "REVERSE_PROXY_URL"))
 ui_service = {}
 
- ui_admin = DB.get_ui_user()
- admin_old_enough = ui_admin and ui_admin.creation_date < datetime.now().astimezone() - timedelta(minutes=5)
+ ui_admin = DB.get_ui_user(as_dict=True)
+ admin_old_enough = ui_admin and ui_admin["creation_date"] < datetime.now().astimezone() - timedelta(minutes=5)
 
 for server_name in db_config["SERVER_NAME"].split(" "):
 if server_name and db_config.get(f"{server_name}_USE_UI", "no") == "yes":
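Review bot: `ui_user.creation_date.astimezone()` only produces a correct aware value if the stored datetime is already aware or is a naive value expressed in the process's local time; a naive column written in UTC (the usual ORM default) would be reinterpreted as local time and shifted by the host's UTC offset, which directly skews the 5-minute `admin_old_enough` window computed from it in setup.py. If the column is naive UTC, the conversion should be `ui_user.creation_date.replace(tzinfo=timezone.utc).astimezone()` (same for `update_date`) — please confirm how the column is written and add a comment on these two lines stating the assumed storage timezone. Note also that only the `as_dict=True` branch is converted; callers that take the ORM object still receive the unconverted values, so comparing them against `datetime.now().astimezone()` will raise or mis-compare — the function `get_ui_user` starts before this hunk, so the non-dict return path is not visible here.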
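Review bot: `admin_old_enough` now gates on a 5-minute magic number with no explanation of what the window protects, and the switch to `as_dict=True` makes this line the only consumer relying on the dict's `creation_date` being timezone-aware. Name the threshold and document it, e.g. `ADMIN_SETUP_GRACE = timedelta(minutes=5)  # window after admin creation during which the setup flow may still be re-entered` at module level and `admin_old_enough = bool(ui_admin) and ui_admin["creation_date"] < datetime.now().astimezone() - ADMIN_SETUP_GRACE`, so the variable is a real bool rather than `None`/`{}` when no admin exists. The enclosing `setup_loading` continues outside the hunk, so how `admin_old_enough` is consumed is not visible here.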