Feature #22165
closedAllow custom configuration for HSTS settings
Description
Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1486297
Description of problem:
Foreman/Satellite currently unconditionally sets the HSTS header to "Strict-Transport-Security: max-age=631152000; includeSubdomains", see https://github.com/theforeman/foreman/blob/develop/config/initializers/secure_headers.rb
While generally a good idea, HSTS has the issue that browsers will refuse to talk unencrypted to the Satellite at all after seeing the HSTS header once.
However, we want /pub/ and /pulp/repos/…/custom/ to be available via HTTP too.
This is not a problem for yum/dnf/wget/curl, as those neither implement nor ever see the HSTS header from Foreman, but regular users quite often want to browse the repos with their browsers and that is not possible with HSTS on (as /pulp/repos/ requires a client cert from the Katello CA when accessed via HTTPS).
As HSTS works based on domains/hostnames, you cannot exclude /pub/ and /pulp/repos/ from it.
The best solution that comes into my mind would be allowing to disable and/or change the HSTS settings, so that the users at least can decide if they want HSTS or not (but still leave it on by default).
Version-Release number of selected component (if applicable):
6.2.11
How reproducible:
100%
Steps to Reproduce:
1. curl -I https://sat.example.com
Actual results:
Strict-Transport-Security: max-age=631152000; includeSubdomains
Expected results:
Depending on the settings
Additional info:
The error you see in Firefox is:
An error occurred during a connection to sat.example.com. SSL peer was unable to negotiate an acceptable set of security parameters. Error code: SSL_ERROR_HANDSHAKE_FAILURE_ALERT
The error you see in Chrome is:
This site can’t provide a secure connection sat.example.com didn’t accept your login certificate, or one may not have been provided.
Try contacting the system admin.
ERR_BAD_SSL_CLIENT_AUTH_CERT
Updated by The Foreman Bot almost 7 years ago
- Status changed from New to Ready For Testing
- Assignee set to Tomer Brisker
- Pull request https://github.com/theforeman/foreman/pull/5154 added
Updated by The Foreman Bot almost 7 years ago
- Pull request https://github.com/theforeman/puppet-foreman/pull/614 added
Updated by Marek Hulán almost 7 years ago
- Translation missing: en.field_release set to 330
Updated by Anonymous almost 7 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset dbdac61f788dc22bb58c002b34fe31abcb188aec.