1302442 – [RFE] Allow viewing of custom products over http with the standard HSTS setup.

Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1302442 - [RFE] Allow viewing of custom products over http with the standard HSTS setup.

Summary: [RFE] Allow viewing of custom products over http with the standard HSTS setup.

Keywords:
Status:	CLOSED DUPLICATE of bug 1486297
Alias:	None
Product:	Red Hat Satellite
Classification:	Red Hat
Component:	Settings
Sub Component:
Version:	6.2.12
Hardware:	x86_64
OS:	Linux
Priority:	urgent
Severity:	high
Target Milestone:	Unspecified
Assignee:	satellite6-bugs
QA Contact:	Katello QA List
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-01-27 22:20 UTC by Erinn Looney-Triggs
Modified:	2020-03-11 15:01 UTC (History)
CC List:	12 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-01-08 14:17:18 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1486297	0	urgent	CLOSED	[RFE] Allow custom configuration for HSTS settings	2021-02-22 00:41:40 UTC

Internal Links: 1486297

Comment 1 Erinn Looney-Triggs 2016-01-28 08:42:04 UTC

This appears to be the root cause of the issue:
https://github.com/theforeman/foreman/pull/1779

Adding in the HSTS headers is a good idea, however, because not all content is served via https, it rapidly becomes a bad idea. Ideally, all content should be served via https, but until that time comes you will probably need to revert the hsts headers.

-Erinn

Comment 2 Preetesh Sharma 2016-05-12 16:56:18 UTC

Customer requested for an update from engineering team as there satellite server is used by multiple client systems and they are unable to access the pulp ISOs because content is serverd over http.

Comment 3 Bryan Kearney 2016-07-26 19:05:47 UTC

Moving 6.2 bugs out to sat-backlog.

Comment 11 Daniel Lobato Garcia 2017-01-26 20:40:20 UTC

I tested this by syncing "Red Hat Directory Server 10 for Red Hat Enterprise Linux 7 Server ISOs x86_64 7Server", then accessing the HTTP url. 

I'm able to access the HTTP ISOs path just by clicking on them without any problem. The /pulp/ path shouldn't have any HSTS because we set this at the application level only on Foreman. 

More info:

Headers from a regular page in Sat (includes HSTS)

HTTP/1.1 200 OK
Date: Thu, 26 Jan 2017 20:33:25 GMT
Server: Apache/2.4.6 (CentOS)
Content-Type: text/html; charset=utf-8
ETag: W/"f1009828deeffd8bce2362a3624700d9-gzip"
Cache-Control: max-age=0, private, must-revalidate
X-Request-Id: 61f1fb7d-7827-4943-a3a8-36c82822669b
X-Runtime: 10.374906
Content-Security-Policy: default-src 'self'; child-src 'self'; connect-src 'self' ws: wss: centos7-devel.lobatolan.home:3808; img-src 'self' data: *.gravatar.com centos7-devel.lobatolan.home:3808; script-src 'unsafe-eval' 'unsafe-inline' 'self' centos7-devel.lobatolan.home:3808; style-src 'unsafe-inline' 'self' centos7-devel.lobatolan.home:3808
Strict-Transport-Security: max-age=631152000; includeSubdomains
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: sameorigin
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 1; mode=block
Via: 1.1 centos7-devel.lobatolan.home
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 9169
Connection: close

--------------------------------

Headers for pages in /pulp (NO HSTS here)

HTTP/1.1 200 OK
Date: Thu, 26 Jan 2017 20:34:14 GMT
Server: Apache/2.4.6 (CentOS)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 611
Connection: close
Content-Type: text/html;charset=UTF-8

---------------------------------

/etc/httpd/conf.d/05-katello-ssl.conf


<VirtualHost *:443>
  ServerName centos7-devel.lobatolan.home

  ## Vhost docroot
  DocumentRoot "/var/www"

  ## Directories, there should at least be a declaration for /var/www

  <Directory "/var/www">
    Options SymLinksIfOwnerMatch
    AllowOverride None
    Require all granted
  </Directory>

  ## Logging
  ErrorLog "/var/log/httpd/katello-ssl_error_ssl.log"
  ServerSignature Off
  CustomLog "/var/log/httpd/katello-ssl_access_ssl.log" combined

  ## Server aliases
  ServerAlias katello

  ## SSL directives
  SSLEngine on
  SSLCertificateFile      "/etc/pki/katello/certs/katello-default-ca.crt"
  SSLCertificateKeyFile   "/etc/pki/katello/private/katello-default-ca.key"
  SSLCACertificatePath    "/etc/pki/tls/certs"
  SSLCACertificateFile    "/etc/pki/katello/certs/katello-default-ca.crt"
  SSLVerifyClient         optional
  SSLVerifyDepth          3
  SSLOptions +StdEnvVars

  # SSL Proxy directives
  SSLProxyEngine On

  ## Custom fragment
  #
# WARNING: THIS CONFIGURATION WAS GENERATED BY KATELLO-CONFIGURE TOOL,
# CHANGES WILL LIKELY BE OVERWRITTEN.
#
SSLUsername SSL_CLIENT_S_DN_CN

Alias /pub /var/www/html/pub
<Location /pub>
  <IfModule mod_passenger.c>
    PassengerEnabled off
  </IfModule>
  Options +FollowSymLinks +Indexes
</Location>

<LocationMatch /rhsm|/subscription|/katello/api>
  # if ssl_client_certa is present set the header, otherwise don't override
  # a reverse proxy may already be sending the cert through this header
  SetEnvIf SSL_CLIENT_CERT "^..*" client_cert_present=1
  RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s" env=!client_cert_present
  SSLVerifyClient optional
  SSLRenegBufferSize 16777216
  SSLVerifyDepth 2

  # report to CLI and RHSM nicely when Katello is down
  ErrorDocument 500 '{"displayMessage": "Internal error, contact administrator", "errors": ["Internal error, contact administrator"], "status": "500" }'
  ErrorDocument 503 '{"displayMessage": "Service unavailable or restarting, try later", "errors": ["Service unavailable or restarting, try later"], "status": "503" }'
</LocationMatch>
ProxyPass /pulp !
ProxyPass /streamer !
ProxyPass / http://localhost:3000/ retry=0
ProxyPassReverse / http://localhost:3000
ProxyPassReverse / http://localhost:6006
ProxyPreserveHost on
RequestHeader set X_FORWARDED_PROTO 'https'
</VirtualHost>

---------------------------------

/etc/httpd/conf.d/05-katello.conf

<VirtualHost *:80>
  ServerName centos7-devel.lobatolan.home

  ## Vhost docroot
  DocumentRoot "/var/www/html"

  ## Directories, there should at least be a declaration for /var/www/html

  <Directory "/var/www/html">
    Options SymLinksIfOwnerMatch
    AllowOverride None
    Require all granted
  </Directory>

  ## Logging
  ErrorLog "/var/log/httpd/katello_error.log"
  ServerSignature Off
  CustomLog "/var/log/httpd/katello_access.log" combined

  ## Server aliases
  ServerAlias katello

  ## Custom fragment
  #
# WARNING: THIS CONFIGURATION WAS GENERATED BY KATELLO-CONFIGURE TOOL,
# CHANGES WILL LIKELY BE OVERWRITTEN.
#

Alias /pub /var/www/html/pub

<Location /pub>
  <IfModule mod_passenger.c>
    PassengerEnabled off
  </IfModule>
  Options +FollowSymLinks +Indexes
  Require all granted
</Location>

Include /etc/pulp/vhosts80/*.conf

<Location /pulp>
  <IfModule mod_passenger.c>
    PassengerEnabled off
  </IfModule>
  Options +FollowSymLinks +Indexes
</Location>
ProxyPass /unattended http://localhost:3000/unattended
RewriteEngine On
RewriteCond %{REQUEST_URI} !^\/pulp\/.*
RewriteCond %{REQUEST_URI} !^\/pulp$
RewriteCond %{REQUEST_URI} !^\/pub\/.*
RewriteCond %{REQUEST_URI} !^\/pub$
RewriteCond %{REQUEST_URI} !^\/unattended\/.*
RewriteCond %{REQUEST_URI} !^\/unattended$
RewriteCond %{REQUEST_URI} !^\/streamer\/.*
RewriteCond %{REQUEST_URI} !^\/streamer$
RewriteCond %{HTTPS} off
RewriteRule (.*) https://centos7-devel.lobatolan.home/$1 [L,R=301]

</VirtualHost>


---------------------------------

I'm on nightly so this might have changed but I have accessed regular yum repos in 6.2.6 via HTTP without a problem, so I don't see why ISOS should be any different.

I'll keep on reaching more people see if anyone's seen this problem with HSTS before.

Comment 13 Daniel Lobato Garcia 2017-03-15 09:19:19 UTC

I couldn't reproduce, and asked more people after that comment to reproduce to no avail. Is there any way for Eng to move forward with this BZ?

Comment 14 Daniel Lobato Garcia 2017-03-15 13:43:22 UTC

Actually I'm removing devel_triaged. I thought '-' meant it could not be reproduced by a dev, can anyone confirm?

Comment 15 Tomer Brisker 2017-04-26 10:12:59 UTC

I'm going to go ahead and close this bug as WONTFIX. It would appear that pulp repos are still accessible even with HSTS enabled. I would prefer fixing any pages that don't support https to disabling HSTS.
If you feel this is in error, please reopen this bug and provide further information.

Comment 16 Chris Roberts 2017-11-15 17:08:57 UTC

Reopening as this is happening in 6.2.12

Comment 17 Ben 2017-11-15 17:20:03 UTC

I have a stock Satellite install, updated, as updates have become available, from 6.2.something to 6.2.12.  Today I upgraded my Firefox from 52.4 (RHEL7 standard) to 57.0 at which point my Satellite web GUI now fails to load, giving the message:


Your connection is not secure

The owner of satellite1.<blah blah blah> has configured their web site improperly. To protect your information from being stolen, Firefox has not connected to this web site.

This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox only connect to it securely. As a result, it is not possible to add an exception for this certificate.


What am I supposed to do about this, other than use Chrome, which doesn't seem to complain.

Comment 18 Ben 2017-11-16 14:19:18 UTC

OK, with help from Evgeni Golov I've solved my HSTS/Firefox 57 issue.  

It seems that I needed to go into FF 57's "hamburger" -> Library -> History, and find my site's URL, right click on it and select "Forget About This Site".  This then enabled me to go back to the Satellite web GUI URL, and this time the "Add an exception..." button was there, so I could add an exception for the site's self-signed certificate.  All is now well.

Comment 19 Tomer Brisker 2017-11-26 13:57:47 UTC

Can this be closed again then? seems from comment #18 the issue was with firefox settings?

Comment 20 Ben 2017-11-27 12:31:42 UTC

As far as _I'm_ concerned, yes, thank you.  However I can't speak for the people above whose issue was, I think, different.

Comment 21 Bryan Kearney 2018-01-04 21:10:19 UTC

Tomer:

I would not close this. I think the use case people want is the following:

1) Using a current chrome or firefox, I would like to create custom product which is exposed over http. I would then like to be able to navigate to the url from the publish page, and see the contents in my browser.

2) Using curl, I would like to be able to pull down any content which is exposed over http.

3) Using wget, I would like to be able to pull down any content which is exposed over http.

See also:

https://bugzilla.redhat.com/show_bug.cgi?id=1486297

Comment 22 Bryan Kearney 2018-01-04 21:11:52 UTC

I am changing the name to make things a bit more clear.

Comment 23 Tomer Brisker 2018-01-07 08:47:17 UTC

Stories 2 and 3 are already possible afaict. HSTS is only enforced by browsers, not by curl or wget. 
Story 1 requires disabling HSTS - once you navigate to a secure URL that defines HSTS, it's all-or-nothing for the domain until the user clears their browser's caches. 
I will clone the other bz upstream and add a setting that allows disabling HSTS, which should also be good enough for fixing this without defaulting to an unsecure setting.

Comment 26 Bryan Kearney 2018-01-08 14:17:18 UTC

Closing as a dupe of 1486297

Note You need to log in before you can comment on or make changes to this bug.