Secure Middleware (#37)

adding secure middleware to enforce security headers, most
of the options can be configured via env variables

adding prefix for mcs env variables

adding http redirect to https, adding csp report only, etc

solving conflicts

passing tls port configured by cli to secure middleware

update go.sum

adding default port, tlsport, host and tlshostname

fix tlsport bug

restapi/client-admin.go

@@ -38,7 +38,7 @@ func NewAdminClient(url, accessKey, secretKey string) (*madmin.AdminClient, *pro
 		AccessKey:   accessKey,
 		SecretKey:   secretKey,
 		AppName:     appName,
-		AppVersion:  Version,
+		AppVersion:  McsVersion,
 		AppComments: []string{appName, runtime.GOOS, runtime.GOARCH},
 	})
 	if err != nil {

restapi/config.go

@@ -17,11 +17,18 @@
 package restapi
 
 import (
+	"fmt"
+	"strconv"
 	"strings"
 
 	"github.com/minio/minio/pkg/env"
 )
 
+var Port = "9090"
+var TLSPort = "9443"
+var Hostname = "localhost"
+var TLSHostname = "localhost"
+
 func getAccessKey() string {
 	return env.Get(McsAccessKey, "minioadmin")
 }
@@ -57,3 +64,142 @@ func getMinIOEndpointIsSecure() bool {
 	}
 	return false
 }
+
+func getProductionMode() bool {
+	return strings.ToLower(env.Get(McsProductionMode, "on")) == "on"
+}
+
+func GetHostname() string {
+	return strings.ToLower(env.Get(McsHostname, Hostname))
+}
+
+func GetPort() int {
+	port, err := strconv.Atoi(env.Get(McsPort, Port))
+	if err != nil {
+		port = 9090
+	}
+	return port
+}
+
+func GetSSLHostname() string {
+	return strings.ToLower(env.Get(McsTLSHostname, TLSHostname))
+}
+
+func GetSSLPort() int {
+	port, err := strconv.Atoi(env.Get(McsTLSPort, TLSPort))
+	if err != nil {
+		port = 9443
+	}
+	return port
+}
+
+// Get secure middleware env variable configurations
+func getSecureAllowedHosts() []string {
+	allowedHosts := env.Get(McsSecureAllowedHosts, "")
+	if allowedHosts != "" {
+		return strings.Split(allowedHosts, ",")
+	} else {
+		return []string{}
+	}
+}
+
+// AllowedHostsAreRegex determines, if the provided AllowedHosts slice contains valid regular expressions. Default is false.
+func getSecureAllowedHostsAreRegex() bool {
+	return strings.ToLower(env.Get(McsSecureAllowedHostsAreRegex, "off")) == "on"
+}
+
+// If FrameDeny is set to true, adds the X-Frame-Options header with the value of `DENY`. Default is true.
+func getSecureFrameDeny() bool {
+	return strings.ToLower(env.Get(McsSecureFrameDeny, "on")) == "on"
+}
+
+// If ContentTypeNosniff is true, adds the X-Content-Type-Options header with the value `nosniff`. Default is true.
+func getSecureContentTypeNonSniff() bool {
+	return strings.ToLower(env.Get(McsSecureContentTypeNoSniff, "on")) == "on"
+}
+
+// If BrowserXssFilter is true, adds the X-XSS-Protection header with the value `1; mode=block`. Default is true.
+func getSecureBrowserXssFilter() bool {
+	return strings.ToLower(env.Get(McsSecureBrowserXssFilter, "on")) == "on"
+}
+
+// ContentSecurityPolicy allows the Content-Security-Policy header value to be set with a custom value. Default is "".
+// Passing a template string will replace `$NONCE` with a dynamic nonce value of 16 bytes for each request which can be
+// later retrieved using the Nonce function.
+func getSecureContentSecurityPolicy() string {
+	return env.Get(McsSecureContentSecurityPolicy, "")
+}
+
+// ContentSecurityPolicyReportOnly allows the Content-Security-Policy-Report-Only header value to be set with a custom value. Default is "".
+func getSecureContentSecurityPolicyReportOnly() string {
+	return env.Get(McsSecureContentSecurityPolicyReportOnly, "")
+}
+
+// HostsProxyHeaders is a set of header keys that may hold a proxied hostname value for the request.
+func getSecureHostsProxyHeaders() []string {
+	allowedHosts := env.Get(McsSecureHostsProxyHeaders, "")
+	if allowedHosts != "" {
+		return strings.Split(allowedHosts, ",")
+	} else {
+		return []string{}
+	}
+}
+
+// If SSLRedirect is set to true, then only allow HTTPS requests. Default is true.
+func getSSLRedirect() bool {
+	return strings.ToLower(env.Get(McsSecureSSLRedirect, "on")) == "on"
+}
+
+// SSLHost is the host name that is used to redirect HTTP requests to HTTPS. Default is "", which indicates to use the same host.
+func getSecureSSLHost() string {
+	return env.Get(McsSecureSSLHost, fmt.Sprintf("%s:%s", TLSHostname, TLSPort))
+}
+
+// STSSeconds is the max-age of the Strict-Transport-Security header. Default is 0, which would NOT include the header.
+func getSecureSTSSeconds() int64 {
+	seconds, err := strconv.Atoi(env.Get(McsSecureSTSSeconds, "0"))
+	if err != nil {
+		seconds = 0
+	}
+	return int64(seconds)
+}
+
+// If STSIncludeSubdomains is set to true, the `includeSubdomains` will be appended to the Strict-Transport-Security header. Default is false.
+func getSecureSTSIncludeSubdomains() bool {
+	return strings.ToLower(env.Get(McsSecureSTSIncludeSubdomains, "off")) == "on"
+}
+
+// If STSPreload is set to true, the `preload` flag will be appended to the Strict-Transport-Security header. Default is false.
+func getSecureSTSPreload() bool {
+	return strings.ToLower(env.Get(McsSecureSTSPreload, "off")) == "on"
+}
+
+// If SSLTemporaryRedirect is true, the a 302 will be used while redirecting. Default is false (301).
+func getSecureSSLTemporaryRedirect() bool {
+	return strings.ToLower(env.Get(McsSecureSSLTemporaryRedirect, "off")) == "on"
+}
+
+// STS header is only included when the connection is HTTPS.
+func getSecureForceSTSHeader() bool {
+	return strings.ToLower(env.Get(McsSecureForceSTSHeader, "off")) == "on"
+}
+
+// PublicKey implements HPKP to prevent MITM attacks with forged certificates. Default is "".
+func getSecurePublicKey() string {
+	return env.Get(McsSecurePublicKey, "")
+}
+
+// ReferrerPolicy allows the Referrer-Policy header with the value to be set with a custom value. Default is "".
+func getSecureReferrerPolicy() string {
+	return env.Get(McsSecureReferrerPolicy, "")
+}
+
+// FeaturePolicy allows the Feature-Policy header with the value to be set with a custom value. Default is "".
+func getSecureFeaturePolicy() string {
+	return env.Get(McsSecureFeaturePolicy, "")
+}
+
+// FeaturePolicy allows the Feature-Policy header with the value to be set with a custom value. Default is "".
+func getSecureExpectCTHeader() string {
+	return env.Get(McsSecureExpectCTHeader, "")
+}

restapi/configure_mcs.go

@@ -35,6 +35,7 @@ import (
 	"github.com/go-openapi/errors"
 	"github.com/go-openapi/runtime"
 	"github.com/minio/mcs/restapi/operations"
+	"github.com/unrolled/secure"
 )
 
 //go:generate swagger generate server --target ../../mcs --name Mcs --spec ../swagger.yml
@@ -122,7 +123,34 @@ func setupMiddlewares(handler http.Handler) http.Handler {
 func setupGlobalMiddleware(handler http.Handler) http.Handler {
 	// serve static files
 	next := FileServerMiddleware(handler)
-	return next
+	// Secure middleware, this middleware wrap all the previous handlers and add
+	// HTTP security headers
+	secureOptions := secure.Options{
+		AllowedHosts:          getSecureAllowedHosts(),
+		AllowedHostsAreRegex:  getSecureAllowedHostsAreRegex(),
+		HostsProxyHeaders:     getSecureHostsProxyHeaders(),
+		SSLRedirect:           getSSLRedirect(),
+		SSLHost:               getSecureSSLHost(),
+		STSSeconds:            getSecureSTSSeconds(),
+		STSIncludeSubdomains:  getSecureSTSIncludeSubdomains(),
+		STSPreload:            getSecureSTSPreload(),
+		SSLTemporaryRedirect:  getSecureSSLTemporaryRedirect(),
+		SSLHostFunc:           nil,
+		ForceSTSHeader:        getSecureForceSTSHeader(),
+		FrameDeny:             getSecureFrameDeny(),
+		ContentTypeNosniff:    getSecureContentTypeNonSniff(),
+		BrowserXssFilter:      getSecureBrowserXssFilter(),
+		ContentSecurityPolicy: getSecureContentSecurityPolicy(),
+		ContentSecurityPolicyReportOnly: getSecureContentSecurityPolicyReportOnly(),
+		PublicKey:             getSecurePublicKey(),
+		ReferrerPolicy:        getSecureReferrerPolicy(),
+		FeaturePolicy:         getSecureFeaturePolicy(),
+		ExpectCTHeader:        getSecureExpectCTHeader(),
+		IsDevelopment:         !getProductionMode(),
+	}
+	secureMiddleware := secure.New(secureOptions)
+	app := secureMiddleware.Handler(next)
+	return app
 }
 
 // FileServerMiddleware serves files from the static folder

restapi/consts.go

@@ -17,8 +17,33 @@
 package restapi
 
 const (
-	Version        = `0.1.0`
-	McsAccessKey   = "MCS_ACCESS_KEY"
-	McsSecretKey   = "MCS_SECRET_KEY"
-	McsMinIOServer = "MCS_MINIO_SERVER"
+	McsVersion        = `0.1.0`
+	McsAccessKey      = "MCS_ACCESS_KEY"
+	McsSecretKey      = "MCS_SECRET_KEY"
+	McsMinIOServer    = "MCS_MINIO_SERVER"
+	McsProductionMode = "MCS_PRODUCTION_MODE"
+	McsHostname       = "MCS_HOSTNAME"
+	McsPort           = "MCS_PORT"
+	McsTLSHostname    = "MCS_TLS_HOSTNAME"
+	McsTLSPort        = "MCS_TLS_PORT"
+
+	McsSecureAllowedHosts                    = "MCS_SECURE_ALLOWED_HOSTS"
+	McsSecureAllowedHostsAreRegex            = "MCS_SECURE_ALLOWED_HOSTS_ARE_REGEX"
+	McsSecureFrameDeny                       = "MCS_SECURE_FRAME_DENY"
+	McsSecureContentTypeNoSniff              = "MCS_SECURE_CONTENT_TYPE_NO_SNIFF"
+	McsSecureBrowserXssFilter                = "MCS_SECURE_BROWSER_XSS_FILTER"
+	McsSecureContentSecurityPolicy           = "MCS_SECURE_CONTENT_SECURITY_POLICY"
+	McsSecureContentSecurityPolicyReportOnly = "MCS_SECURE_CONTENT_SECURITY_POLICY_REPORT_ONLY"
+	McsSecureHostsProxyHeaders               = "MCS_SECURE_HOSTS_PROXY_HEADERS"
+	McsSecureSTSSeconds                      = "MCS_SECURE_STS_SECONDS"
+	McsSecureSTSIncludeSubdomains            = "MCS_SECURE_STS_INCLUDE_SUB_DOMAINS"
+	McsSecureSTSPreload                      = "MCS_SECURE_STS_PRELOAD"
+	McsSecureSSLRedirect                     = "MCS_SECURE_SSL_REDIRECT"
+	McsSecureSSLHost                         = "MCS_SECURE_SSL_HOST"
+	McsSecureSSLTemporaryRedirect            = "MCS_SECURE_SSL_TEMPORARY_REDIRECT"
+	McsSecureForceSTSHeader                  = "MCS_SECURE_FORCE_STS_HEADER"
+	McsSecurePublicKey                       = "MCS_SECURE_PUBLIC_KEY"
+	McsSecureReferrerPolicy                  = "MCS_SECURE_REFERRER_POLICY"
+	McsSecureFeaturePolicy                   = "MCS_SECURE_FEATURE_POLICY"
+	McsSecureExpectCTHeader                  = "MCS_SECURE_EXPECT_CT_HEADER"
 )