Foreman 1.7.2 : disable "secure headers" hsts?

Hi,

I have foreman running under apache/passenger. I upgraded from 1.6.3 to 1.7.2 this week…
On this apache, I created a vhost on port 80 to serve yum mirrors via http.

I have this in /etc/httpd/conf.d/05-foreman.d/repositories.conf:
PassengerMaxPoolSize 12
#PassengerPoolIdleTime 3600

PassengerMaxRequests 1000

PassengerStatThrottleRate 120
PassengerMinInstances 6
PassengerPreStart http://xyz/
PassengerPreStart https://xyz/

Alias /repositories "/data/repositories"
<Directory "/data/repositories">
PassengerEnabled off
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>

Unfortunately, I discovered with the latest 1.7 release that there is a call to a ruby gem called ruby193-rubygem-secure_headers, which automatically enables HSTS.
This is fine if I access the foreman web interface, but once I do that, I can't access my http vhost hosting the repositories anymore: it redirects me to the https version of the site, which is running under passenger/foreman and which is empty…

Hence, I'm wondering if there's a way to disable HSTS on this specific setup, preferably without touching the foreman code?
I've read in the doc that this could be achieved by changing something in the ruby code (http://www.rubydoc.info/gems/secure_headers/1.3.4/frames) and I think this would be in /usr/share/foreman/app/controllers/application_controller.rb, but I'd prefer not changing the vhost or some foreman parameters…

Any idea?

Thanks

Hi Frederic,

You can configure the secure headers options in
/usr/share/foreman/config/initializers/secure_headers.rb , in
particular you probably want to change
config.hsts[:include_subdomains] to false. After that just restart the
foreman or httpd services and you should be good to go. I will open a
ticket to add docs for this, as it's not easily configurable.

Here is some documentation to help you configure your secure headers
as you need: https://github.com/twitter/secureheaders

Thanks!

On Fri, Feb 20, 2015 at 12:11 PM, SCHAER Frederic wrote:


Daniel Lobato

@elobatoss
blog.daniellobato.me
daniellobato.me

GPG: http://keys.gnupg.net/pks/lookup?op=get&search=0x7A92D6DD38D6DE30
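As an added example (my own Ruby, not Foreman's initializer and not code from the secure_headers gem), the following models what the include_subdomains change Daniel points at does on the browser side: the hsts hash is rendered into the Strict-Transport-Security header Foreman sends, and a tiny client-side HSTS store then decides whether a later plain-http request to another host gets rewritten to https. The hostnames foreman.example.com and repo.foreman.example.com and the one-year max-age are constructed for the demo; the :max_age and :include_subdomains keys follow the hash shape referenced in the reply above.

```ruby
# Added example, not code from Foreman or the secure_headers gem.
# It models the hsts hash from config/initializers/secure_headers.rb as the
# header it produces, and a browser-side cache applying that header to other
# hosts. Hostnames and the max-age value below are constructed for the demo.

# Render a Strict-Transport-Security value from a secure_headers-style hash
# (keys :max_age and :include_subdomains, as in the 1.x gem options).
def hsts_header(hsts)
  value = "max-age=#{Integer(hsts[:max_age])}"
  value += "; includeSubDomains" if hsts[:include_subdomains]
  value
end

# Parse a header value back into the directives a browser stores.
def parse_hsts(value)
  policy = { max_age: nil, include_subdomains: false }
  value.split(";").each do |directive|
    name, _, val = directive.strip.partition("=")
    case name.downcase
    when "max-age" then policy[:max_age] = Integer(val)
    when "includesubdomains" then policy[:include_subdomains] = true
    end
  end
  policy
end

# Minimal browser HSTS store, keyed by hostname only: RFC 6797 ignores the
# port, so an http vhost on :80 with the same ServerName is always upgraded.
class HstsCache
  def initialize
    @policies = {}
  end

  # Called after an https response carrying the header is received.
  def learn(host, header_value, now)
    policy = parse_hsts(header_value)
    if policy[:max_age].zero?
      @policies.delete(host.downcase)          # max-age=0 makes the browser forget the host
    else
      @policies[host.downcase] = policy.merge(expires: now + policy[:max_age])
    end
  end

  # Would a plain http:// request to +host+ be rewritten to https?
  def upgrade?(host, now)
    host = host.downcase
    @policies.any? do |known, policy|
      next false if policy[:expires] <= now     # expired entries no longer apply
      host == known || (policy[:include_subdomains] && host.end_with?(".#{known}"))
    end
  end
end

ONE_YEAR = 31_536_000

# Foreman UI on https://foreman.example.com, yum mirror vhost on
# http://repo.foreman.example.com (constructed names). Returns what the
# browser does with a later plain-http request to each host.
def scenario(include_subdomains:)
  cache = HstsCache.new
  header = hsts_header({ max_age: ONE_YEAR, include_subdomains: include_subdomains })
  cache.learn("foreman.example.com", header, 0)
  {
    header: header,
    same_host: cache.upgrade?("foreman.example.com", 60),
    subdomain_vhost: cache.upgrade?("repo.foreman.example.com", 60),
    unrelated_host: cache.upgrade?("mirror.example.org", 60),
    after_expiry: cache.upgrade?("repo.foreman.example.com", ONE_YEAR + 1),
  }
end

# Reverting the initializer only stops sending the header; browsers keep the
# cached policy until max-age runs out, and only an explicit max-age=0 served
# over https clears it earlier.
def forget_scenario
  cache = HstsCache.new
  cache.learn("foreman.example.com", "max-age=#{ONE_YEAR}; includeSubDomains", 0)
  before = cache.upgrade?("repo.foreman.example.com", 60)
  cache.learn("foreman.example.com", "max-age=0", 120)
  after = cache.upgrade?("repo.foreman.example.com", 180)
  { before: before, after: after }
end

if __FILE__ == $PROGRAM_NAME
  p scenario(include_subdomains: true)
  p scenario(include_subdomains: false)
  p forget_scenario
end
```

Two caveats the model makes visible: the policy is stored per hostname with no port, so if the repository vhost shares the Foreman ServerName, include_subdomains makes no difference and http://host/repositories is still upgraded; and the store lives in the browser, so after the initializer is reverted the old policy keeps applying until its max-age expires or the https site sends max-age=0.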

Hi,

Thanks, this seems to work - it's not really easy to manage with puppet though.

I also created another vhost with another servername to see if this would impact that other vhost, but actually I can't seem to be able to re-enable hsts on foreman even after reverting the change in the config and restarting apache… ?
I even tried clearing my browser cache again, then accessing the https url and the http one afterwards: no hsts anymore…

Is there a cache somewhere for the ruby applications (on the server side) ?

Regards

-----Original Message-----

From: foreman-users@googlegroups.com [mailto:foreman-users@googlegroups.com] On behalf of Daniel Lobato
Sent: Saturday, 21 February 2015 16:17
To: foreman-users@googlegroups.com
Subject: Re: [foreman-users] foreman 1.7.2 : disable "secure headers" hsts ?



You received this message because you are subscribed to the Google Groups “Foreman users” group.
To unsubscribe from this group and stop receiving emails from it, send an email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/d/optout.