Age | Commit message | Author | Files | Lines |
|
This changes the nginx configuration so the HTTP response headers
for the phosphor-webui web application will allow wss (secure
WebSocket) connections back to the host. This is needed for the
Serial Over Lan (SOL) function.
A recent fix used Content-Security-Policy default-src 'self'
which unfortunately does not allow wss connections. For
details see https://github.com/openbmc/openbmc/issues/3409
Tested: The web app SOL function works
Resolves: openbmc/openbmc#3409
(From meta-ibm rev: ba115c67c50b8e9691bbdbc4132dfef563c327c0)
Change-Id: Ic46693c1c17ce83f422bc388ef1338894eeadb4d
Signed-off-by: Joseph Reynolds <jrey@us.ibm.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
|
|
The nginx service would generate a self-certificate upon restart (if
there's not already an existing certificate), but not upon reload.
Enable this for reload as well: the phosphor certificate management app
requires services that want to generate self-signed certificates to do
it upon reload (if reload is supported).
(From meta-ibm rev: bbcf9e563c1a1215434c89fc1cc626a7b3d7fdb6)
Change-Id: Ib3625f256fbae1721e4a9f8ac318287a2b6c03fd
Signed-off-by: Deepak Kodihalli <dkodihal@in.ibm.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
|
|
Nginx now adds security-related headers to HTTP responses per
https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
and consistent with openbmc/bmcweb (see header file
include/security_headers_middleware.hpp).
Tested:
  curl -D headers http://${bmc}
    redirects to https
    No security headers apply, and none are sent
  curl https://${bmc}
    contains security headers and works properly
  curl https://${bmc}/xyz/openbmc_project/software
    contains Strict-Transport-Security header, and works
  curl ... -X POST -T ${image} https://${bmc}/upload/image"
    works
  firefox http redirects to https
  firefox https://${bmc}/ logs in and works
Resolves openbmc/openbmc#3195
(From meta-ibm rev: 8202b2639cba28a71640db48e38f6b7f1d3eaed0)
Change-Id: Ie20169abbca02471fa5dc89bebba8a6cdf722cd6
Signed-off-by: Joseph Reynolds <jrey@us.ibm.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
|
|
When we use the webui/rest from the remote host, we connect to the nginx
and the system log at the BMC always contains `127.0.0.1` as the remote
address in the corresponding records.
This commit resolves it.
Tested:
- Login to the WebUI
- `journalctl` should contain a record like:
```
Sep 12 11:11:33 phosphor-gevent[1374]: YOUR-IP-ADDRESS user:root
POST http://127.0.0.1:8081/login json:None 200 OK
```
(From meta-ibm rev: 77722e5c97faf43c6f41b52bfcadc140273eab5c)
Change-Id: Ib9a5bdaec5c5f07eceb0ba2b0ee4d572a85e889d
Signed-off-by: Alexander Filippov <a.filippov@yadro.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
|
|
The new subtree model brings the subtrees up from the openbmc-machines
layer.
Change-Id: I58a03ae1be374bc79ae1438e65e888375d12d0c0
Signed-off-by: Dave Cobbley <david.j.cobbley@linux.intel.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
|