From f8cb527f788ab8ed2a8304c9b9aae880126b6576 Mon Sep 17 00:00:00 2001
From: Jeffrey Zhang <zhang.lei.fly@gmail.com>
Date: Wed, 14 Mar 2018 16:57:30 +0800
Subject: [PATCH] Security reinforce for apache server

Disable ServerSignature and hide Apache-related information.

Change-Id: I9188ddb85988539087c922117bb9f53454b7507c
---
 ansible/roles/aodh/templates/wsgi-aodh.conf.j2             | 2 ++
 ansible/roles/cinder/templates/cinder-wsgi.conf.j2         | 2 ++
 ansible/roles/cloudkitty/templates/wsgi-cloudkitty.conf.j2 | 2 ++
 ansible/roles/freezer/templates/wsgi-freezer-api.conf.j2   | 2 ++
 ansible/roles/gnocchi/templates/wsgi-gnocchi.conf.j2       | 2 ++
 ansible/roles/horizon/templates/horizon.conf.j2            | 2 ++
 ansible/roles/keystone/templates/wsgi-keystone.conf.j2     | 2 ++
 ansible/roles/nova/templates/placement-api-wsgi.conf.j2    | 2 ++
 ansible/roles/panko/templates/wsgi-panko.conf.j2           | 2 ++
 ansible/roles/vitrage/templates/wsgi-vitrage.conf.j2       | 4 ++++
 ansible/roles/zun/templates/wsgi-zun.conf.j2               | 2 ++
 11 files changed, 24 insertions(+)

diff --git a/ansible/roles/aodh/templates/wsgi-aodh.conf.j2 b/ansible/roles/aodh/templates/wsgi-aodh.conf.j2
index 33294f3a8a..d9f408099e 100644
--- a/ansible/roles/aodh/templates/wsgi-aodh.conf.j2
+++ b/ansible/roles/aodh/templates/wsgi-aodh.conf.j2
@@ -1,6 +1,8 @@
 {% set python_path = '/usr/lib/python2.7/site-packages' if kolla_install_type == 'binary' else '/var/lib/kolla/venv/lib/python2.7/site-packages' %}
 Listen {{ api_interface_address }}:{{ aodh_api_port }}
 
+ServerSignature Off
+ServerTokens Prod
 TraceEnable off
 
 <VirtualHost *:{{ aodh_api_port }}>
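Review bot: The added `ServerSignature Off` / `ServerTokens Prod` pair carries no comment, and the identical pair recurs in the cinder, cloudkitty, freezer, gnocchi, horizon, keystone, placement, panko, vitrage and zun hunks, so any later hardening change has to be repeated in eleven templates. A comment above the pair would record the intent and the placement constraint, e.g. `# Hardening: drop version/OS details from the Server header and Apache-generated error pages; ServerTokens is server-wide, keep it outside <VirtualHost>`. `ServerTokens Prod` still sends `Server: Apache`, so this trims fingerprinting detail only and does not replace keeping httpd patched. If the roles can share a template fragment, moving these lines together with `TraceEnable off` into it would stop the per-service copies from drifting; the `<VirtualHost>` block that opens on the last line continues outside the hunk.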
diff --git a/ansible/roles/cinder/templates/cinder-wsgi.conf.j2 b/ansible/roles/cinder/templates/cinder-wsgi.conf.j2
index 1935bdcb79..994cf436fb 100644
--- a/ansible/roles/cinder/templates/cinder-wsgi.conf.j2
+++ b/ansible/roles/cinder/templates/cinder-wsgi.conf.j2
@@ -1,6 +1,8 @@
 {% set python_path = '/usr/lib/python2.7/site-packages' if kolla_install_type == 'binary' else '/var/lib/kolla/venv/lib/python2.7/site-packages' %}
 Listen {{ api_interface_address }}:{{ cinder_api_port }}
 
+ServerSignature Off
+ServerTokens Prod
 TraceEnable off
 
 <VirtualHost *:{{ cinder_api_port }}>
diff --git a/ansible/roles/cloudkitty/templates/wsgi-cloudkitty.conf.j2 b/ansible/roles/cloudkitty/templates/wsgi-cloudkitty.conf.j2
index c6926a303d..4018efe447 100644
--- a/ansible/roles/cloudkitty/templates/wsgi-cloudkitty.conf.j2
+++ b/ansible/roles/cloudkitty/templates/wsgi-cloudkitty.conf.j2
@@ -1,6 +1,8 @@
 {% set python_path = '/usr/lib/python2.7/site-packages' if kolla_install_type == 'binary' else '/var/lib/kolla/venv/lib/python2.7/site-packages' %}
 Listen {{ api_interface_address }}:{{ cloudkitty_api_port }}
 
+ServerSignature Off
+ServerTokens Prod
 TraceEnable off
 
 <VirtualHost *:{{ cloudkitty_api_port }}>
diff --git a/ansible/roles/freezer/templates/wsgi-freezer-api.conf.j2 b/ansible/roles/freezer/templates/wsgi-freezer-api.conf.j2
index ffbcb73875..2d3e3aa6d0 100644
--- a/ansible/roles/freezer/templates/wsgi-freezer-api.conf.j2
+++ b/ansible/roles/freezer/templates/wsgi-freezer-api.conf.j2
@@ -2,6 +2,8 @@
 {% set python_path = '/usr/lib/python2.7/site-packages' if kolla_install_type == 'binary' else '/var/lib/kolla/venv/lib/python2.7/site-packages' %}
 Listen {{ api_interface_address }}:{{ freezer_api_port }}
 
+ServerSignature Off
+ServerTokens Prod
 TraceEnable off
 
 <VirtualHost *:{{ freezer_api_port }}>
diff --git a/ansible/roles/gnocchi/templates/wsgi-gnocchi.conf.j2 b/ansible/roles/gnocchi/templates/wsgi-gnocchi.conf.j2
index b518197f43..516bbda245 100644
--- a/ansible/roles/gnocchi/templates/wsgi-gnocchi.conf.j2
+++ b/ansible/roles/gnocchi/templates/wsgi-gnocchi.conf.j2
@@ -2,6 +2,8 @@
 {% set wsgi_path = '/usr/bin' if kolla_install_type == 'binary' else '/var/lib/kolla/venv/bin' %}
 Listen {{ api_interface_address }}:{{ gnocchi_api_port }}
 
+ServerSignature Off
+ServerTokens Prod
 TraceEnable off
 
 <VirtualHost *:{{ gnocchi_api_port }}>
diff --git a/ansible/roles/horizon/templates/horizon.conf.j2 b/ansible/roles/horizon/templates/horizon.conf.j2
index d51b8db742..c93fb8de39 100644
--- a/ansible/roles/horizon/templates/horizon.conf.j2
+++ b/ansible/roles/horizon/templates/horizon.conf.j2
@@ -1,6 +1,8 @@
 {% set python_path = '/usr/share/openstack-dashboard' if kolla_install_type == 'binary' else '/var/lib/kolla/venv/lib/python2.7/site-packages' %}
 Listen {{ api_interface_address }}:{{ horizon_port }}
 
+ServerSignature Off
+ServerTokens Prod
 TraceEnable off
 
 <VirtualHost *:{{ horizon_port }}>
diff --git a/ansible/roles/keystone/templates/wsgi-keystone.conf.j2 b/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
index 83b297a6ad..e8abe072a1 100644
--- a/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
+++ b/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
@@ -3,6 +3,8 @@
 Listen {{ api_interface_address }}:{{ keystone_public_port }}
 Listen {{ api_interface_address }}:{{ keystone_admin_port }}
 
+ServerSignature Off
+ServerTokens Prod
 TraceEnable off
 
 <VirtualHost *:{{ keystone_public_port }}>
diff --git a/ansible/roles/nova/templates/placement-api-wsgi.conf.j2 b/ansible/roles/nova/templates/placement-api-wsgi.conf.j2
index 8659842cb5..d4fd8e7f45 100644
--- a/ansible/roles/nova/templates/placement-api-wsgi.conf.j2
+++ b/ansible/roles/nova/templates/placement-api-wsgi.conf.j2
@@ -3,6 +3,8 @@
 {% set wsgi_directory = '/usr/bin' if kolla_install_type == 'binary' else '/var/lib/kolla/venv/bin' %}
 Listen {{ api_interface_address }}:{{ placement_api_port }}
 
+ServerSignature Off
+ServerTokens Prod
 TraceEnable off
 
 <VirtualHost *:{{ placement_api_port }}>
diff --git a/ansible/roles/panko/templates/wsgi-panko.conf.j2 b/ansible/roles/panko/templates/wsgi-panko.conf.j2
index 402e216d5f..8216b492af 100644
--- a/ansible/roles/panko/templates/wsgi-panko.conf.j2
+++ b/ansible/roles/panko/templates/wsgi-panko.conf.j2
@@ -1,6 +1,8 @@
 {% set python_path = '/usr/lib/python2.7/site-packages' if kolla_install_type == 'binary' else '/var/lib/kolla/venv/lib/python2.7/site-packages' %}
 Listen {{ api_interface_address }}:{{ panko_api_port }}
 
+ServerSignature Off
+ServerTokens Prod
 TraceEnable off
 
 <VirtualHost *:{{ panko_api_port }}>
diff --git a/ansible/roles/vitrage/templates/wsgi-vitrage.conf.j2 b/ansible/roles/vitrage/templates/wsgi-vitrage.conf.j2
index 280ce5fdb2..0314c0cebc 100644
--- a/ansible/roles/vitrage/templates/wsgi-vitrage.conf.j2
+++ b/ansible/roles/vitrage/templates/wsgi-vitrage.conf.j2
@@ -1,6 +1,10 @@
 {% set python_path = '/usr/lib/python2.7/site-packages' if kolla_install_type == 'binary' else '/var/lib/kolla/venv/lib/python2.7/site-packages' %}
 Listen {{ hostvars[inventory_hostname]['ansible_' + api_interface]['ipv4']['address'] }}:{{ vitrage_api_port }}
 
+ServerSignature Off
+ServerTokens Prod
+TraceEnable off
+
 <VirtualHost *:{{ vitrage_api_port }}>
 
   ## Vhost docroot
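Review bot: This hunk also adds `TraceEnable off`, which the commit message does not mention and which the other ten templates already had as a context line, so vitrage was apparently serving without it until now. Disabling HTTP TRACE is a behaviour change for this service and is worth naming in the description, for example `Also disable TRACE for vitrage, matching the other WSGI templates`. A one-line comment such as `# TRACE disabled to match the other API vhosts` above the directive would make the reason visible in the template itself.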
diff --git a/ansible/roles/zun/templates/wsgi-zun.conf.j2 b/ansible/roles/zun/templates/wsgi-zun.conf.j2
index c4f2753cbd..b4725120b9 100644
--- a/ansible/roles/zun/templates/wsgi-zun.conf.j2
+++ b/ansible/roles/zun/templates/wsgi-zun.conf.j2
@@ -1,6 +1,8 @@
 {% set python_path = '/usr/lib/python2.7/site-packages' if kolla_install_type == 'binary' else '/var/lib/kolla/venv/lib/python2.7/site-packages' %}
 Listen {{ api_interface_address }}:{{ zun_api_port }}
 
+ServerSignature Off
+ServerTokens Prod
 TraceEnable off
 
 <VirtualHost *:{{ zun_api_port }}>