Bug 1302442
Summary: | [RFE] Allow viewing of custom products over http with the standard HSTS setup. | | |
---|---|---|---|
Product: | Red Hat Satellite | Reporter: | Erinn Looney-Triggs <erinn.looneytriggs> |
Component: | Settings | Assignee: | satellite6-bugs <satellite6-bugs> |
Status: | CLOSED DUPLICATE | QA Contact: | Katello QA List <katello-qa-list> |
Severity: | high | Docs Contact: | |
Priority: | urgent | | |
Version: | 6.2.12 | CC: | ben.argyle, bkearney, chrobert, dlobatog, erik-fedora, hartsjc, jswensso, kseifried, mhulan, prsharma, sabnave, tbrisker |
Target Milestone: | Unspecified | Keywords: | FutureFeature, PrioBumpField, PrioBumpGSS, PrioBumpPM, Reopened, UserExperience |
Target Release: | Unused | | |
Hardware: | x86_64 | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2018-01-08 14:17:18 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Comment 1
Erinn Looney-Triggs
2016-01-28 08:42:04 UTC
Customer requested an update from the engineering team as their satellite server is used by multiple client systems and they are unable to access the pulp ISOs because content is served over http.

Moving 6.2 bugs out to sat-backlog.

I tested this by syncing "Red Hat Directory Server 10 for Red Hat Enterprise Linux 7 Server ISOs x86_64 7Server", then accessing the HTTP url. I'm able to access the HTTP ISOs path just by clicking on them without any problem. The /pulp/ path shouldn't have any HSTS because we set this at the application level only on Foreman. More info:

Headers from a regular page in Sat (includes HSTS):

```
HTTP/1.1 200 OK
Date: Thu, 26 Jan 2017 20:33:25 GMT
Server: Apache/2.4.6 (CentOS)
Content-Type: text/html; charset=utf-8
ETag: W/"f1009828deeffd8bce2362a3624700d9-gzip"
Cache-Control: max-age=0, private, must-revalidate
X-Request-Id: 61f1fb7d-7827-4943-a3a8-36c82822669b
X-Runtime: 10.374906
Content-Security-Policy: default-src 'self'; child-src 'self'; connect-src 'self' ws: wss: centos7-devel.lobatolan.home:3808; img-src 'self' data: *.gravatar.com centos7-devel.lobatolan.home:3808; script-src 'unsafe-eval' 'unsafe-inline' 'self' centos7-devel.lobatolan.home:3808; style-src 'unsafe-inline' 'self' centos7-devel.lobatolan.home:3808
Strict-Transport-Security: max-age=631152000; includeSubdomains
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: sameorigin
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 1; mode=block
Via: 1.1 centos7-devel.lobatolan.home
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 9169
Connection: close
```

Headers for pages in /pulp (NO HSTS here):

```
HTTP/1.1 200 OK
Date: Thu, 26 Jan 2017 20:34:14 GMT
Server: Apache/2.4.6 (CentOS)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 611
Connection: close
Content-Type: text/html;charset=UTF-8
```

/etc/httpd/conf.d/05-katello-ssl.conf:

```apache
<VirtualHost *:443>
  ServerName centos7-devel.lobatolan.home

  ## Vhost docroot
  DocumentRoot "/var/www"

  ## Directories, there should at least be a declaration for /var/www
  <Directory "/var/www">
    Options SymLinksIfOwnerMatch
    AllowOverride None
    Require all granted
  </Directory>

  ## Logging
  ErrorLog "/var/log/httpd/katello-ssl_error_ssl.log"
  ServerSignature Off
  CustomLog "/var/log/httpd/katello-ssl_access_ssl.log" combined

  ## Server aliases
  ServerAlias katello

  ## SSL directives
  SSLEngine on
  SSLCertificateFile    "/etc/pki/katello/certs/katello-default-ca.crt"
  SSLCertificateKeyFile "/etc/pki/katello/private/katello-default-ca.key"
  SSLCACertificatePath  "/etc/pki/tls/certs"
  SSLCACertificateFile  "/etc/pki/katello/certs/katello-default-ca.crt"
  SSLVerifyClient       optional
  SSLVerifyDepth        3
  SSLOptions +StdEnvVars

  # SSL Proxy directives
  SSLProxyEngine On

  ## Custom fragment
  #
  # WARNING: THIS CONFIGURATION WAS GENERATED BY KATELLO-CONFIGURE TOOL,
  # CHANGES WILL LIKELY BE OVERWRITTEN.
  #
  SSLUsername SSL_CLIENT_S_DN_CN

  Alias /pub /var/www/html/pub
  <Location /pub>
    <IfModule mod_passenger.c>
      PassengerEnabled off
    </IfModule>
    Options +FollowSymLinks +Indexes
  </Location>

  <LocationMatch /rhsm|/subscription|/katello/api>
    # if ssl_client_cert is present set the header, otherwise don't override
    # a reverse proxy may already be sending the cert through this header
    SetEnvIf SSL_CLIENT_CERT "^..*" client_cert_present=1
    RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s" env=!client_cert_present

    SSLVerifyClient optional
    SSLRenegBufferSize 16777216
    SSLVerifyDepth 2

    # report to CLI and RHSM nicely when Katello is down
    ErrorDocument 500 '{"displayMessage": "Internal error, contact administrator", "errors": ["Internal error, contact administrator"], "status": "500" }'
    ErrorDocument 503 '{"displayMessage": "Service unavailable or restarting, try later", "errors": ["Service unavailable or restarting, try later"], "status": "503" }'
  </LocationMatch>

  ProxyPass /pulp !
  ProxyPass /streamer !
  ProxyPass / http://localhost:3000/ retry=0
  ProxyPassReverse / http://localhost:3000
  ProxyPassReverse / http://localhost:6006
  ProxyPreserveHost on
  RequestHeader set X_FORWARDED_PROTO 'https'
</VirtualHost>
```

/etc/httpd/conf.d/05-katello.conf:

```apache
<VirtualHost *:80>
  ServerName centos7-devel.lobatolan.home

  ## Vhost docroot
  DocumentRoot "/var/www/html"

  ## Directories, there should at least be a declaration for /var/www/html
  <Directory "/var/www/html">
    Options SymLinksIfOwnerMatch
    AllowOverride None
    Require all granted
  </Directory>

  ## Logging
  ErrorLog "/var/log/httpd/katello_error.log"
  ServerSignature Off
  CustomLog "/var/log/httpd/katello_access.log" combined

  ## Server aliases
  ServerAlias katello

  ## Custom fragment
  #
  # WARNING: THIS CONFIGURATION WAS GENERATED BY KATELLO-CONFIGURE TOOL,
  # CHANGES WILL LIKELY BE OVERWRITTEN.
  #
  Alias /pub /var/www/html/pub
  <Location /pub>
    <IfModule mod_passenger.c>
      PassengerEnabled off
    </IfModule>
    Options +FollowSymLinks +Indexes
    Require all granted
  </Location>

  Include /etc/pulp/vhosts80/*.conf
  <Location /pulp>
    <IfModule mod_passenger.c>
      PassengerEnabled off
    </IfModule>
    Options +FollowSymLinks +Indexes
  </Location>

  ProxyPass /unattended http://localhost:3000/unattended

  # Redirect everything that is not pulp/pub/unattended/streamer content to https
  RewriteEngine On
  RewriteCond %{REQUEST_URI} !^\/pulp\/.*
  RewriteCond %{REQUEST_URI} !^\/pulp$
  RewriteCond %{REQUEST_URI} !^\/pub\/.*
  RewriteCond %{REQUEST_URI} !^\/pub$
  RewriteCond %{REQUEST_URI} !^\/unattended\/.*
  RewriteCond %{REQUEST_URI} !^\/unattended$
  RewriteCond %{REQUEST_URI} !^\/streamer\/.*
  RewriteCond %{REQUEST_URI} !^\/streamer$
  RewriteCond %{HTTPS} off
  RewriteRule (.*) https://centos7-devel.lobatolan.home/$1 [L,R=301]
</VirtualHost>
```

I'm on nightly so this might have changed, but I have accessed regular yum repos in 6.2.6 via HTTP without a problem, so I don't see why ISOs should be any different. I'll keep on reaching out to more people to see if anyone's seen this problem with HSTS before.

I couldn't reproduce, and asked more people after that comment to reproduce to no avail. Is there any way for Eng to move forward with this BZ?

Actually I'm removing devel_triaged. I thought '-' meant it could not be reproduced by a dev, can anyone confirm?

I'm going to go ahead and close this bug as WONTFIX. It would appear that pulp repos are still accessible even with HSTS enabled. I would prefer fixing any pages that don't support https to disabling HSTS. If you feel this is in error, please reopen this bug and provide further information.

Reopening as this is happening in 6.2.12.

I have a stock Satellite install, updated, as updates have become available, from 6.2.something to 6.2.12. Today I upgraded my Firefox from 52.4 (RHEL7 standard) to 57.0, at which point my Satellite web GUI now fails to load, giving the message:

Your connection is not secure. The owner of satellite1.<blah blah blah> has configured their web site improperly. To protect your information from being stolen, Firefox has not connected to this web site. This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox only connect to it securely. As a result, it is not possible to add an exception for this certificate.

What am I supposed to do about this, other than use Chrome, which doesn't seem to complain?

OK, with help from Evgeni Golov I've solved my HSTS/Firefox 57 issue. It seems that I needed to go into FF 57's "hamburger" -> Library -> History, find my site's URL, right click on it and select "Forget About This Site". This then enabled me to go back to the Satellite web GUI URL, and this time the "Add an exception..." button was there, so I could add an exception for the site's self-signed certificate. All is now well.

Can this be closed again then? Seems from comment #18 the issue was with Firefox settings?

As far as _I'm_ concerned, yes, thank you. However I can't speak for the people above whose issue was, I think, different.

Tomer: I would not close this. I think the use case people want is the following:

1) Using a current Chrome or Firefox, I would like to create a custom product which is exposed over http. I would then like to be able to navigate to the url from the publish page, and see the contents in my browser.
2) Using curl, I would like to be able to pull down any content which is exposed over http.
3) Using wget, I would like to be able to pull down any content which is exposed over http.

See also: https://bugzilla.redhat.com/show_bug.cgi?id=1486297

I am changing the name to make things a bit more clear.

Stories 2 and 3 are already possible afaict. HSTS is only enforced by browsers, not by curl or wget. Story 1 requires disabling HSTS - once you navigate to a secure URL that defines HSTS, it's all-or-nothing for the domain until the user clears their browser's caches. I will clone the other bz upstream and add a setting that allows disabling HSTS, which should also be good enough for fixing this without defaulting to an insecure setting.

Closing as a dupe of 1486297.
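As an added example (not code from the bug report or from Satellite), here is a small Python model of the HSTS behaviour described in the last comments: the Strict-Transport-Security header captured from the Foreman UI pins the whole host in the browser's HSTS store, so an http:// URL under /pulp is upgraded even though that response carries no HSTS header, while a client with no such store (curl, wget) fetches it verbatim. The header text comes from the two responses quoted above; the class and function names are my own.

```python
from urllib.parse import urlsplit

# Constructed from the two responses quoted in the bug report (trimmed).
UI_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
               "Strict-Transport-Security: max-age=631152000; includeSubdomains\r\n\r\n")
PULP_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html;charset=UTF-8\r\n\r\n"

def parse_hsts(raw_response):
    """Return (max_age_seconds, include_subdomains), or None if absent/invalid."""
    for line in raw_response.split("\r\n"):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "strict-transport-security":
            continue
        max_age, include_sub = None, False
        for directive in value.split(";"):
            d = directive.strip().lower()
            if d.startswith("max-age=") and d[8:].isdigit():
                max_age = int(d[8:])
            elif d == "includesubdomains":
                include_sub = True
        # RFC 6797: max-age is mandatory, a header without it is ignored
        return (max_age, include_sub) if max_age is not None else None
    return None

class BrowserHstsCache:
    """Per-host HSTS store as a browser keeps it; curl and wget have none."""
    def __init__(self):
        self.policies = {}  # host -> includeSubdomains flag

    def observe(self, url, raw_response):
        """Learn a policy only from responses received over https (RFC 6797)."""
        parts, policy = urlsplit(url), parse_hsts(raw_response)
        if parts.scheme == "https" and policy is not None:
            self.policies[parts.hostname] = policy[1]

    def rewrite(self, url):
        """URL the browser really requests: http on a pinned host (or on a
        subdomain of one that set includeSubdomains) is upgraded to https."""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        labels = parts.hostname.split(".")
        for i in range(len(labels)):
            parent = ".".join(labels[i:])
            if parent in self.policies and (i == 0 or self.policies[parent]):
                return "https://" + url[len("http://"):]
        return url
```

Once `observe()` has seen the UI response over https, every http:// URL on that host (and, because of includeSubdomains, on any subdomain) is rewritten; a fresh cache, which is what curl and wget effectively have, leaves the /pulp URL untouched.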