Passenger 5 Headers and Environment variables


ke...@reflexionhealth.com

Mar 16, 2015, 8:45:22 PM
to phusion-...@googlegroups.com
I'm using Passenger with Nginx, and have just updated from v4.0.58 to v5.0.4.
Passenger was installed on the system using the passenger and nginx-extras packages from the Ubuntu Trusty Passenger PPA.

The 5.0.0 version removed the Nginx passenger_set_cgi_param and supposedly replaced it with passenger_set_header and passenger_env_var.
I was using passenger_set_cgi_param to pass the Nginx $ssl_client_cert and $ssl_client_verify.

Previous configuration:

    server {
        ... Nginx stuff ...

        passenger_set_cgi_param SSL_CLIENT_S_CERT $ssl_client_cert;
        passenger_set_cgi_param SSL_CLIENT_VERIFY $ssl_client_verify;
    }

To handle the change, I have updated the application to expect the values in the headers (Strong opinions on this later), and changed the config:

    server {
        ... Nginx stuff ...

        passenger_set_header SSL_CLIENT_S_CERT $ssl_client_cert;
        passenger_set_header SSL_CLIENT_VERIFY $ssl_client_verify;
    }


PROBLEMS

  1. The passenger_set_header directive doesn't actually work!  (Note, I only have one context in this config file: the server context, and NO location, etc contexts)
  2. The passenger_env_var directive only works during application loading!  Because of this behavior it is not possible to pass variables in the environment instead of as a header.
  3. Sending Security Parameters through Headers seems like a Very Bad Idea(TM), because Clients are ALLOWED to provide Headers, and Clients SHOULDN'T be allowed to provide their own validation success.
    • Although passenger_set_header SHOULD override a value set by the client, (which it doesn't, because It doesn't work: see #1), a developer is likely to forget to set passenger_set_header in all relevant contexts.  This is especially true because it is not inherited across contexts; it'd be easy to forget when adding a new context.
  4. The passenger_set_header directive isn't inherited across contexts! (First see #3, then: ) This means the configuration for these variables has to be set in every single server context.  That is a lot of text duplication and means that if you wanted to consistently change what a header is named, you'd have to change the name in as many places as you have contexts.
  5. The v4.0.X versions of the passenger and nginx-extras packages are no longer available in the PPA, so it is hard to revert to the old version.


All Help, Reasoning, and Ideas to help with any of the problems are incredibly appreciated.

Thanks,
  -- Kevin
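
A check for problems 3 and 4 above, as an added example that is not part of the original post and not Passenger's own tooling: a small linter that lists every `server` and `location` block that does not itself set the required `passenger_set_header` lines. It assumes, as reported in the post, that the directive is not inherited; the header names and the sample configuration are constructed, and the tokenizer is simplified (no quoted strings or braces inside regex locations).

```ruby
# Added example. Header names below are assumed placeholders.
REQUIRED_HEADERS = %w[x-ssl-client-verify x-ssl-client-s-cert].freeze

# Returns [[context_name, [missing_header, ...]], ...] for every server or
# location block that does not declare all required headers itself.
def missing_header_contexts(conf, required = REQUIRED_HEADERS)
  stack = []     # currently open blocks, innermost last
  findings = []
  # Strip comments, then walk the text one "{", ";" or "}" at a time.
  conf.gsub(/#.*$/, '').scan(/([^{};]*)([{};])/) do |text, delim|
    words = text.split
    case delim
    when '{'
      stack.push({ name: words.join(' '), headers: [] })
    when ';'
      if words[0] == 'passenger_set_header' && stack.any?
        # HTTP header names are case-insensitive, so compare lowercased.
        stack.last[:headers] << words[1].to_s.downcase
      end
    when '}'
      block = stack.pop
      next unless block && block[:name] =~ /\A(server|location)\b/
      missing = required - block[:headers]
      findings << [block[:name], missing] unless missing.empty?
    end
  end
  findings
end

# Constructed sample: the first server is complete, its location forgot the
# certificate header, and the second server sets neither.
SAMPLE_CONF = <<~'CONF'
  server {
      listen 443 ssl;
      passenger_set_header X-SSL-Client-Verify $ssl_client_verify;
      passenger_set_header X-SSL-Client-S-Cert $ssl_client_cert;
      location /api {
          passenger_set_header X-SSL-Client-Verify $ssl_client_verify;
      }
  }
  server {
      listen 8443 ssl;
      passenger_enabled on;
  }
CONF

missing_header_contexts(SAMPLE_CONF).each { |name, miss| puts "#{name}: missing #{miss.join(', ')}" }
```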

Hongli Lai

Mar 19, 2015, 12:57:04 PM
to phusion-passenger
On Tue, Mar 17, 2015 at 1:45 AM, <ke...@reflexionhealth.com> wrote:
> passenger_set_header SSL_CLIENT_S_CERT $ssl_client_cert;
> passenger_set_header SSL_CLIENT_VERIFY $ssl_client_verify;

This is not the correct format. passenger_set_cgi_param accepted names
in CGI format, but passenger_set_header accepts names in HTTP header
format. If anything, it should be something like "X-SSL-Client-S-Cert"
instead of "SSL_CLIENT_S_CERT".


> The passenger_set_header directive doesn't actually work! (Note, I only
> have one context in this config file: the server context, and NO location,
> etc contexts)

What do you mean? Do they not show up in the request headers at all?


> The passenger_env_var directive only works during application loading!
> Because of this behavior it is not possible to pass variables in the
> environment instead of as a header.

This is correct. Setting environment variables per-request is too
expensive and is not thread-safe.


> Although passenger_set_header SHOULD override a value set by the client,
> (which it doesn't, because It doesn't work: see #1), a developer is likely
> to forget to set passenger_set_header in all relevant contexts. This is
> especially true because it is not inherited across contexts; it'd be easy to
> forget when adding a new context.
>
> The passenger_set_header directive isn't inherited across contexts! (First
> see #3, then: ) This means the configuration for these variables has to be
> set in every single server context. That is a lot of text duplication and
> means that if you wanted to consistently change what a header is named,
> you'd have to change the name in as many places as you have contexts.

We'll have a look at the context inheritance thing.

As for headers vs CGI environment: it's not possible to continue
supporting the CGI environment mechanism because the protocol between
Passenger and Nginx is now also HTTP.


> The v4.0.X versions of the passenger and nginx-extras packages are no longer
> available in the PPA, so it is hard to revert to the old version.

Version 4 is actually still available:
https://blog.phusion.nl/2015/03/08/passenger-4-apt-repository-now-available/

--
Phusion | Web Application deployment, scaling, and monitoring solutions

Web: http://www.phusion.nl/
E-mail: in...@phusion.nl
Chamber of commerce no: 08173483 (The Netherlands)
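
The application side of the exchange above, as an added example that is not code from either poster or from Passenger: a Rack middleware that reads the verification result from request headers and fails closed. It assumes a Ruby application and the hypothetical header names X-SSL-Client-Verify and X-SSL-Client-S-Cert, following the HTTP header format suggested in the reply; the request environments are constructed.

```ruby
# Added example. Header names are assumptions, not taken from the thread.
class ClientCertGate
  # Rack exposes the HTTP header "X-SSL-Client-Verify" under this env key.
  # The old CGI parameter was read as plain "SSL_CLIENT_VERIFY" instead, so
  # an application still looking up that key finds nothing.
  VERIFY_KEY = 'HTTP_X_SSL_CLIENT_VERIFY'
  CERT_KEY   = 'HTTP_X_SSL_CLIENT_S_CERT'
  DENIED = [403, { 'Content-Type' => 'text/plain' },
            ["client certificate required\n"]].freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    return DENIED unless verified?(env)
    # Pass the certificate on under a key that is not derived from a
    # request header, so downstream code never reads the raw header.
    env['client_cert.pem'] = env[CERT_KEY]
    @app.call(env)
  end

  private

  def verified?(env)
    # Nginx sets $ssl_client_verify to SUCCESS, FAILED:<reason> or NONE.
    # Exact match only: a missing header, or a comma-joined value such as
    # "SUCCESS, NONE" from merged duplicate headers, is rejected.
    env[VERIFY_KEY] == 'SUCCESS' && !env[CERT_KEY].to_s.strip.empty?
  end
end

# Constructed demo application wrapped by the gate.
DEMO_APP = ClientCertGate.new(->(env) { [200, {}, [env['client_cert.pem']]] })

# Returns the HTTP status the gate produces for a given Rack env.
def demo_status(env)
  DEMO_APP.call(env).first
end
```

The gate cannot tell a value set by Nginx from one a client sent, so it only holds if the proxy sets both headers in every context that reaches the application.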