Bug 1302442 - [RFE] Allow viewing of custom products over http with the standard HSTS setup.
[RFE] Allow viewing of custom products over http with the standard HSTS setup.
Status: CLOSED DUPLICATE of bug 1486297
Product: Red Hat Satellite 6
Classification: Red Hat
Component: Settings (Show other bugs)
6.2.12
x86_64 Linux
urgent Severity high (vote)
: Unspecified
: --
Assigned To: satellite6-bugs
Katello QA List
: FutureFeature, PrioBumpField, PrioBumpGSS, PrioBumpPM, Reopened, UserExperience
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2016-01-27 17:20 EST by Erinn Looney-Triggs
Modified: 2018-01-08 09:31 EST (History)
12 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-01-08 09:17:18 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Comment 1 Erinn Looney-Triggs 2016-01-28 03:42:04 EST
This appears to be the root cause of the issue:
https://github.com/theforeman/foreman/pull/1779

Adding in the HSTS headers is a good idea, however, because not all content is served via https, it rapidly becomes a bad idea. Ideally, all content should be served via https, but until that time comes you will probably need to revert the hsts headers.

-Erinn
Comment 2 Preetesh Sharma 2016-05-12 12:56:18 EDT
Customer requested for an update from engineering team as there satellite server is used by multiple client systems and they are unable to access the pulp ISOs because content is serverd over http.
Comment 3 Bryan Kearney 2016-07-26 15:05:47 EDT
Moving 6.2 bugs out to sat-backlog.
Comment 11 Daniel Lobato Garcia 2017-01-26 15:40:20 EST
I tested this by syncing "Red Hat Directory Server 10 for Red Hat Enterprise Linux 7 Server ISOs x86_64 7Server", then accessing the HTTP url. 

I'm able to access the HTTP ISOs path just by clicking on them without any problem. The /pulp/ path shouldn't have any HSTS because we set this at the application level only on Foreman. 

More info:

Headers from a regular page in Sat (includes HSTS)

HTTP/1.1 200 OK
Date: Thu, 26 Jan 2017 20:33:25 GMT
Server: Apache/2.4.6 (CentOS)
Content-Type: text/html; charset=utf-8
ETag: W/"f1009828deeffd8bce2362a3624700d9-gzip"
Cache-Control: max-age=0, private, must-revalidate
X-Request-Id: 61f1fb7d-7827-4943-a3a8-36c82822669b
X-Runtime: 10.374906
Content-Security-Policy: default-src 'self'; child-src 'self'; connect-src 'self' ws: wss: centos7-devel.lobatolan.home:3808; img-src 'self' data: *.gravatar.com centos7-devel.lobatolan.home:3808; script-src 'unsafe-eval' 'unsafe-inline' 'self' centos7-devel.lobatolan.home:3808; style-src 'unsafe-inline' 'self' centos7-devel.lobatolan.home:3808
Strict-Transport-Security: max-age=631152000; includeSubdomains
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Frame-Options: sameorigin
X-Permitted-Cross-Domain-Policies: none
X-XSS-Protection: 1; mode=block
Via: 1.1 centos7-devel.lobatolan.home
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 9169
Connection: close

--------------------------------

Headers for pages in /pulp (NO HSTS here)

HTTP/1.1 200 OK
Date: Thu, 26 Jan 2017 20:34:14 GMT
Server: Apache/2.4.6 (CentOS)
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 611
Connection: close
Content-Type: text/html;charset=UTF-8

---------------------------------

/etc/httpd/conf.d/05-katello-ssl.conf


<VirtualHost *:443>
  ServerName centos7-devel.lobatolan.home

  ## Vhost docroot
  DocumentRoot "/var/www"

  ## Directories, there should at least be a declaration for /var/www

  <Directory "/var/www">
    Options SymLinksIfOwnerMatch
    AllowOverride None
    Require all granted
  </Directory>

  ## Logging
  ErrorLog "/var/log/httpd/katello-ssl_error_ssl.log"
  ServerSignature Off
  CustomLog "/var/log/httpd/katello-ssl_access_ssl.log" combined

  ## Server aliases
  ServerAlias katello

  ## SSL directives
  SSLEngine on
  SSLCertificateFile      "/etc/pki/katello/certs/katello-default-ca.crt"
  SSLCertificateKeyFile   "/etc/pki/katello/private/katello-default-ca.key"
  SSLCACertificatePath    "/etc/pki/tls/certs"
  SSLCACertificateFile    "/etc/pki/katello/certs/katello-default-ca.crt"
  SSLVerifyClient         optional
  SSLVerifyDepth          3
  SSLOptions +StdEnvVars

  # SSL Proxy directives
  SSLProxyEngine On

  ## Custom fragment
  #
# WARNING: THIS CONFIGURATION WAS GENERATED BY KATELLO-CONFIGURE TOOL,
# CHANGES WILL LIKELY BE OVERWRITTEN.
#
SSLUsername SSL_CLIENT_S_DN_CN

Alias /pub /var/www/html/pub
<Location /pub>
  <IfModule mod_passenger.c>
    PassengerEnabled off
  </IfModule>
  Options +FollowSymLinks +Indexes
</Location>

<LocationMatch /rhsm|/subscription|/katello/api>
  # if ssl_client_certa is present set the header, otherwise don't override
  # a reverse proxy may already be sending the cert through this header
  SetEnvIf SSL_CLIENT_CERT "^..*" client_cert_present=1
  RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s" env=!client_cert_present
  SSLVerifyClient optional
  SSLRenegBufferSize 16777216
  SSLVerifyDepth 2

  # report to CLI and RHSM nicely when Katello is down
  ErrorDocument 500 '{"displayMessage": "Internal error, contact administrator", "errors": ["Internal error, contact administrator"], "status": "500" }'
  ErrorDocument 503 '{"displayMessage": "Service unavailable or restarting, try later", "errors": ["Service unavailable or restarting, try later"], "status": "503" }'
</LocationMatch>
ProxyPass /pulp !
ProxyPass /streamer !
ProxyPass / http://localhost:3000/ retry=0
ProxyPassReverse / http://localhost:3000
ProxyPassReverse / http://localhost:6006
ProxyPreserveHost on
RequestHeader set X_FORWARDED_PROTO 'https'
</VirtualHost>

---------------------------------

/etc/httpd/conf.d/05-katello.conf

<VirtualHost *:80>
  ServerName centos7-devel.lobatolan.home

  ## Vhost docroot
  DocumentRoot "/var/www/html"

  ## Directories, there should at least be a declaration for /var/www/html

  <Directory "/var/www/html">
    Options SymLinksIfOwnerMatch
    AllowOverride None
    Require all granted
  </Directory>

  ## Logging
  ErrorLog "/var/log/httpd/katello_error.log"
  ServerSignature Off
  CustomLog "/var/log/httpd/katello_access.log" combined

  ## Server aliases
  ServerAlias katello

  ## Custom fragment
  #
# WARNING: THIS CONFIGURATION WAS GENERATED BY KATELLO-CONFIGURE TOOL,
# CHANGES WILL LIKELY BE OVERWRITTEN.
#

Alias /pub /var/www/html/pub

<Location /pub>
  <IfModule mod_passenger.c>
    PassengerEnabled off
  </IfModule>
  Options +FollowSymLinks +Indexes
  Require all granted
</Location>

Include /etc/pulp/vhosts80/*.conf

<Location /pulp>
  <IfModule mod_passenger.c>
    PassengerEnabled off
  </IfModule>
  Options +FollowSymLinks +Indexes
</Location>
ProxyPass /unattended http://localhost:3000/unattended
RewriteEngine On
RewriteCond %{REQUEST_URI} !^\/pulp\/.*
RewriteCond %{REQUEST_URI} !^\/pulp$
RewriteCond %{REQUEST_URI} !^\/pub\/.*
RewriteCond %{REQUEST_URI} !^\/pub$
RewriteCond %{REQUEST_URI} !^\/unattended\/.*
RewriteCond %{REQUEST_URI} !^\/unattended$
RewriteCond %{REQUEST_URI} !^\/streamer\/.*
RewriteCond %{REQUEST_URI} !^\/streamer$
RewriteCond %{HTTPS} off
RewriteRule (.*) https://centos7-devel.lobatolan.home/$1 [L,R=301]

</VirtualHost>


---------------------------------

I'm on nightly so this might have changed but I have accessed regular yum repos in 6.2.6 via HTTP without a problem, so I don't see why ISOS should be any different.

I'll keep on reaching more people see if anyone's seen this problem with HSTS before.
Comment 13 Daniel Lobato Garcia 2017-03-15 05:19:19 EDT
I couldn't reproduce, and asked more people after that comment to reproduce to no avail. Is there any way for Eng to move forward with this BZ?
Comment 14 Daniel Lobato Garcia 2017-03-15 09:43:22 EDT
Actually I'm removing devel_triaged. I thought '-' meant it could not be reproduced by a dev, can anyone confirm?
Comment 15 Tomer Brisker 2017-04-26 06:12:59 EDT
I'm going to go ahead and close this bug as WONTFIX. It would appear that pulp repos are still accessible even with HSTS enabled. I would prefer fixing any pages that don't support https to disabling HSTS.
If you feel this is in error, please reopen this bug and provide further information.
Comment 16 Chris Roberts 2017-11-15 12:08:57 EST
Reopening as this is happening in 6.2.12
Comment 17 Ben 2017-11-15 12:20:03 EST
I have a stock Satellite install, updated, as updates have become available, from 6.2.something to 6.2.12.  Today I upgraded my Firefox from 52.4 (RHEL7 standard) to 57.0 at which point my Satellite web GUI now fails to load, giving the message:


Your connection is not secure

The owner of satellite1.<blah blah blah> has configured their web site improperly. To protect your information from being stolen, Firefox has not connected to this web site.

This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox only connect to it securely. As a result, it is not possible to add an exception for this certificate.


What am I supposed to do about this, other than use Chrome, which doesn't seem to complain.
Comment 18 Ben 2017-11-16 09:19:18 EST
OK, with help from Evgeni Golov I've solved my HSTS/Firefox 57 issue.  

It seems that I needed to go into FF 57's "hamburger" -> Library -> History, and find my site's URL, right click on it and select "Forget About This Site".  This then enabled me to go back to the Satellite web GUI URL, and this time the "Add an exception..." button was there, so I could add an exception for the site's self-signed certificate.  All is now well.
Comment 19 Tomer Brisker 2017-11-26 08:57:47 EST
Can this be closed again then? seems from comment #18 the issue was with firefox settings?
Comment 20 Ben 2017-11-27 07:31:42 EST
As far as _I'm_ concerned, yes, thank you.  However I can't speak for the people above whose issue was, I think, different.
Comment 21 Bryan Kearney 2018-01-04 16:10:19 EST
Tomer:

I would not close this. I think the use case people want is the following:

1) Using a current chrome or firefox, I would like to create custom product which is exposed over http. I would then like to be able to navigate to the url from the publish page, and see the contents in my browser.

2) Using curl, I would like to be able to pull down any content which is exposed over http.

3) Using wget, I would like to be able to pull down any content which is exposed over http.

See also:

https://bugzilla.redhat.com/show_bug.cgi?id=1486297
Comment 22 Bryan Kearney 2018-01-04 16:11:52 EST
I am changing the name to make things a bit more clear.
Comment 23 Tomer Brisker 2018-01-07 03:47:17 EST
Stories 2 and 3 are already possible afaict. HSTS is only enforced by browsers, not by curl or wget. 
Story 1 requires disabling HSTS - once you navigate to a secure URL that defines HSTS, it's all-or-nothing for the domain until the user clears their browser's caches. 
I will clone the other bz upstream and add a setting that allows disabling HSTS, which should also be good enough for fixing this without defaulting to an unsecure setting.
Comment 26 Bryan Kearney 2018-01-08 09:17:18 EST
Closing as a dupe of 1486297

Note You need to log in before you can comment on or make changes to this bug.