Adding HTTP headers for rabbitmq_management
482 views
Skip to first unread message
Doyle Hunter
May 13, 2015, 5:09:10 PM5/13/15
to rabbitm...@googlegroups.com
I am trying to implement RabbitMQ in an enterprise environment. Despite the fact that it will only used internally, IS Operations requires that there not be any unresolved security vulnerabilities from a Qualys scan. Unfortunately, the scan comes up with vulnerabilities for "Framable Page." It recommends setting an X-Frame-Options header. I can do this with IIS, but I don't know where to start with Erlang/WebMachine/MochiWeb/RabbitMQ. Is this something I could configure easily or would it require changing Erlang code and recompiling the rabbitmq_management plugin?
At this point, I'm probably just going to have to disable the plugin so I can move forward, but I'd like to enable it later if I can get a resolution for this security concern.
I'd appreciate any helpful feedback.
Michael Klishin
May 13, 2015, 5:15:58 PM5/13/15
to Doyle Hunter, rabbitm...@googlegroups.com
On 14 May 2015 at 00:09:13, Doyle Hunter (doylel...@gmail.com) wrote:
> Is this something I could configure easily or would it require
> changing Erlang code and recompiling the rabbitmq_management
> plugin?
It would require building the plugin from source. If you have IIS running
> Is this something I could configure easily or would it require
> changing Erlang code and recompiling the rabbitmq_management
> plugin?
in front of RabbitMQ, can't you configure extra response headers there?
Nginx and Apache can add custom headers to proxied responses, for example.
--
MK
Staff Software Engineer, Pivotal/RabbitMQ
Doyle Hunter
May 13, 2015, 6:17:17 PM5/13/15
to rabbitm...@googlegroups.com, doylel...@gmail.com
Wow. I wasn't expecting such a speedy reply.
I will be running it on a Windows Server, but I hadn't considered using IIS as a proxy for the plugin. If I did that, I suppose I would need to set the listener IP address to 127.0.0.1 in the rabbitmq_management config file to keep the plugin from being seen remotely? I'll have to dig into IIS's Application Request Routing and the URL Rewrite Module to try this out.
If I chose to try an Erlang code solution and submitted a pull request, is this a change that might be accepted? Or better yet, is it something that your team might consider implementing? Although I'd prefer this solution to the proxy option, I wouldn't want to have to keep applying a change to the base code every time a new version of RabbitMQ came out.
I gather the X-Frame-Options is considered old school now and the new resolution for this issue will be a Content-Security-Policy: frame-ancestors header.
Thanks for your help
Michael Klishin
May 13, 2015, 6:31:11 PM5/13/15
to Doyle Hunter, rabbitm...@googlegroups.com
On 14 May 2015 at 01:17:19, Doyle Hunter (doylel...@gmail.com) wrote:
> If I did that, I suppose I would need to set the listener IP address
> to 127.0.0.1 in the rabbitmq_management config file to keep
> the plugin from being seen remotely?
Yes, doing that makes sense.
> If I did that, I suppose I would need to set the listener IP address
> to 127.0.0.1 in the rabbitmq_management config file to keep
> the plugin from being seen remotely?
> If I chose to try an Erlang code solution and submitted a pull request,
> is this a change that might be accepted? Or better yet, is it something
> that your team might consider implementing? Although I'd prefer
> this solution to the proxy option, I wouldn't want to have to keep
> applying a change to the base code every time a new version of RabbitMQ
> came out.
Do you configure extra headers via config file? If so, what to do about "variables"?
This is a feature with quite a feature creep potential and our team is tiny.
I genuinely believe that if all you need is adding a few headers to every response,
using a proxy (whether it is IIS or something else) is the way to go.
That said, we're happy to hear how you'd approach it.
Joel Webb
Jan 31, 2020, 10:56:53 AM1/31/20
to rabbitmq-users
Has this been resolved in the 3.8.2 Release?
As of 3.8.0 this security issue still existed. The answer I received from Pivitol was that we needed to run the web interface behind NGinX. However, that is bad form in my opinion as it just adds complexity to the solution as opposed to simply modifying the header in the erlang.
Luke Bakken
Jan 31, 2020, 11:49:28 AM1/31/20
to rabbitmq-users
Hello,
I can't find the string X-Frame-Options in the source code -
the following header obsoletes the above:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
CSP is supported as of this merge - https://github.com/rabbitmq/rabbitmq-management/pull/625
CSP is supported as of this merge - https://github.com/rabbitmq/rabbitmq-management/pull/625
So, we will not be adding support for X-Frame-Options it seems.
Thanks,
Luke
Joel Webb
Jan 31, 2020, 11:54:29 AM1/31/20
to rabbitm...@googlegroups.com
What release is this fix in Luke?
--
You received this message because you are subscribed to a topic in the Google Groups "rabbitmq-users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/rabbitmq-users/a4XVwFUlQeo/unsubscribe.
To unsubscribe from this group and all its topics, send an email to rabbitmq-user...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/rabbitmq-users/20cb929b-3709-4dd2-ba39-262b0439a1c2%40googlegroups.com.
Luke Bakken
Jan 31, 2020, 12:00:15 PM1/31/20
to rabbitmq-users
Hi Joel,
If you click the merge commit link in that PR ...
... where you can expand the tags associated with the commit:
- v3.8.3-beta.2
- v3.8.3-beta.1
- v3.8.2
- v3.8.2-rc.1
- v3.8.1
- v3.8.1-rc.1
- v3.8.1-beta.2
- v3.8.1-beta.1
- v3.8.0
- v3.8.0-rc.3
- v3.8.0-rc.2
- v3.8.0-rc.1
- v3.8.0-beta.7
- v3.8.0-beta.6
- v3.8.0-beta.5
- v3.8.0-beta.4
- v3.8.0-beta.3
- v3.8.0-beta.2
- v3.8.0-beta.1
So it looks like customizing these headers is supported as of version 3.8.0.
Thanks -
Luke
Joel Webb
Jan 31, 2020, 12:04:25 PM1/31/20
to rabbitm...@googlegroups.com
I'm confused. it is in master, and I see what you pointed to. But it looks like it is in the 3.8.3 beta version and higher.
Additionally, what do I put in the config in order to enable it. Because from the code, it looks like it is on by default:
--
You received this message because you are subscribed to a topic in the Google Groups "rabbitmq-users" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/rabbitmq-users/a4XVwFUlQeo/unsubscribe.
To unsubscribe from this group and all its topics, send an email to rabbitmq-user...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/rabbitmq-users/2b557849-e59f-4c49-ba6a-602e4b4a5e66%40googlegroups.com.
Luke Bakken
Jan 31, 2020, 1:10:35 PM1/31/20
to rabbitmq-users
Hi Joel,
As for your other question, the content-security-policy header is added to API request responses but not to the response headers for static content. This is probably an oversight but I will confirm with the team.
Here's the default view that I see when viewing the commit in GitHub via this URL https://github.com/rabbitmq/rabbitmq-management/commit/d6fad95bef38837b5fe016090202505b4cd2077c
Note the expander:
Here is the view with the tags expanded. Note that v3.8.0, v3.8.1 and v3.8.2 are in the list:
As for your other question, the content-security-policy header is added to API request responses but not to the response headers for static content. This is probably an oversight but I will confirm with the team.
I have filed an issue here if you would like to follow along - https://github.com/rabbitmq/rabbitmq-management/issues/767
Thanks,
Luke
On Friday, January 31, 2020 at 9:04:25 AM UTC-8, Joel Webb wrote:
Joel Webb
Mar 25, 2020, 4:15:08 PM3/25/20
to rabbitmq-users
Following up.
Was this added to the static content?
I've upgraded to 3.8.3 and added the content_security_policy and strict_transport_security
Luke Bakken
Mar 25, 2020, 5:01:35 PM3/25/20
to rabbitmq-users
Hi Joel,
Yes, please see this response - https://groups.google.com/d/msg/rabbitmq-users/a4XVwFUlQeo/5jb0WNFRAgAJ
You do not need to add any settings to RabbitMQ to enable the header for static content.
You can see the headers returned for static content using version 3.8.3:
~\issues\rmq-generic\rabbitmq_server-3.8.3> curl -4vvv localhost:15672
* Trying 127.0.0.1:15672...
* Connected to localhost (127.0.0.1) port 15672 (#0)
> GET / HTTP/1.1
> Host: localhost:15672
> User-Agent: curl/7.69.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< content-length: 2884
< content-security-policy: script-src 'self' 'unsafe-eval' 'unsafe-inline'; object-src 'self'
< content-type: text/html
< date: Wed, 25 Mar 2020 20:59:09 GMT
< etag: "1365895299"
< last-modified: Wed, 25 Mar 2020 20:58:08 GMT
< server: Cowboy
< vary: origin
<
<!DOCTYPE html>
<html>
* Trying 127.0.0.1:15672...
* Connected to localhost (127.0.0.1) port 15672 (#0)
> GET / HTTP/1.1
> Host: localhost:15672
> User-Agent: curl/7.69.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< content-length: 2884
< content-security-policy: script-src 'self' 'unsafe-eval' 'unsafe-inline'; object-src 'self'
< content-type: text/html
< date: Wed, 25 Mar 2020 20:59:09 GMT
< etag: "1365895299"
< last-modified: Wed, 25 Mar 2020 20:58:08 GMT
< server: Cowboy
< vary: origin
<
<!DOCTYPE html>
<html>
Reply all
Reply to author
Forward
0 new messages