How do I enable HSTS on Bamboo


Platform notice: Server and Data Center only. This article applies only to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Excluding Fisheye and Crucible

Summary

Your organization may require HTTP Strict Transport Security (HSTS) to be implemented on Bamboo. Additional security headers are normally added by a reverse proxy, which offloads that work from the application server. If you use NGINX, refer to HTTP Strict Transport Security (HSTS) and NGINX. On Apache, you may use the mod_headers module to set response headers.

This article covers the implementation of HSTS headers directly on the Tomcat version bundled with Bamboo.

The HSTS definition should be configured at the application level, i.e. in <BAMBOO-INSTALL>/atlassian-bamboo/WEB-INF/web.xml.

Changes to Tomcat's default conf/web.xml may not be reflected correctly during Bamboo runtime.

On recent versions of Bamboo, the httpHeaderSecurity sample stanzas may not be present by default in the application's web.xml file. If that is the case, add the code provided below as the first definition of the Filter Definitions or Filter Mappings block in web.xml, as appropriate.

Solution

  1. Secure Bamboo using SSL. HSTS does not work on non-SSL connections, so Bamboo must be configured to listen on SSL.
  2. Make a backup copy of your current web.xml in <BAMBOO-INSTALL>/atlassian-bamboo/WEB-INF/web.xml
  3. Search for the following filter definition:

    security <filter>
      <filter>
        <filter-name>security</filter-name>
        <filter-class>com.atlassian.seraph.filter.SecurityFilter</filter-class>
      </filter>
  4. Add the following httpHeaderSecurity <filter> stanza to the web.xml file immediately after the security filter:

    httpHeaderSecurity <filter>
      <filter>
        <filter-name>httpHeaderSecurity</filter-name>
        <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
        <async-supported>true</async-supported>
        <init-param>
          <param-name>hstsEnabled</param-name>
          <param-value>true</param-value>
        </init-param>
        <init-param>
          <param-name>hstsMaxAgeSeconds</param-name>
          <param-value>31536000</param-value>
        </init-param>
        <init-param>
          <param-name>hstsIncludeSubDomains</param-name>
          <param-value>true</param-value>
        </init-param>
        <init-param>
          <param-name>antiClickJackingOption</param-name>
          <param-value>SAMEORIGIN</param-value>
        </init-param>
      </filter>
  5. Still in the same file, search for the following filter mapping:

    security <filter-mapping>
      <filter-mapping>
        <filter-name>security</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
      </filter-mapping>
  6. Add the following httpHeaderSecurity <filter-mapping> stanza to the web.xml file immediately after the security filter mapping:

    httpHeaderSecurity <filter-mapping>
      <filter-mapping>
        <filter-name>httpHeaderSecurity</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>FORWARD</dispatcher>
      </filter-mapping>
  7. Restart Bamboo

Verification

To test whether the configuration change is working, look for the "Strict-Transport-Security" string in the HTTP response headers. This can be done in several ways. One way is to capture the HTTP traffic in a HAR file and look for it in the headers. Another way is to use curl. Here is an example command and response:

$ curl -s -k -D- https://<Bamboo_URL>:<https_port> | grep -i Strict
Strict-Transport-Security: max-age=31536000;includeSubDomains

If Bamboo does not start after this change, revert to the backup copy of your web.xml file, or to the original provided by the installation as described in Cannot start Bamboo due to invalid web.xml file.

Last updated: October 13, 2022
