How to configure Phusion Passenger X-frame options? - ruby-on-rails

I'm trying to iframe a site I built (using Rails) and deployed on an ubuntu instance on AWS using Phusion Passenger.
I looked more into it and found that I need to change my X-frame options, a HTTP header from 'SAME ORIGIN' to 'ALLOWALL'. I already added this line into my config/application.rb file and my config/environments/production.rb
config.action_dispatch.default_headers.merge!({'X-Frame-Options' => 'ALLOWALL'})
Even then, when I open my site, I still get these settings in my Network Headers:
Status:200 OK
Transfer-Encoding:chunked
X-Content-Type-Options:nosniff
X-Frame-Options:SAMEORIGIN
X-Powered-By:Phusion Passenger 5.0.11
This leads me to believe that there's a Phusion Passenger config file somewhere that I need to change the X-Frame-Options for. Any clues or help would be great, thanks!

X-Frame-Options header should be set in your vhost (usually Apache or Nginx). For security reasons, if possible, only allow HTTPS whitelisted domains and whitelisted paths.
<virtualHost *:443>
# ... Host and Passenger configuration ...
<Location "/your-iframable-path">
Header always set X-Frame-Options "ALLOW-FROM https://domain-using-iframe"
</Location>
</virtualHost>

I had the same problem. After trying for a long time, I found the solution to it.
Passenger uses a template for it's nginx configuration. When starting passenger, you pass the template to it using the --nginx-config-template parameter.
Now, to configure the X-Frame-Options header for passenger, simply edit the template file. Add the following line under the http { block of the template file:
add_header X-Frame-Options "SAMEORIGIN";
And make sure to run
sudo service passenger restart
To make the changes go live.
:)

Related

Apache + PHP-FPM Set proxy timeout only to specific path

I have Apache 2.4 with PHP 5.5 without using php_mod but with PHP-FPM and mod_proxy_fcgi, so I added the following to the vhost:
ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:7000/home/var/www/site/$1
This worked well but when I had some problems with timeouts I added the following code in order to fix this issue to the vhost file:
<Proxy fcgi://127.0.0.1:7000>
ProxySet timeout=3600
</Proxy>
ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:7000/home/var/www/site/$1
However, I would like to add this timeout only to the administration panel of the website, which is www.site.com/admin/xxx. I tried to add the location tag like below, but it didn't worked (Apache fails when restarting).
<LocationMatch ^/admin/.*\.php(/.*)?$>
<Proxy fcgi://127.0.0.1:7000>
ProxySet timeout=3600
</Proxy>
</LocationMatch >
ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:7000/home/var/www/site/$1
First of all, is that possible? Then which would be the correct syntax?
Many thanks for your time
Just use the Proxy wildcard with /admin/*
While this will allow ANY script beneath admin to run with the settings defined, behind an admin (and I assume login) wall, it shouldn't be an issue.
<Proxy "fcgi://127.0.0.1:7000/home/var/www/site/admin/*">
ProxySet timeout=3600
</Proxy>
Use ProxySet outside of a Proxy directive
ProxySet within a Proxy directive can be used without defining the url/balancer/worker. But, you should still be able to use ProxySet within a Location directive.
<LocationMatch ^/admin/.*\.php(/.*)?$>
ProxySet "fcgi://127.0.0.1:7000" timeout=3600
</LocationMatch>
If apache is still failing on startup, check the apache logs, or run strace -Ff apachectl start to find the problem, it may just be a bug in that version of apache.
However, I strongly suspect your LocationMatch regex ^/admin/.*\.php(/.*)?$ to be the cause of the apache failure.

How to use geminabox with Apache web server

I want to use geminabox with Apache web server. I have searched a lot on web but could not find any concrete information. Can some one please let me know how to do this ? Will appreciate detailed suggestions.
An easy way to use Geminabox with Apache is to configure a HTTP Reverse Proxy.
For this configuration, you just need two files:
1) The config.ru just like the example in the README.md file in the geminabox repository:
require "rubygems"
require "geminabox"
Geminabox.data = "include here the data path"
run Geminabox::Server
To run the server use rackup command. This will start the server in the 9292 port. If you want to change the port number use rackup -p XXXX.
2) In the Apache side, make sure that you have the mod_proxy and the mod_proxy_http installed. If yes, just include the following lines into your Apache config file:
ProxyRequests Off
ProxyPass / http://localhost:9292/
ProxyPassReverse / http://localhost:9292/
Restart the Apache and it is done!
geminabox is a ruby application, and just like all ruby applications, Apache does not support them out of the box.
With that said, a simple Google of how to use ruby applications with Apache lead me to this, which lead me to this. I have no experience with this tool. However, it is suggested by the rails team, so it has to have some merit.
I did work with Apache VirtualHost.
In folder /etc/httpd/conf.d/ create a file gems.conf, so add it to the file:
<VirtualHost *:80>
ServerName gems.mydomain
ServerAlias gems.local
DocumentRoot /var/railsapps/gems/public
</VirtualHost>
Where /var/railsapps/gems is the folder that have the config.ru.
The domain gems.mydomain must be in your DNS or /etc/hosts

Proxy requests to virtual host in by path prefix

I'm running multiple Rails applications on TorqueBox. Each application is mounted on a different web context, e.g., localhost:8080/app1 and localhost:8080/app2 (configured via TorqueBox). Apache is configured to accept requests to app1.domain.com and app2.domain.com via virtual hosts. However, I'm running into problems where some application paths (form submission paths and others) expect to be preceeded by /app1, e.g., http://app1.domain.com/app1/rest/of/path instead of the correct http://app1.domain.com/rest/of/path.
How can I configure Apache so that the requests to http://app1.domain.com/app1/... are made to the correct path (i.e., without the leading /app1)? I've tried doing this with redirects but that doesn't work since they force a GET request and the POST data is lost in the process.
This is my current Apache config:
LoadModule proxy_module /usr/lib/apache2/modules/mod_proxy.so
LoadModule proxy_http_module /usr/lib/apache2/modules/mod_proxy_http.so
ProxyRequests Off
ProxyPreserveHost On
NameVirtualHost *:80
<VirtualHost *:80> # There are multiple vhosts like this one, for different apps.
ServerName app1.domain.com
ProxyPass / http://127.0.0.1:8080/app1/
ProxyPassReverse / http://127.0.0.1:8080/app1/
</VirtualHost>
I solved this problem by using a web host instead of a web context in the TorqueBox configuration. After that, getting the Apache configuration to work was no problem since different apps were not under specific context paths.
So, instead of this (in config/torquebox.rb):
TorqueBox.configure do
web do
context '/app1'
end
end
You should do this:
TorqueBox.configure do
web do
host 'app1.domain.tld'
end
end

Rails not rendering assets over SSL (404 Not Found error)

I am kind of new to Rails and am struggling with an issue that is preventing my assets to be found if I try to access my test app using an SSL connection.
As an example of what I am referring to, if you try to access
http://domain.com/testapp the default rails page loads fine and I have no issues at all.
You can also access a page I created using this route
http://domain.com/testapp/static_pages/home
However the same address, if accessed via HTTPS is returning 404 errors for all of my assets. I am also unable to access any routes (they all return 404).
https://domain.com/testapp
https://domain.com/testapp/static_pages/home
I am currently using an Apache server with Passenger installed, and here is what my virtual host configuration looks like:
<Directory /var/www/testapp/public>
PassengerEnabled on
PassengerAppRoot /var/www/testapp
RailsBaseURI /testapp
</Directory>
Any ideas of why this might be happening?
Thanks,
Rog
Thanks all, I finally figured out what was going on so in the interest of others having the same issue, the virtual host configuration was only being applied to the default port (80) so I had to specify port 443 as well.
<VirtualHost *:80 *:443>
<Directory /var/www/testapp/public>
PassengerEnabled on
PassengerAppRoot /var/www/testapp
RailsBaseURI /testapp
</Directory>
</VirtualHost>
For people using Media Temple's DV server, this configurations has to be specified in two separate files (make sure you remove the VirtualHost tags).
vhost.conf
vhost_ssl.conf
And don't forget to restart apache.
/usr/sbin/apachectl -K graceful

Configuring Ruby On Rails App in a subdirectory under Apache

I've got apache2.2 on windows. I'm trying to serve both subversion (/svn) and redmine (/redmine). I have svn running fine with this config:
<Location /svn>
DAV svn
SVNParentPath C:/svn_repository
...
</Location>
This is working great--my svn users can hit http://mybox/svn just fine.
Now I want to add another directory for a rails app (RedMine):
I followed the advice in this question to setup a mongrel server and have apache proxy clients through to it. It works fine if I make it the root--but I'm having trouble making it in a subdirectory:
<Location /redmine>
ProxyPass http://localhost:3000/
ProxyPassReverse http://localhost:3000/
</Location>
Any suggestions?
Here's what I had to change:
I removed the trailing slash:
<Location /redmine>
ProxyPass http://localhost:3000
ProxyPassReverse http://localhost:3000/
</Location>
And in my rails app:
# added to end of file C:\redmine\config\environment.rb
ActionController::AbstractRequest.relative_url_root = "/redmine"
Now it's working!
I wasn't completely happy with this approach--I ran into some redirect issues. This is another attempt which seems to be working well so far.
Fast CGI and Fast CGI without VirtualHosts
Tuning Fast CGI
This second approach seems better.
UPDATE:
As noted in the comments, for more recent apps running on Rails 2.3.2+, use this instead:
config.action_controller.relative_url_root = '/redmine'
I put it in the new additional_environment.rb file.
In case you still wish to use Mongrel + Apache using a reverse proxy here is how I solved the same issue on our system (Win2k3, Apache 2.2, trunk of Redmine). The secret is to install your mongrel service using --prefix /redmine which tells it to serve it from http://localhost:port/redmine
In Apache httpd.conf (or suitable include file):
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
<IfModule mod_proxy.c>
ProxyRequests Off
#No need to forward on static content - let apache do it faster
ProxyPass /redmine/images !
ProxyPass /redmine/stylesheets !
ProxyPass /redmine/javascript !
# Remove the following entry on public sites as this is insecure
ProxyPass /redmine/plugin_assets !
ProxyPass /redmine/help !
ProxyPass /redmine http://localhost:4000/redmine
ProxyPassReverse /redmine http://localhost:4000/redmine
ProxyPreserveHost On
#continue with other static files that should be served by apache
Alias /redmine/images C:/Repositories/redmine/public/images/
Alias /redmine/stylesheets C:/Repositories/redmine/public/stylesheets/
Alias /redmine/javascript C:/Repositories/redmine/public/javascript/
# Remove the following on public sites as this is insecure
Alias /redmine/plugin_assets C:/Repositories/redmine/public/plugin_assets/
Alias /redmine/help C:/Repositories/redmine/public/help/
</IfModule>
# Make sure apache can see public and all subfolders - not suitable for public sites
<Directory "C:/Repositories/redmine/public/">
Allow from all
Order allow,deny
</Directory>
Mongrel is installed as such:
mongrel_rails service::install --prefix /redmine -N redmine_prod -p 4000 -e production -c C:\Repositories\redmine
Hope that helps someone. Initially, I tried setting up Apache + fastcgi etc but I lost more precious hair - it's not Windows friendly.
P.s. I found this PDF a very useful referene: http://www.napcsweb.com/howto/rails/deployment/RailsWithApacheAndMongrel.pdf
/Damien
Passenger (http://modrails.com) is a better alternative to fastcgi because it's very easy to configure I would recommend using this for hosting your rails apps using a similar configuration to what you have now
I agree with Radar. Passenger is really easy to set up, lets Rails apps share memory, removes the burden of managing a cluster of mongrels and requires virtually no configuration. All you need are a special 'config.ru' file with a RackUp config and a DocumentRoot pointing to RAILS_ROOT/public set in Apache.

Resources