From a66f73df3c978fa0deeebdbcb6995ae132065062 Mon Sep 17 00:00:00 2001
From: Stanislav <3510971+FF7C7@users.noreply.github.com>
Date: Tue, 19 Jun 2018 23:29:53 +0300
Subject: [PATCH 1/5] hide nginx and php version

---
 Dockerfile | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 76f9df4..ad7d0c3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -75,7 +75,9 @@ RUN apt-get update \
     && rm /etc/nginx/sites-enabled/default \
     && apt-get purge -y --auto-remove $PASSBOLT_DEV_PACKAGES \
     && rm -rf /var/lib/apt/lists/* \
-    && rm /usr/local/bin/composer
+    && rm /usr/local/bin/composer \
+    && echo 'php_flag[expose_php] = off' > /usr/local/etc/php-fpm.d/expose.conf \
+    && sed -i 's/# server_tokens/server_tokens/' /etc/nginx/nginx.conf
 
 COPY conf/passbolt.conf /etc/nginx/conf.d/default.conf
 COPY conf/supervisord.conf /etc/supervisor/supervisord.conf

From 714b96939abacf5bf48d280dda990521b97e4f84 Mon Sep 17 00:00:00 2001
From: Diego Lendoiro
Date: Wed, 8 Aug 2018 10:03:42 +0200
Subject: [PATCH 2/5] added specs

---
 spec/docker_image/image_spec.rb | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/spec/docker_image/image_spec.rb b/spec/docker_image/image_spec.rb
index 175a2f1..c2a23a9 100644
--- a/spec/docker_image/image_spec.rb
+++ b/spec/docker_image/image_spec.rb
@@ -17,6 +17,7 @@ describe 'Dockerfile' do
   end
 
   let(:nginx_conf) { '/etc/nginx/nginx.conf' }
+  let(:php_conf) { '/usr/local/etc/php-fpm.d/expose.conf' }
   let(:site_conf) { '/etc/nginx/conf.d/default.conf' }
   let(:passbolt_home) { '/var/www/passbolt' }
   let(:passbolt_tmp) { '/var/www/passbolt/tmp' }
@@ -71,6 +72,16 @@ describe 'Dockerfile' do
     end
   end
 
+  describe 'php config' do
+    it 'exists' do
+      expect(file(php_conf)).to exist
+    end
+
+    it 'does not expose php version' do
+      expect(file(php_conf).content).to match '^php_flag\[expose_php\]\s+=\s+off$'
+    end
+  end
+
   describe 'nginx configuration' do
     it 'is installed correctly' do
       expect(file(nginx_conf)).to exist
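Review bot: The `sed -i 's/# server_tokens/server_tokens/' /etc/nginx/nginx.conf` on the last added line only has an effect if the packaged nginx.conf still ships a commented `# server_tokens off;` line, and `sed -i` exits 0 whether or not it matched, so a changed upstream default would silently bring version disclosure back without failing the build. Writing the directive explicitly is deterministic, e.g. `&& echo 'server_tokens off;' > /etc/nginx/conf.d/server_tokens.conf \` (the path is an example), or adding `server_tokens off;` to the conf/passbolt.conf copied two lines below. The expose.conf drop-in also declares no pool section, so `php_flag[expose_php]` lands in whichever section the previously included php-fpm.d file left open — presumably `[www]`, but `printf '[www]\nphp_flag[expose_php] = off\n' > ...` makes that explicit and independent of include order. The RUN instruction begins outside the hunk.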
@@ -93,6 +104,10 @@ describe 'Dockerfile' do
     it 'points to the correct root folder' do
       expect(file(site_conf).content).to match 'root /var/www/passbolt/webroot'
     end
+
+    it 'has server tokens off' do
+      expect(file(nginx_conf).content).to match(/^\s+server_tokens off;/)
+    end
   end
 
   describe 'ports exposed' do

From 4ed53e5f4358e65ca5339ac01f8dabc0dffed303 Mon Sep 17 00:00:00 2001
From: Diego Lendoiro
Date: Wed, 8 Aug 2018 11:36:54 +0200
Subject: [PATCH 3/5] correct regex

---
 spec/docker_image/image_spec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/spec/docker_image/image_spec.rb b/spec/docker_image/image_spec.rb
index c2a23a9..59272c6 100644
--- a/spec/docker_image/image_spec.rb
+++ b/spec/docker_image/image_spec.rb
@@ -78,7 +78,7 @@ describe 'Dockerfile' do
     end
 
     it 'does not expose php version' do
-      expect(file(php_conf).content).to match '^php_flag\[expose_php\]\s+=\s+off$'
+      expect(file(php_conf).content).to match(/^php_flag\[expose_php\]\s+=\s+off$/)
     end
   end
 

From 54f471e31bf95c9c942f22246fedebe4bd9f7de5 Mon Sep 17 00:00:00 2001
From: Diego Lendoiro
Date: Wed, 8 Aug 2018 11:37:27 +0200
Subject: [PATCH 4/5] tests for nginx and php versions

---
 spec/docker_runtime/runtime_spec.rb | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/spec/docker_runtime/runtime_spec.rb b/spec/docker_runtime/runtime_spec.rb
index 2b6d10a..fce90cb 100644
--- a/spec/docker_runtime/runtime_spec.rb
+++ b/spec/docker_runtime/runtime_spec.rb
@@ -49,7 +49,6 @@ describe 'passbolt_api service' do
   let(:passbolt_host) { @container.json['NetworkSettings']['IPAddress'] }
   let(:uri) { "/healthcheck/status.json" }
   let(:curl) { "curl -sk -o /dev/null -w '%{http_code}' -H 'Host: passbolt.local' https://#{passbolt_host}/#{uri}" }
-  let(:conf_app) { "curl -sk -o /dev/null -w '%{http_code}' -H 'Host: passbolt.local' https://#{passbolt_host}/conf/app.php" }
 
   describe 'php service' do
     it 'is running supervised' do
@@ -114,4 +113,15 @@ describe 'passbolt_api service' do
     end
   end
 
+  describe 'hide information' do
+    let(:curl) { "curl -Isk -H 'Host: passbolt.local' https://#{passbolt_host}/" }
+    it 'hides php version' do
+      expect(command("#{curl} | grep 'X-Powered-By: PHP'").stdout).to be_empty
+    end
+
+    it 'hides nginx version' do
+      expect(command("#{curl} | grep 'Server:'").stdout).to match 'Server: nginx'
+    end
+  end
+
 end

From ab5001559e6d33fbab17c1c06a98f56bccdaf153 Mon Sep 17 00:00:00 2001
From: Diego Lendoiro
Date: Wed, 8 Aug 2018 11:47:02 +0200
Subject: [PATCH 5/5] regex to check nginx does not provide version

---
 spec/docker_runtime/runtime_spec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/spec/docker_runtime/runtime_spec.rb b/spec/docker_runtime/runtime_spec.rb
index fce90cb..f0cbc77 100644
--- a/spec/docker_runtime/runtime_spec.rb
+++ b/spec/docker_runtime/runtime_spec.rb
@@ -120,7 +120,7 @@ describe 'passbolt_api service' do
     end
 
     it 'hides nginx version' do
-      expect(command("#{curl} | grep 'Server:'").stdout).to match 'Server: nginx'
+      expect(command("#{curl} | grep 'Server:'").stdout).to match /^Server: nginx$/
     end
   end
 
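Review bot: The `it 'hides php version'` example passes vacuously: `grep` prints nothing when curl returns no headers at all (unreachable container, TLS failure, wrong Host header), so a broken request is indistinguishable from a hidden version. Assert that a response was actually received before asserting the header is absent, e.g. `headers = command(curl).stdout`, `expect(headers).to match(%r{^HTTP/})`, `expect(headers).not_to match(/^X-Powered-By/i)`; the case-insensitive match also covers a differently-cased header name, which the exact-case `grep 'X-Powered-By: PHP'` would miss. Reusing the name `curl` for the HEAD request shadows the `let(:curl)` defined at the top of this describe block (visible in the previous hunk), which yields a status code rather than headers; a distinct name such as `head_request` would make the intent clearer. The enclosing `describe 'passbolt_api service'` block starts outside the hunk.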
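Review bot: `/^Server: nginx$/` on the added line is likely to fail against real output: `curl -I` normally prints response headers with their CRLF terminators and `grep` passes them through, and Ruby's `$` only matches before `\n`, so `Server: nginx\r` does not satisfy the anchor and the example would report the version as exposed even when `server_tokens off` is in effect. Allowing an optional carriage return keeps the check strict, `expect(command("#{curl} | grep 'Server:'").stdout).to match(/^Server: nginx\r?$/)`, which still rejects a `Server: nginx/<version>` line. Wrapping the regexp argument in parentheses also avoids the ambiguous `match /.../` parse that Ruby warns about. The `describe 'hide information'` block starts outside the hunk.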