How can I configure puma to only allow strong TLS ciphers? - ruby-on-rails

I have a Ruby on Rails application that runs under puma v4.3.8. It currently allows a number of weaker TLS ciphers. The application has a config/puma.rb file. I've tried to use ssl_cipher_filter to enforce stronger ciphers.
From what I can see, the puma code evals the contents of the config file, which seems ripe for exploitation, but that's another discussion. I know I'm editing the correct file because if I put a coding error in it the application fails to start.
I've tried a number of approaches in puma.rb to set ssl_cipher_filter and ssl_cipher_list, but none of them has had the desired effect; here are a few of those attempts:
ssl_bind('0.0.0.0','443', {ssl_cipher_filter: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"})
and
#options[:ssl_cipher_filter]="AES#STRENGTH"
and
#options[:ssl_cipher_list]="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
I am using nmap to check which ciphers are supported using the following command
nmap --script ssl-enum-ciphers -p 443 myapp.mydomain.com
I've yet to see any change in the list of ciphers accepted.
Can anyone help me put the correct configuration in place to limit the ciphers offered by puma?

This worked for me, adding this option to the puma.rb configuration file:
ssl_cipher_filter: '!aNULL:AES+SHA'
It is mentioned at https://github.com/puma/puma#controlling-ssl-cipher-suites
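An added example, not code from the question, the answer or the puma project: puma passes ssl_cipher_filter straight to OpenSSL's cipher-list parser, so the same parser, reached through Ruby's openssl stdlib, can expand a candidate filter locally and show which suites it really admits before you restart the app and re-run nmap. Running it shows that '!aNULL:AES+SHA' still offers static-RSA and CBC/SHA1 suites, which an ssl-enum-ciphers scan will list. OpenSSL names such as ECDHE-RSA-AES256-SHA are the portable spelling; whether your build also accepts IANA names like the one in the question can be checked with the same function. The stricter filter, the weak-suite rule and the certificate paths in the ssl_bind comment are this example's own choices, not puma defaults.

```ruby
require "openssl"

# Added example, not code from the question or from puma: the string handed to
# puma's ssl_cipher_filter is an OpenSSL cipher-list string, so OpenSSL's own
# parser can show what a filter really admits before the app is restarted.

# The filter from the answer above. "AES+SHA" means AES with a SHA1 MAC, so it
# still admits CBC suites and static-RSA key exchange (no forward secrecy).
ANSWER_FILTER = "!aNULL:AES+SHA"

# A stricter filter: ECDHE key exchange and AEAD ciphers only. Assumption of
# this example: all clients speak TLS 1.2 with GCM or ChaCha20 suites.
STRICT_FILTER = %w[
  ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384
  ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305
  ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256
].join(":")

# In config/puma.rb the filter goes in with the certificate and key, e.g.
#   ssl_bind "0.0.0.0", "443", { key: "/etc/ssl/private/app.key",
#                                cert: "/etc/ssl/certs/app.pem",
#                                ssl_cipher_filter: STRICT_FILTER }
# (the paths are placeholders).

# Expand a cipher-list string into the TLS 1.2 (and older) suite names OpenSSL
# would offer. OpenSSL 1.1.1+ always prepends its TLS 1.3 suites (TLS_AES_...),
# which this string does not control, so they are dropped from the result.
def expand_cipher_filter(filter)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.ciphers = filter # raises OpenSSL::SSL::SSLError when nothing matches
  ctx.ciphers.map(&:first).reject { |name| name.start_with?("TLS_") }
end

# True when OpenSSL can select at least one suite from the filter; a typo or an
# unknown name yields false instead of silently falling back to a default list.
def valid_cipher_filter?(filter)
  !expand_cipher_filter(filter).empty?
rescue OpenSSL::SSL::SSLError
  false
end

# Suites a scanner typically flags (rule chosen for this example): no forward
# secrecy (key exchange other than ECDHE/DHE) or a CBC cipher with a SHA1 MAC
# (OpenSSL name ends in -SHA).
def weak_ciphers(names)
  names.select { |n| !n.start_with?("ECDHE-", "DHE-") || n.end_with?("-SHA") }
end

if $PROGRAM_NAME == __FILE__
  { "answer" => ANSWER_FILTER, "strict" => STRICT_FILTER }.each do |label, filter|
    names = expand_cipher_filter(filter)
    weak = weak_ciphers(names)
    puts "#{label}: #{names.size} suites, #{weak.size} weak, e.g. #{weak.first(3).inspect}"
  end
end
```

Run it with ruby before touching config/puma.rb: a filter that matches nothing raises at this stage rather than at boot. The TLS 1.3 suites are governed by a separate OpenSSL setting, so on OpenSSL 1.1.1+ a scan will still list TLS_AES_256_GCM_SHA384 and friends whatever you put in ssl_cipher_filter.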

Related

How to change WEBrick :AccessLog option when running RedMine?

I'm running RedMine via WEBrick using the following command line (simplified):
bundle exec rails server webrick -e production -p 3012 -P '/var/lib/redmine/redmine.pid'
I don't like how WEBrick outputs the peer address at the beginning of its access log lines (because I'm running it behind nginx and the peer address is always 127.0.0.1), so I want to change the access log format.
I know that I need to tune the :AccessLog config option for WEBrick, but I don't know how to get my hands on it. WEBrick is run by the rails server command, via the rack abstraction, and I don't see an obvious way to pass the necessary configuration to WEBrick.
So, is there any way to do it? Some command line switch? -c is the only switch that accepts some kind of configuration file, but it references "rackup", and I have no idea how to work with it.
Maybe it can be done by changing configuration files? I tried to modify additional_environment.rb by adding config[:AccessLog] = [ [ $stderr, WEBrick::AccessLog::COMMON_LOG_FORMAT ] ], but it had no effect (although the file was executed), so I assume this file's config is not what is passed to WEBrick.
I'm pretty sure there is some way to configure this option without creating a new Rails application and invoking WEBrick manually, and hopefully even without changing RedMine files.

Multiple Rails Apps same domain Passenger

I am trying to have two Rails applications run on the same Virtual Private Server. I have only one domain name, so if the first app is example.com, the second app I am guessing would need to be example.com/second_app. I tried following this article, since it appeared to be using the same tech as me (Passenger): https://beforeitwasround.com/2013/03/serving-multiple-rails-apps-under-one-virtual-host-with-phusion-passenger.html
Before taking the steps in that article, I deployed my second app to the server using the same instructions as the currently working first app (up to, but not including the part where you add a VirtualHost/config file for the app): https://www.phusionpassenger.com/library/walkthroughs/deploy/ruby/digital_ocean/apache/oss/trusty/deploy_app.html
And I even restarted the primary app using the following command from the first app's directory:
passenger-config restart-app $(pwd)
The first app is still working, however, first_app.com/second_app does not appear to work as described in the first article. I am guessing there is a ton of knowledge assumed, however I am just starting with Rails, and am learning as I go. Do I need to create a VirtualHost/config file for the second app?
My specifics:
VPS: Digital Ocean
Ruby: 2.3.4
Rails: 4.2.5
Ubuntu: 16.04
Apache: 2.4.18
Passenger
So, I figured out what I didn't know to do. That is, I did not restart apache after editing the VirtualHost/config file:
sudo apache2ctl restart
Which then gave me the error:
"AH00526: Syntax error on line 19 of /etc/apache2/sites-enabled/test_app.conf:
Either all Options must start with + or -, or no Option may"
Upon googling the error, it appears that there was a syntax error in the code from the article I read, which doesn't surprise me, as the article is 4-5 years old. But I'm surprised that it was as easy as changing:
Options Indexes FollowSymLinks -MultiViews
to
Options +Indexes +FollowSymLinks -MultiViews
My second app now correctly shows when I go to the link! Very psyched.

502 bad gateway nginx + puma + rails 3.2 on Elastic Beanstalk

The deployment was successful and everything is green. But when we try to access the application URL, it gives 502 Bad Gateway error.
Checking for the puma process with ps -aux | grep puma doesn't return any process attached to the puma server, but pgrep returns the following.
$ pgrep -fl puma
18009 su -s /bin/bash -c bundle exec puma -C /opt/elasticbeanstalk/support/conf/pumaconf.rb webapp
18031 ruby /opt/rubies/ruby-2.0.0-p598/bin/puma -C /opt/elasticbeanstalk/support/conf/pumaconf.rb
I have tried all possible combinations, as shown on every other forum/blog or support site for nginx/puma. The following is the status.
Default configuration, where a UNIX:// sock file is used in the UPSTREAM option of nginx.conf and in pumaconf.rb: this gives 502 Bad Gateway. When checked, puma is not running, and it is rebooting every third minute.
As we have used it on DigitalOcean, change the above UPSTREAM conf URL to tcp://127.0.0.1:3000 in pumaconf.rb and 127.0.0.1:3000 in the conf.d/webapp.conf file: this is also not working; puma is not able to run properly, same as above.
My question is,
Why is there no control over running puma with different configurations? And why do we always have to use the UI, which is not able to run the services properly as per other standard configuration options?
There are no configuration options in the UI to change/verify. So we have to do it over SSH. But we have no control over restarting puma from the console.
Whenever puma is not running, we are not able to see any logs of what error it is facing. This is really not helpful at all.
Puma is not able to run even with the default configuration, so nginx is not able to talk to puma, and so the EC2 does not really make sense!
Please let us know, how we can resolve this issue, if you have any idea on this.
See this - https://forums.aws.amazon.com/thread.jspa?messageID=608148&#608148
Still no answers on this one, this is like our hands are cuffed and not able to change any configurations!
UPDATE
AWS is somehow stopping and starting puma, because I can see the process IDs changing when checking with ps -ef | grep puma. So, I started puma on another port and tried to check whether it runs or not.
I started it on another port and then, from another console, accessed the URL using wget http://127.0.0.1:3000. It prints the following log.
current]$ bundle exec puma -b tcp://127.0.0.1:3001
Puma 2.0.1 starting...
* Min threads: 0, max threads: 16
* Environment: production
* Listening on tcp://127.0.0.1:3001
Rails Error: Unable to access log file. Please ensure that /var/app/current/log/production.log exists and is chmod 0666. The log level has been raised to WARN and the output directed to STDERR until the problem is fixed.
Use Ctrl-C to stop
2015-03-16 13:19:35 +0000: HTTP parse error, malformed request (): #<Puma::HttpParserError: Invalid HTTP format, parsing fails.>
2015-03-16 13:19:35 +0000: ENV: {"rack.version"=>[1, 1], "rack.errors"=>#<IO:<STDERR>>, "rack.multithread"=>true, "rack.multiprocess"=>false, "rack.run_once"=>false, "SCRIPT_NAME"=>"", "CONTENT_TYPE"=>"text/plain", "QUERY_STRING"=>"", "SERVER_PROTOCOL"=>"HTTP/1.1", "SERVER_SOFTWARE"=>"2.0.1", "GATEWAY_INTERFACE"=>"CGI/1.2"}
So, is it compulsory to use SSL? Because I think by default, it is not enabled.
I had this issue after uploading my Rails app. I found this line (auto-generated) in secrets.yml (config > secrets.yml): secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
so you have to add it as an environment variable to your environment.
In the environment dashboard go to Configuration > Software > Environment properties and add a new variable with name SECRET_KEY_BASE.
You can set any value but make sure it is a safe key.
This resolved the issue for me, I hope it helps.
I could not fix this problem. Also, we were supposed to use a free EC2 instance only instead of Beanstalk.
We have now moved to a free EC2 instance with RDS and deployed the Rails application using Capistrano with Nginx + Unicorn. Though it was not easy[1][2], we finally got it working.

Rails 4 ActiveRecord throws PG::UnableToSend on Ubuntu 13.04

We have a Ruby v.2.0.0-p247 on Rails v4.0.1 application using pg gem v0.17.0.
The application runs smoothly under Mac OS X Mavericks v10.9 with PostgreSQL Server v9.2.4 installed using HomeBrew but it throws the following exception under Ubuntu v13.04 using PostgreSQL Server 9.1:
PG::UnableToSend: server closed the connection unexpectedly
This probably means the server terminated abnormally before or while processing the request.
The exception occurs after transactional queries (form submission).
I tried the following with database.yml:
Adding reconnect: true
Adding port: 5432
Adding socket: /var/run/postgresq/SOCKET_FILE
And tried the following with PostgreSQL configuration under Ubuntu:
Disabling SSL.
Changing TCP keepalives parameters to pump timeout.
Changing log level to DEBUG and search for possible errors on PostgreSQL Server.
Also tried:
Downgrade to pg gem v0.16.0.
Update all Ubuntu 13.04 packages to latest versions.
What could possibly be wrong?
UPDATES:
12/03/2013: Some suggested checking firewall settings. ufw status said that ufw is disabled.
12/08/2013: After trying out with a vanilla Rails app and a lot of mangling with the current application, the problem is originating from rails4/activerecord-session_store gem. Line 47 in lib/active_record/session_store/session.rb is the culprit.
This basically happens when you use an old version of launchy, and as per this issue on launchy's git repo, quoting #infertux:
In the rare case when exec fails to run the command - typically when the file cannot be opened raising Errno::ENOENT - Launchy would raise an exception but not showing any output
You can check your Gemfile.lock to see if you're using a version of launchy below 2.4.1, and I doubt that you're using the letter_opener gem in your development environment, which depends on launchy, so updating letter_opener to 1.2.0 will update launchy to a version above 2.4.0, most likely 2.4.2, which has this issue fixed.
All credit goes to #infertux
It would really help if you provided your database.yml file
The default connection method is a unix domain socket, not to be confused with a TCP/IP socket. The unix domain socket connection method is used by default.
You should check that the unix user that you are trying to run rails under has sufficient permissions to access the domain socket (typically at /var/run/postgresql/.s.PGSQL.5432)
Try typing the following as your rails user:
psql
If you get a database connection error then it's likely a permissions problem, if postgres is actually running.
You can check your /etc/postgresql.conf file and have postgres configure the group and permissions on the socket when it starts:
unix_socket_directory = '/var/run/postgresql' # dont worry if yours is different
#unix_socket_group = '' # default is usually ok
#unix_socket_permissions = 0777 # uncomment this if needed
Another option is to add the user to the group that has write access to the socket, vs. allowing all users on the machine access with the 0777 permissions setting above. You may want to create a postgres_users group for this purpose if the default Ubuntu groups provide insufficient granularity for your needs.
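As an added example, not from the answer above or from PostgreSQL, of the permission check behind that advice: connect(2) on a unix socket needs write permission on the socket inode (plus search permission on its directory), so the socket's owner, group and mode bits decide which OS users can reach the server without TCP. The script applies that check for the current user, or for another uid and group list you pass in, and contrasts the 0777 setting with 0770 plus group membership. The socket path is the Ubuntu default the answer assumes; the temporary socket is constructed by the script so it runs without a PostgreSQL server.

```ruby
require "socket"
require "tmpdir"

# Added example, not from the answer or from PostgreSQL. Assumption: the
# server's socket is at the Ubuntu default path.
PG_SOCKET = "/var/run/postgresql/.s.PGSQL.5432"

# Apply the owner/group/other write check the kernel applies on connect(2).
# uid and groups default to the current process, so running this as the rails
# user answers "can rails connect to the socket?"; pass another uid and group
# list to answer it for a different account without switching users.
def socket_access(path, uid: Process.uid, groups: Process.groups)
  st = File.stat(path)
  raise ArgumentError, "#{path} is not a unix socket" unless st.socket?
  mode = st.mode & 0o777
  can_connect =
    if st.uid == uid
      (mode & 0o200) != 0            # owner write bit
    elsif groups.include?(st.gid)
      (mode & 0o020) != 0            # group write bit
    else
      (mode & 0o002) != 0            # other write bit
    end
  { owner_uid: st.uid, owner_gid: st.gid, mode: format("%04o", mode),
    world_writable: (mode & 0o002) != 0, can_connect: can_connect }
end

# Create a throwaway socket with the given mode in a temp dir and yield its
# path, so the check can be exercised without a running PostgreSQL server.
def with_socket(mode)
  Dir.mktmpdir do |dir|
    path = File.join(dir, ".s.PGSQL.5432")
    server = UNIXServer.new(path)
    begin
      File.chmod(mode, path)
      yield path
    ensure
      server.close
    end
  end
end

if $PROGRAM_NAME == __FILE__
  if File.socket?(PG_SOCKET)
    puts "#{PG_SOCKET}: #{socket_access(PG_SOCKET)}"
  else
    # unix_socket_permissions = 0777 (the blunt fix) versus 0770 plus group
    # membership for a user who is not the socket's owner.
    with_socket(0o777) { |p| puts "0777: #{socket_access(p)}" }
    with_socket(0o770) do |p|
      info = socket_access(p)
      puts "0770, same group: #{socket_access(p, uid: info[:owner_uid] + 1, groups: [info[:owner_gid]])}"
      puts "0770, other group: #{socket_access(p, uid: info[:owner_uid] + 1, groups: [info[:owner_gid] + 1])}"
    end
  end
end
```

With a live server, run it as the user Rails runs under; can_connect false with world_writable false means the fix is group membership (usermod -aG on the socket's group), not 0777.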
It looks to me like there's confusion about the connection method. PostgreSQL supports the two methods:
Socket
TCP/IP
These are completely, utterly different. :-)
In your question, you show a socket setting, but mention TCP. I suggest to focus on each of these two ways of connecting in isolation and see which produces results. I.e., create two version branches pg-socket and pg-tcpip just to make things clear. Then, clean up your config file and attempt to connect via both methods.
Often, a socket connection is easier because you just need to know the pathname of the socket "file". No firewall settings are necessary (because no TCP/IP networking is involved).
Update your question after doing this and tell us how each of the two methods did for you.
Have you set keepalives as specified here: http://www.postgresql.org/docs/9.2/static/libpq-connect.html#LIBPQ-PARAMKEYWORDS ? A similar issue was solved with it at: https://bitbucket.org/ged/ruby-pg/issue/170/pg-unabletosend-connection-timed-out

How do I pass arguments to Thin in Rails 3.1+ to configure SSL?

I'm working on enabling SSL on a Rails app in a staging environment that uses the Thin gem. It seems like I'm only a few steps away. I've set config.force_ssl = true in config/environments/staging.rb.
Since I haven't told Thin where the SSL certificate and key are, rails puts !! Invalid request. At least I think that's why it's doing that.
I found that Thin can accept arguments to determine the location of the SSL certificate and key files, as in this answer. However, I can't figure out where to tell Rails to start Thin with these arguments. How do I do this?
If you're starting from the command line, you can run thin start --ssl instead of rails server (plus any other options listed in How can I pass SSL options into "rails server" in Rails 3.0?)
