...

  • Check your JobScheduler release to identify the Jetty version used:
    • Releases since 1.12.7 make use of Jetty 9.4.x due to vulnerability issues in previous Jetty releases:
      Jira issue: JOC-521 (SOS JIRA)
    • Should you operate a JobScheduler release earlier than 1.12.7, please get in contact, as this suggests updating to a later 1.12 LTS release or to a newer JobScheduler branch. Do not use the instructions below: they do not apply to earlier Jetty releases, and the Jetty vulnerability issues should concern you more than the use of security-related headers.
  • Open the file $JETTY_BASE/start.ini
    • Find the file start.ini
      • for Linux e.g. from /home/[user]/sos-berlin.com/joc
      • for Windows e.g. from C:\ProgramData\sos-berlin.com\joc
    • Add to this file the line (Changes to start.ini):

          --module=rewrite

  • Open the file $JETTY_HOME/etc/jetty-rewrite.xml
    • Find a full sample of this file: jetty-rewrite.xml
    • Find the file jetty-rewrite.xml
      • for Linux e.g. from /opt/sos-berlin.com/joc/jetty/etc
      • for Windows e.g. from C:\Program Files\sos-berlin.com\joc\jetty\etc
    • Add to this file the lines (Changes to jetty-rewrite.xml):

          <!-- see rewrite-compactpath.xml for example how to add a rule -->

          <!-- Add security related headers for use with JOC Cockpit -->
          <!-- Each HeaderPatternRule sets one response header on every request path matched by "pattern" -->

          <!-- Legacy reflected-XSS filter of older browsers; current browsers ignore it, so it does no harm -->
          <Call name="addRule">
              <Arg>
                  <New id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
                      <Set name="pattern">*</Set>
                      <Set name="name">X-XSS-Protection</Set>
                      <Set name="value">1; mode=block</Set>
                  </New>
              </Arg>
          </Call>

          <!-- Stop browsers from MIME-sniffing a response away from its declared Content-Type -->
          <Call name="addRule">
              <Arg>
                  <New id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
                      <Set name="pattern">*</Set>
                      <Set name="name">X-Content-Type-Options</Set>
                      <Set name="value">nosniff</Set>
                  </New>
              </Arg>
          </Call>

          <!-- Content-Security-Policy: script-src and style-src as configured for JOC Cockpit; -->
          <!-- frame-ancestors 'self' is the CSP counterpart of the X-Frame-Options rule below -->
          <Call name="addRule">
              <Arg>
                  <New id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
                      <Set name="pattern">*</Set>
                      <Set name="name">Content-Security-Policy</Set>
                      <Set name="value">script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'</Set>
                  </New>
              </Arg>
          </Call>

          <!-- Clickjacking protection for browsers without frame-ancestors support -->
          <Call name="addRule">
              <Arg>
                  <New id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
                      <Set name="pattern">*</Set>
                      <Set name="name">X-Frame-Options</Set>
                      <Set name="value">sameorigin</Set>
                  </New>
              </Arg>
          </Call>

          <!-- HSTS: browsers remember to use HTTPS for one year (31536000 s); only effective when JOC Cockpit is served over HTTPS -->
          <Call name="addRule">
              <Arg>
                  <New id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
                      <Set name="pattern">*</Set>
                      <Set name="name">Strict-Transport-Security</Set>
                      <Set name="value">max-age=31536000;includeSubDomains</Set>
                  </New>
              </Arg>
          </Call>

          <!-- Permissions-Policy directives are comma-separated (a stray ';' after gyroscope has been corrected); -->
          <!-- the standard notation for an empty allowlist is () -->
          <Call name="addRule">
              <Arg>
                  <New id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
                      <Set name="pattern">*</Set>
                      <Set name="name">Permissions-Policy</Set>
                      <Set name="value">accelerometer=(none), ambient-light-sensor=(none), animations=(none), autoplay=(none), camera=(none), cookie=(none), document-stream-insertion=(none), domain=(none), encrypted-media=(none), fullscreen=(none), geolocation=(none), gyroscope=(none), image-compression=(none), legacy-image-formats=(none), magnetometer=(none), max-downscaling-image=(none), microphone=(none), midi=(none), payment=(none), picture-in-picture=(none), speaker=(none), sync-script=(none), sync-xhr=(none), unsized-media=(none), usb=(none), vertical-scroll=(none), vr=(none)</Set>
                  </New>
              </Arg>
          </Call>

          <!-- Send the full URL as referrer only to the same origin; cross-origin requests get the origin only, and only over HTTPS -->
          <Call name="addRule">
              <Arg>
                  <New id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
                      <Set name="pattern">*</Set>
                      <Set name="name">Referrer-Policy</Set>
                      <Set name="value">strict-origin-when-cross-origin</Set>
                  </New>
              </Arg>
          </Call>
      • In the jetty-rewrite.xml file insert the above XML elements within the element hierarchy like this:

            <Call name="insertHandler">
                <Arg>
                    <New class="org.eclipse.jetty.rewrite.handler.RewriteHandler">
                        <Call name="addRule">
                            ...
                        </Call>
                    </New>
                </Arg>
            </Call>
  • Restart JOC Cockpit.
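  • To confirm after the restart that the rewrite rules are active, the following added example (not SOS code) parses a saved HTTP response head and reports each header from the configuration above that is missing or malformed; the host, port and sample response are constructed placeholders.

```python
# Added example (not part of the SOS documentation): verify that a JOC Cockpit
# response carries the headers configured in jetty-rewrite.xml. Feed it a saved
# response head (e.g. from `curl -sI https://<joc-host>:<port>/joc/`, host and
# port being placeholders) or the constructed sample below.
import re

# Expected values; CSP and HSTS are matched loosely because sites tune them, and
# Permissions-Policy must not contain ';' (its directives are comma-separated).
EXPECTED = {
    "x-xss-protection": re.compile(r"^1;\s*mode=block$", re.I),
    "x-content-type-options": re.compile(r"^nosniff$", re.I),
    "content-security-policy": re.compile(r"frame-ancestors\s+'self'", re.I),
    "x-frame-options": re.compile(r"^(sameorigin|deny)$", re.I),
    "strict-transport-security": re.compile(r"max-age=\d+", re.I),
    "permissions-policy": re.compile(r"^[^;]+$"),
    "referrer-policy": re.compile(r"^strict-origin-when-cross-origin$", re.I),
}

def parse_head(raw: str) -> dict:
    """Parse a raw HTTP response head into a dict keyed by lowercase header name."""
    headers = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:                    # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def check_headers(headers: dict) -> list:
    """Return findings; an empty list means every configured header is present."""
    findings = []
    for name, pattern in EXPECTED.items():
        value = headers.get(name)
        if value is None:
            findings.append(f"missing: {name}")
        elif not pattern.search(value):
            findings.append(f"unexpected value: {name}: {value}")
    m = re.search(r"max-age=(\d+)", headers.get("strict-transport-security", ""), re.I)
    if m and int(m.group(1)) < 31536000:  # one year, as configured on this page
        findings.append(f"hsts max-age below one year: {m.group(0)}")
    return findings

# Constructed sample: Referrer-Policy missing and the ';' typo in Permissions-Policy
SAMPLE = ("HTTP/1.1 200 OK\r\n"
          "X-XSS-Protection: 1; mode=block\r\n"
          "X-Content-Type-Options: nosniff\r\n"
          "Content-Security-Policy: script-src 'self'; frame-ancestors 'self'\r\n"
          "X-Frame-Options: sameorigin\r\n"
          "Strict-Transport-Security: max-age=31536000;includeSubDomains\r\n"
          "Permissions-Policy: camera=(none); microphone=(none)\r\n\r\n")
```

    Calling check_headers(parse_head(SAMPLE)) yields two findings for the constructed sample; pass the saved curl output instead to check a running JOC Cockpit.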

...