How do I enable HSTS on Bamboo
Platform notice: Server and Data Center only. This article applies only to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Your organization may have a requirement for HTTP Strict Transport Security (HSTS) that needs to be implemented on Bamboo. Additional security headers are normally added by a reverse proxy, which offloads that work from the application server. If you use NGINX, refer to HTTP Strict Transport Security (HSTS) and NGINX. On Apache, you can use the mod_headers module to set response headers.
This article covers the implementation of HSTS headers directly on the Tomcat version bundled with Bamboo.
The HSTS definition should be configured at the application level, that is, in <BAMBOO-INSTALL>/atlassian-bamboo/WEB-INF/web.xml. Changes to Tomcat's default conf/web.xml may not be reflected correctly during Bamboo runtime.
On recent versions of Bamboo, the sample httpHeaderSecurity stanzas may not be present by default in the application's web.xml file. If that is the case, add the provided code as the first definition in the Filter Definitions or Filter Mappings blocks of the web.xml file, accordingly.
Solution
- Secure Bamboo using SSL. HSTS will not work on non-SSL connections, so Bamboo must be configured to listen on SSL first.
- Make a backup copy of your current web.xml in <BAMBOO-INSTALL>/atlassian-bamboo/WEB-INF/web.xml.
- Search for the following filter definition (security <filter>):

    <filter>
        <filter-name>security</filter-name>
        <filter-class>com.atlassian.seraph.filter.SecurityFilter</filter-class>
    </filter>

- Add the following httpHeaderSecurity <filter> stanza to the web.xml file immediately after the security filter:

    <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <init-param>
            <param-name>hstsEnabled</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>hstsMaxAgeSeconds</param-name>
            <param-value>31536000</param-value>
        </init-param>
        <init-param>
            <param-name>hstsIncludeSubDomains</param-name>
            <param-value>true</param-value>
        </init-param>
        <init-param>
            <param-name>antiClickJackingOption</param-name>
            <param-value>SAMEORIGIN</param-value>
        </init-param>
    </filter>

- Still in the same file, search for the following filter mapping (security <filter-mapping>):

    <filter-mapping>
        <filter-name>security</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
    </filter-mapping>

- Add the following httpHeaderSecurity <filter-mapping> stanza to the web.xml file immediately after the security filter mapping:

    <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
    </filter-mapping>

- Restart Bamboo.
Verification
To test whether the configuration change is working, look for the "Strict-Transport-Security" string in the HTTP response headers. This can be done in several ways: one is to capture the HTTP traffic in a HAR file and inspect the headers; another is to use curl. Here is an example command and response:

    $ curl -s -k -D- https://<Bamboo_URL>:<https_port> | grep -i Strict
    Strict-Transport-Security: max-age=31536000;includeSubDomains
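As an added example (not part of the original article), the following Python script validates the curl output against the values configured in the web.xml stanza: it parses the Strict-Transport-Security directives, checks max-age and includeSubDomains, and checks the X-Frame-Options header that antiClickJackingOption SAMEORIGIN produces. The header block embedded in it is a constructed sample; pipe the real `curl -s -k -D-` output into the script to check a live instance.

```python
import sys

EXPECTED_MAX_AGE = 31536000           # hstsMaxAgeSeconds in the web.xml stanza above
EXPECTED_FRAME_OPTION = "SAMEORIGIN"  # antiClickJackingOption in the same stanza

# Constructed sample of what `curl -s -k -D-` prints for a correctly configured instance.
SAMPLE_HEADERS = ("HTTP/1.1 200 \r\n"
                  "Strict-Transport-Security: max-age=31536000;includeSubDomains\r\n"
                  "X-Frame-Options: SAMEORIGIN\r\n\r\n")

def parse_headers(raw):
    """Map lower-cased header names to values; the status line and any body are ignored."""
    headers = {}
    for line in raw.replace("\r\n", "\n").split("\n\n", 1)[0].splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def parse_hsts(value):
    """Split 'max-age=31536000;includeSubDomains' into {directive: value or None}."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip() or None
    return directives

def check_headers(raw):
    """Return a list of findings; an empty list means the headers match the configuration."""
    headers, findings = parse_headers(raw), []
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing (filter inactive or request not seen as HTTPS)")
    else:
        directives = parse_hsts(hsts)
        max_age = directives.get("max-age")
        if max_age is None or not max_age.isdigit():
            findings.append("HSTS max-age missing or not numeric")
        elif int(max_age) < EXPECTED_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} is below the configured {EXPECTED_MAX_AGE}")
        if "includesubdomains" not in directives:
            findings.append("HSTS includeSubDomains directive missing")
    if headers.get("x-frame-options", "").upper() != EXPECTED_FRAME_OPTION:
        findings.append(f"X-Frame-Options is not {EXPECTED_FRAME_OPTION}")
    return findings

if __name__ == "__main__":
    # Pipe real curl output in; with no pipe, the constructed sample is checked instead.
    problems = check_headers(SAMPLE_HEADERS if sys.stdin.isatty() else sys.stdin.read())
    print("\n".join(problems) or "OK: HSTS and anti-clickjacking headers present")
    sys.exit(1 if problems else 0)
```

Tomcat's HttpHeaderSecurityFilter only adds the HSTS header to requests it sees as secure, which is why the article requires SSL on Bamboo before this step.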
If Bamboo does not start after this change, revert to the backup copy of your web.xml file, or to the original provided by the installation, as described in Cannot start Bamboo due to invalid web.xml file.