Bug 1302442

This appears to be the root cause of the issue:
https://github.com/theforeman/foreman/pull/1779

Adding in the HSTS headers is a good idea, however, because not all content is served via https, it rapidly becomes a bad idea. Ideally, all content should be served via https, but until that time comes you will probably need to revert the hsts headers.

-Erinn

Customer requested for an update from engineering team as there satellite server is used by multiple client systems and they are unable to access the pulp ISOs because content is serverd over http.

Moving 6.2 bugs out to sat-backlog.

I tested this by syncing "Red Hat Directory Server 10 for Red Hat Enterprise Linux 7 Server ISOs x86_64 7Server", then accessing the HTTP url. 

I'm able to access the HTTP ISOs path just by clicking on them without any problem. The /pulp/ path shouldn't have any HSTS because we set this at the application level only on Foreman. 

More info:

Headers from a regular page in Sat (includes HSTS)

HTTP/1.1 200 OK
Date: Thu, 26 Jan 2017 20:33:25 GMT
Server: Apache/2.4.6 (CentOS)
Content-Type: text/html; charset=utf-8
ETag: W/"f1009828deeffd8bce2362a3624700d9-gzip"
Cache-Control: max-age=0, private, must-revalidate
X-Request-Id: 61f1fb7d-7827-4943-a3a8-36c82822669b
X-Runtime: 10.374906
Content-Security-Policy: default-src 'self'; child-src 'self'; connect-src 'self' ws: wss: centos7-devel.lobatolan.home:3808; img-src 'self' data: *.gravatar.com centos7-devel.lobatolan.home:3808; script-src 'unsafe-eval' 'unsafe-inline' 'self' centos7-devel.lobatolan.home:3808; style-src 'unsafe-inline' 'self' centos7-devel.lobatolan.home:3808
Strict-Transport-Security: max-age=631152000; includeSubdomains
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: sameorigin
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 1; mode=block
Via: 1.1 centos7-devel.lobatolan.home
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 9169
Connection: close

--------------------------------

Headers for pages in /pulp (NO HSTS here)

HTTP/1.1 200 OK
Date: Thu, 26 Jan 2017 20:34:14 GMT
Server: Apache/2.4.6 (CentOS)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 611
Connection: close
Content-Type: text/html;charset=UTF-8

---------------------------------

/etc/httpd/conf.d/05-katello-ssl.conf


<VirtualHost *:443>
  ServerName centos7-devel.lobatolan.home

  ## Vhost docroot
  DocumentRoot "/var/www"

  ## Directories, there should at least be a declaration for /var/www

  <Directory "/var/www">
    Options SymLinksIfOwnerMatch
    AllowOverride None
    Require all granted
  </Directory>

  ## Logging
  ErrorLog "/var/log/httpd/katello-ssl_error_ssl.log"
  ServerSignature Off
  CustomLog "/var/log/httpd/katello-ssl_access_ssl.log" combined

  ## Server aliases
  ServerAlias katello

  ## SSL directives
  SSLEngine on
  SSLCertificateFile      "/etc/pki/katello/certs/katello-default-ca.crt"
  SSLCertificateKeyFile   "/etc/pki/katello/private/katello-default-ca.key"
  SSLCACertificatePath    "/etc/pki/tls/certs"
  SSLCACertificateFile    "/etc/pki/katello/certs/katello-default-ca.crt"
  SSLVerifyClient         optional
  SSLVerifyDepth          3
  SSLOptions +StdEnvVars

  # SSL Proxy directives
  SSLProxyEngine On

  ## Custom fragment
  #
# WARNING: THIS CONFIGURATION WAS GENERATED BY KATELLO-CONFIGURE TOOL,
# CHANGES WILL LIKELY BE OVERWRITTEN.
#
SSLUsername SSL_CLIENT_S_DN_CN

Alias /pub /var/www/html/pub
<Location /pub>
  <IfModule mod_passenger.c>
    PassengerEnabled off
  </IfModule>
  Options +FollowSymLinks +Indexes
</Location>

<LocationMatch /rhsm|/subscription|/katello/api>
  # if ssl_client_certa is present set the header, otherwise don't override
  # a reverse proxy may already be sending the cert through this header
  SetEnvIf SSL_CLIENT_CERT "^..*" client_cert_present=1
  RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s" env=!client_cert_present
  SSLVerifyClient optional
  SSLRenegBufferSize 16777216
  SSLVerifyDepth 2

  # report to CLI and RHSM nicely when Katello is down
  ErrorDocument 500 '{"displayMessage": "Internal error, contact administrator", "errors": ["Internal error, contact administrator"], "status": "500" }'
  ErrorDocument 503 '{"displayMessage": "Service unavailable or restarting, try later", "errors": ["Service unavailable or restarting, try later"], "status": "503" }'
</LocationMatch>
ProxyPass /pulp !
ProxyPass /streamer !
ProxyPass / http://localhost:3000/ retry=0
ProxyPassReverse / http://localhost:3000
ProxyPassReverse / http://localhost:6006
ProxyPreserveHost on
RequestHeader set X_FORWARDED_PROTO 'https'
</VirtualHost>

---------------------------------

/etc/httpd/conf.d/05-katello.conf

<VirtualHost *:80>
  ServerName centos7-devel.lobatolan.home

  ## Vhost docroot
  DocumentRoot "/var/www/html"

  ## Directories, there should at least be a declaration for /var/www/html

  <Directory "/var/www/html">
    Options SymLinksIfOwnerMatch
    AllowOverride None
    Require all granted
  </Directory>

  ## Logging
  ErrorLog "/var/log/httpd/katello_error.log"
  ServerSignature Off
  CustomLog "/var/log/httpd/katello_access.log" combined

  ## Server aliases
  ServerAlias katello

  ## Custom fragment
  #
# WARNING: THIS CONFIGURATION WAS GENERATED BY KATELLO-CONFIGURE TOOL,
# CHANGES WILL LIKELY BE OVERWRITTEN.
#

Alias /pub /var/www/html/pub

<Location /pub>
  <IfModule mod_passenger.c>
    PassengerEnabled off
  </IfModule>
  Options +FollowSymLinks +Indexes
  Require all granted
</Location>

Include /etc/pulp/vhosts80/*.conf

<Location /pulp>
  <IfModule mod_passenger.c>
    PassengerEnabled off
  </IfModule>
  Options +FollowSymLinks +Indexes
</Location>
ProxyPass /unattended http://localhost:3000/unattended
RewriteEngine On
RewriteCond %{REQUEST_URI} !^\/pulp\/.*
RewriteCond %{REQUEST_URI} !^\/pulp$
RewriteCond %{REQUEST_URI} !^\/pub\/.*
RewriteCond %{REQUEST_URI} !^\/pub$
RewriteCond %{REQUEST_URI} !^\/unattended\/.*
RewriteCond %{REQUEST_URI} !^\/unattended$
RewriteCond %{REQUEST_URI} !^\/streamer\/.*
RewriteCond %{REQUEST_URI} !^\/streamer$
RewriteCond %{HTTPS} off
RewriteRule (.*) https://centos7-devel.lobatolan.home/$1 [L,R=301]

</VirtualHost>


---------------------------------

I'm on nightly so this might have changed but I have accessed regular yum repos in 6.2.6 via HTTP without a problem, so I don't see why ISOS should be any different.

I'll keep on reaching more people see if anyone's seen this problem with HSTS before.

I couldn't reproduce, and asked more people after that comment to reproduce to no avail. Is there any way for Eng to move forward with this BZ?

Actually I'm removing devel_triaged. I thought '-' meant it could not be reproduced by a dev, can anyone confirm?

I'm going to go ahead and close this bug as WONTFIX. It would appear that pulp repos are still accessible even with HSTS enabled. I would prefer fixing any pages that don't support https to disabling HSTS.
If you feel this is in error, please reopen this bug and provide further information.

Reopening as this is happening in 6.2.12

I have a stock Satellite install, updated, as updates have become available, from 6.2.something to 6.2.12.  Today I upgraded my Firefox from 52.4 (RHEL7 standard) to 57.0 at which point my Satellite web GUI now fails to load, giving the message:


Your connection is not secure

The owner of satellite1.<blah blah blah> has configured their web site improperly. To protect your information from being stolen, Firefox has not connected to this web site.

This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox only connect to it securely. As a result, it is not possible to add an exception for this certificate.


What am I supposed to do about this, other than use Chrome, which doesn't seem to complain.

OK, with help from Evgeni Golov I've solved my HSTS/Firefox 57 issue.  

It seems that I needed to go into FF 57's "hamburger" -> Library -> History, and find my site's URL, right click on it and select "Forget About This Site".  This then enabled me to go back to the Satellite web GUI URL, and this time the "Add an exception..." button was there, so I could add an exception for the site's self-signed certificate.  All is now well.

Can this be closed again then? seems from comment #18 the issue was with firefox settings?

As far as _I'm_ concerned, yes, thank you.  However I can't speak for the people above whose issue was, I think, different.

Tomer:

I would not close this. I think the use case people want is the following:

1) Using a current chrome or firefox, I would like to create custom product which is exposed over http. I would then like to be able to navigate to the url from the publish page, and see the contents in my browser.

2) Using curl, I would like to be able to pull down any content which is exposed over http.

3) Using wget, I would like to be able to pull down any content which is exposed over http.

See also:

https://bugzilla.redhat.com/show_bug.cgi?id=1486297

I am changing the name to make things a bit more clear.

Stories 2 and 3 are already possible afaict. HSTS is only enforced by browsers, not by curl or wget. 
Story 1 requires disabling HSTS - once you navigate to a secure URL that defines HSTS, it's all-or-nothing for the domain until the user clears their browser's caches. 
I will clone the other bz upstream and add a setting that allows disabling HSTS, which should also be good enough for fixing this without defaulting to an unsecure setting.

Closing as a dupe of 1486297