When deploying an application to Elastic Beanstalk, is it possible to disable the error page that is shown by Phusion Passenger (Standalone)? Especially in production. This page includes a stack trace as well as exposed environment variables ... which is dangerous in my opinion.

A quick way to reproduce this would be to introduce a syntax error (it's not the only way).

I can see here (link) that it's possible ... just not sure how you'd do the same on EB. To avoid broken links in the future, I'll just quote the conversation here ... one guy asks:

> I seem to recall reading somewhere that it's possible to disable the passenger boot error page that shows if you're missing gems, etc. If I recall correctly, I think the Phusion guys were saying that the default behavior in the production environment would be to suppress this error page that shows the stack trace, etc. Is there a way to disable this error page with the current version of Passenger?

To which one of the Phusion guys replies ...

> Right now you can just edit the templates in lib/phusion_passenger/templates. All errors are also logged to the web server log file.

While the response is a positive sign, it doesn't really solve my problem ... which is how to do it on EB, and we all (almost) know that EB is a bit more tight-boxed than your typical self-administered server.

King'ori Maina

1 Answer

You need to add a Passenger directive to prevent Passenger from exposing potentially exploitable details about your web server. The way to do this is to add a directive to your web server configuration to prevent Passenger from showing a backtrace and dumping environment variables to your users. For instance, if your Rails app is deployed using Apache, then you just need to add the following directive to your VirtualHost configuration block:

<VirtualHost *:80>
  ...
  PassengerFriendlyErrorPages off
</VirtualHost>

As for AWS EBS, I'm not particularly familiar with it, but a quick Google search revealed that you have to put this config in your Apache vhosts config, which is in the .ebextensions directory. You've probably done this already since you've already deployed your app successfully. I'll show it anyway for the benefit of others. For instance, if you're using Apache, you might have something like this under .ebextensions/vhosts.config:

files:
  "/etc/httpd/conf.d/vhosts.conf":
    mode: "000644"
    owner: root
    group: root
    encoding: plain
    content: |
      NameVirtualHost *:80

      <VirtualHost *:80>
        ServerName www.example.com
        ServerAlias example.com
        DocumentRoot /var/www/ruby/example/
      </VirtualHost>

      PassengerFriendlyErrorPages off

Update: You can find the documentation to turn off 'friendly error pages' here

Kibet Yegon
  • Thanks for the response. Apologies ... just realised I wasn't clear on the type that I'm using. I've since updated the Q to reflect this I'm using the Passenger Standalone version ... not Passenger for Nginx or Passenger for Apache. Nevertheless ... the `.ebextensions` comment has given me an idea. – King'ori Maina May 30 '14 at 10:25
  • It's still possible to do that if you're using Passenger Standalone. I've linked the documentation for this on my answer. – Kibet Yegon May 30 '14 at 13:23
  • Sorry, this won't work. Phusion Passenger at the core still uses Nginx (so no Apache configs). I've been reading on this in the morning and you pointed me in the right direction though. There's a lot on configuration on the Phusion Passenger here http://www.modrails.com/documentation/Users%20guide%20Standalone.html#config_file ... there are two ways other than passing arguments at the command line ... 1) Using a `passenger-standalone.json` file at the root of the app or 2) editing the templates that are used to generate the Nginx equivalent of what you shared for Apache. – King'ori Maina May 30 '14 at 17:21
  • My bad, I linked the wrong documentation. The one I linked was specific to Apache. Hope you figured it out. – Kibet Yegon May 30 '14 at 19:09
  • @King'oriMaina, did you work out a solution on this for Passenger Standalone? Perhaps you could post it as an answer? – Mark Berry Jun 06 '14 at 20:07
  • @MarkBerry Unfortunately, not yet. The closest I've gotten so far is that, as per the docs, it's possible to use the advanced config ... that does exactly what I want ... which pretty much means editing a JSON template that the Nginx core uses. You can edit this to change that behaviour. The caveat is that this template might change with the version of standalone going forward, which might break the app; hence, I don't think it's suitable for production :-( Still searching. – King'ori Maina Jun 06 '14 at 20:59
  • I have been looking around in my instance, which is 64bit Amazon Linux 2014.03 v1.0.2 running Ruby 2.0 (Passenger Standalone). In the /opt/elasticbeanstalk/support/conf/passenger file, I see `# Disable passenger friendly page for production stage STARTOPTS="$STARTOPTS --no-friendly-error-pages"`, which *looks* like it is already trying to do what you want? It only applies to `production`. – Mark Berry Jun 06 '14 at 23:46
  • @MarkBerry Yes that's exactly what I want and I'd have expected the AWS guys to set the environment to 'production' or pick it from `RAILS_ENV`. The Phusion guys confirm (as you imply) that what I'm requesting for is the expected behaviour as well. Anyway, checked out the file on mine and there's actually no `--no-friendly-error-pages` option passed in in the call to start Passenger. I'm running on 64bit Amazon Linux 2014.03 **v1.0.1** running Ruby 2.0 (Passenger Standalone) so maybe that difference is part of the patch version bump. – King'ori Maina Jun 07 '14 at 10:20
  • There is logic in that file on mine to only work in production. Still learning the AWS patching process myself but I would think there is a way to go to 1.0.2 (though I don't know what other changes that might bring with it). – Mark Berry Jun 08 '14 at 21:02
  • @MarkBerry Been hoping to update you on this but have been unable to trigger an update to the environment to bump it to 1.0.3, which is now the latest. Unfortunately the only way forward seems to be to create a new environment then swap URLs (upgrading the app is easy but upgrading the environment isn't as easy). Even tried rebuilding the environment :( but I'm still stuck at 1.0.1. Anyway, this will have to wait. When the time comes and I confirm this behaviour I'll post an update. – King'ori Maina Jun 09 '14 at 11:21
  • @King'oriMaina, quick update: I discovered when setting up Beanstalk single-instance for SSL that AWS specifically recommends using a passenger-standalone.json file to turn on the correct flags in the Nginx config template (possibly already customized for Beanstalk?). See http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/SSLRuby.SingleInstance.html#Passenger. It looks like `friendly_error_pages` is one of the options that the template recognizes. Template: `$(passenger-config about resourcesdir)/templates/standalone/config.erb`. – Mark Berry Jul 15 '15 at 18:11
  • Hey @MarkBerry thanks for the update. Unfortunately I don't have this setup anymore ... but I'm sure anyone else having trouble will find this conversation helpful. – King'ori Maina Jul 22 '15 at 18:04
  • The documentation is moved [here](https://www.phusionpassenger.com/library/config/apache/reference/#passengerfriendlyerrorpages). As of the latest version, (according to documentation) `PassengerFriendlyErrorPages` defaults to `off` when `PassengerAppEnv` isn't `development`, and `PassengerAppEnv` automatically picks up `RailsEnv`, so hopefully latest Passenger users won't meet this issue ever again… – Franklin Yu Mar 27 '17 at 06:31
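
A way to check which setting is actually in effect for Passenger Standalone, as an added example that is not part of the original thread: it reads the two sources the comments mention, the `STARTOPTS` lines of the Beanstalk Passenger options file and the standalone JSON config. The file contents below are constructed samples, the `friendly_error_pages` key is taken from the comment above, and the rule that a command-line flag overrides the JSON file is an assumption.

```ruby
require "json"

# Added example (not code from the thread). Reports how the friendly error
# page is configured, without relying on Passenger's version-dependent default.

# Collect flags from uncommented STARTOPTS="..." assignments in a shell file.
# Shell conditionals are not evaluated: a flag found here may sit in a branch
# that only runs for one environment (e.g. production).
def startopts_flags(shell_text)
  shell_text.to_s.each_line.flat_map do |line|
    code = line.strip
    next [] if code.start_with?("#")
    m = code.match(/STARTOPTS=(["'])(.*?)\1/)
    m ? m[2].split.select { |w| w.start_with?("--") } : []
  end
end

# Returns :explicit_off, :explicit_on, :implicit or :unreadable_config.
# Assumption: a command-line flag overrides the JSON file.
def audit_friendly_error_pages(shell_text, json_text)
  flags = startopts_flags(shell_text)
  return :explicit_off if flags.include?("--no-friendly-error-pages")
  return :explicit_on  if flags.include?("--friendly-error-pages")

  config = json_text.to_s.strip.empty? ? {} : JSON.parse(json_text)
  return :unreadable_config unless config.is_a?(Hash)
  case config["friendly_error_pages"]
  when false then :explicit_off
  when true  then :explicit_on
  else :implicit # nothing set: behaviour depends on version and environment
  end
rescue JSON::ParserError
  :unreadable_config
end

# Constructed samples modelled on the two platform versions discussed above.
V102_CONF = <<~'SH'
  # Disable passenger friendly page for production stage
  STARTOPTS="$STARTOPTS --no-friendly-error-pages"
SH
V101_CONF = <<~'SH'
  # STARTOPTS="$STARTOPTS --no-friendly-error-pages"
  STARTOPTS="$STARTOPTS --daemonize"
SH

if __FILE__ == $PROGRAM_NAME
  puts audit_friendly_error_pages(V102_CONF, "")
  puts audit_friendly_error_pages(V101_CONF, '{"friendly_error_pages": false}')
  puts audit_friendly_error_pages(V101_CONF, '{"port": 8080}')
end
```

Treat `:implicit` and `:explicit_on` as findings for a production environment; an explicit `false` in the JSON file survives platform version changes that alter the start flags.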