feat(sécurité): améliore la sécurité de l’application (#911)

docker-compose.yml

@@ -114,6 +114,7 @@ services:
       OAUTH2_PROXY_SKIP_AUTH_STRIP_HEADERS: false
       # l’access token de keycloak a une durée de vie de 5min
       OAUTH2_PROXY_COOKIE_REFRESH: 4m
+      OAUTH2_PROXY_COOKIE_SAMESITE: strict
       # l'url de logout de keycloak, utilisé par utilisateur.vue pour se déconnect de oauth2_proxy ET keycloak
       OAUTH2_PROXY_WHITELIST_DOMAINS: ${KEYCLOAK_HOST},${OAUTH_HOST}
       OAUTH2_PROXY_PASS_AUTHORIZATION_HEADER: true

infra/roles/nginx/files/docker-compose.yml

@@ -3,7 +3,7 @@ version: '3'
 services:
 
   nginx-proxy:
-    image: nginxproxy/nginx-proxy:1.3.1
+    image: nginxproxy/nginx-proxy:1.4.0
     container_name: nginx-proxy
     restart: unless-stopped
     logging:
@@ -21,7 +21,7 @@ services:
       - /var/run/docker.sock:/tmp/docker.sock:ro
 
   nginx-proxy-acme:
-    image: nginxproxy/acme-companion:2.2.8
+    image: nginxproxy/acme-companion:2.2.10
     container_name: nginx-proxy-acme
     restart: unless-stopped
     volumes_from:

infra/roles/nginx/files/proxy.conf

 client_max_body_size 30m;
-gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
 # HTTP 1.1 support
 proxy_http_version 1.1;
 proxy_buffering on;
@@ -17,4 +16,5 @@ proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
 
 # Mitigate httpoxy attack (see README for details)
 proxy_set_header Proxy "";
+server_tokens off;
 

infra/roles/user/files/ssh_hardening.conf

+# Restrict key exchange, cipher, and MAC algorithms, as per sshaudit.com
+# hardening guide.
+KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,gss-curve25519-sha256-,diffie-hellman-group16-sha512,gss-group16-sha512-,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
+
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+
+MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com
+
+HostKeyAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
+
+RequiredRSASize 3072
+
+CASignatureAlgorithms sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256
+
+GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-group16-sha512-
+
+HostbasedAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256
+
+PubkeyAcceptedAlgorithms sk-ssh-ed25519-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com,ssh-ed25519,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-256

infra/roles/user/tasks/main.yml

@@ -42,10 +42,25 @@
   become: True
 - name: Configure le serveur ssh
   block:
+    - name: Copie la configuration extra de ssh
+      ansible.builtin.copy:
+        src: ssh_hardening.conf
+        dest: /etc/ssh/sshd_config_extra_ssh_hardening.conf
+        owner: root
+        group: root
+        mode: u=rw,g=r,o=r
+      become: True
+      notify: Restart SSH
+    - name: Charge la configuration ssh_hardening
+      ansible.builtin.lineinfile:
+        path: /etc/ssh/sshd_config
+        line: 'Include /etc/ssh/sshd_config_extra_ssh_hardening.conf'
+      become: True
+      notify: Restart SSH
     - name: Empêche ssh de charger des configurations dans des sous-fichiers
       ansible.builtin.lineinfile:
         path: /etc/ssh/sshd_config
-        regexp: '^Include '
+        search_string: 'Include /etc/ssh/sshd_config.d/*.conf'
         line: '#Include /etc/ssh/sshd_config.d/*.conf'
       become: True
       notify: Restart SSH