I have foreman running under apache/passenger. I upgraded from 1.6.3 to 1.7.2 this week…
On this apache, I created a vhost on port 80 to serve yum mirrors via http.
I have this in /etc/httpd/conf.d/05-foreman.d/repositories.conf :
PassengerMaxPoolSize 12
#PassengerPoolIdleTime 3600
Alias /repositories "/data/repositories"
<Directory "/data/repositories">
PassengerEnabled off
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
Unfortunately, I discovered with latest 1.7 release that there is a call to a ruby gem called ruby193-rubygem-secure_headers, that will automatically enable HSTS.
This is fine if I access the foreman web interface, but once I do that, I can't access my http vhost hosting the repositories anymore, it's redirecting me to the https version of the site, that is running under passenger/foreman and that is empty…
Hence, I'm wondering if there's a way to disable HSTS on this specific setup, and preferably without touching the foreman code?
I've read in the doc this could be achieved by changing something in the ruby code (http://www.rubydoc.info/gems/secure_headers/1.3.4/frames) and I think this would be in /usr/share/foreman/app/controllers/application_controller.rb, but I'd prefer not changing the vhost or some foreman parameters…
You can configure the secure headers options in
/usr/share/foreman/config/initializers/secure_headers.rb , in
particular you probably want to change
config.hsts[:include_subdomains] to false. After that just restart the
foreman or httpd services and you should be good to go. I will open a
ticket to add docs for this, as it's not easily configurable.
On Fri, Feb 20, 2015 at 12:11 PM, SCHAER Frederic wrote:
> Hi,
>
> I have foreman running under apache/passenger. I upgraded from 1.6.3 to
> 1.7.2 this week…
>
> On this apache, I created a vhost on port 80 to serve yum mirrors via http.
>
> I have this in /etc/httpd/conf.d/05-foreman.d/repositories.conf :
>
> PassengerMaxPoolSize 12
> #PassengerPoolIdleTime 3600
> # PassengerMaxRequests 1000
> PassengerStatThrottleRate 120
> PassengerMinInstances 6
> PassengerPreStart http://xyz/
> PassengerPreStart https://xyz/
>
> Alias /repositories "/data/repositories"
>
> PassengerEnabled off
> Options Indexes FollowSymLinks
> AllowOverride None
> Order allow,deny
> Allow from all
>
> Unfortunately, I discovered with latest 1.7 release that there is a call to
> a ruby gem called ruby193-rubygem-secure_headers, that will automatically
> enable HSTS.
>
> This is fine if I access the foreman web interface, but once I do that, I
> can't access my http vhost hosting the repositories anymore, it's
> redirecting me to the https version of the site, that is running under
> passenger/foreman and that is empty…
>
> Hence, I'm wondering if there's a way to disable HSTS on this specific
> setup, and preferably without touching the foreman code?
>
> I've read in the doc this could be achieved by changing something in the
> ruby code (http://www.rubydoc.info/gems/secure_headers/1.3.4/frames) and I
> think this would be in
> /usr/share/foreman/app/controllers/application_controller.rb, but I'd
> prefer not changing the vhost or some foreman parameters…
>
> Any idea?
>
> Thanks
Thanks, this seems to work - it's not really easy to manage with puppet though.
I also created another vhost with another servername to see if this would impact that other vhost, but actually I can't seem to be able to re-enable hsts on foreman even after reverting the change in the config and restarting apache… ?
I even try to clean again my browser cache, accessing the https url and the http one afterwards: no hsts anymore…
Is there a cache somewhere for the ruby applications (on the server side)?
Regards
-----Original Message-----
From: foreman-users@googlegroups.com [mailto:foreman-users@googlegroups.com] On behalf of Daniel Lobato
Sent: Saturday, 21 February 2015 16:17
To: foreman-users@googlegroups.com
Subject: Re: [foreman-users] foreman 1.7.2 : disable "secure headers" hsts ?
Hi Frederic,
You can configure the secure headers options in
/usr/share/foreman/config/initializers/secure_headers.rb , in
particular you probably want to change
config.hsts[:include_subdomains] to false. After that just restart the
foreman or httpd services and you should be good to go. I will open a
ticket to add docs for this, as it’s not easily configurable.
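The behaviour discussed in this thread, as an added example that is neither Foreman's nor the secure_headers gem's code: a small Ruby model of how a browser records and applies an HSTS policy, showing that the policy is keyed on hostname alone (so an HTTP vhost on the same name is upgraded whatever port it listens on), what config.hsts[:include_subdomains] changes for other vhosts, and that the policy is kept by the browser until max-age expires or a max-age=0 header replaces it, not in any server-side cache. Hostnames and max-age values are constructed.

```ruby
require 'uri'
# Build the Strict-Transport-Security value from a secure_headers 1.x style
# hash, e.g. {:max_age => 631138519, :include_subdomains => true}.
def hsts_header(hsts)
  value = "max-age=#{hsts[:max_age]}"
  value << '; includeSubDomains' if hsts[:include_subdomains]
  value
end

# Parse a received Strict-Transport-Security header into a policy hash.
def parse_hsts(header)
  max_age = nil
  include_subdomains = false
  header.split(';').each do |directive|
    name, value = directive.strip.split('=', 2)
    next unless name
    case name.downcase
    when 'max-age' then max_age = value.to_i if value.to_s =~ /\A\d+\z/
    when 'includesubdomains' then include_subdomains = true
    end
  end
  max_age && { max_age: max_age, include_subdomains: include_subdomains }
end

# The browser's "known HSTS hosts" list: hostname => policy with an expiry.
# Entries are keyed by hostname only; the port is never part of the key.
class HstsStore
  def initialize; @hosts = {}; end

  # Record a policy received over HTTPS from +host+; max-age=0 forgets it.
  def observe(host, header, now = Time.now)
    policy = parse_hsts(header) or return
    if policy[:max_age].zero?
      @hosts.delete(host.downcase)
    else
      @hosts[host.downcase] = policy.merge(expires: now + policy[:max_age])
    end
  end

  # Would the browser rewrite this http:// URL to https:// before sending it?
  # Exact host match always upgrades; a subdomain only with includeSubDomains.
  def upgrade?(url, now = Time.now)
    uri = URI(url)
    return false unless uri.scheme == 'http'
    host = uri.host.downcase
    @hosts.any? do |known, policy|
      next false if policy[:expires] <= now
      host == known || (policy[:include_subdomains] && host.end_with?(".#{known}"))
    end
  end
end
```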