No red ink server name protection is dead (#10753)

* Kill default server script because it’s broken * set elb timeout setting * Merge branch master into server_name-protection-is-dead [ci skip]

No red ink server name protection is dead (#10753)
eb62340c · Cam Saul · GitHub · 694eb6f3 · eb62340c · eb62340c
Unverified Commit eb62340c authored 5 years ago by Cam Saul Committed by GitHub 5 years ago
--- a/bin/aws-eb-docker/.ebextensions/01_metabase.config
+++ b/bin/aws-eb-docker/.ebextensions/01_metabase.config
@@ -4,9 +4,8 @@
 # Comment out a variable to disable a feature
 #####
 container_commands:
-    #customize_env: 
+    #customize_env:
        #env:
-            #NGINX_SERVER_NAME: metabase.example.com
            #NGINX_FORCE_SSL: 1
            #PAPERTRAIL_HOSTNAME: $HOSTNAME
            #PAPERTRAIL_HOST: foobar.papertrailapp.com
@@ -20,26 +19,21 @@ container_commands:
        command: ".ebextensions/metabase_config/metabase-setup.sh server_https"
        ignoreErrors: true

-    02_server_name:
-        command: ".ebextensions/metabase_config/metabase-setup.sh server_name"
-        test: test $NGINX_SERVER_NAME
-        ignoreErrors: true
-
-    03_log_x_real_ip:
+    02_log_x_real_ip:
        command: ".ebextensions/metabase_config/metabase-setup.sh log_x_real_ip"
        ignoreErrors: true

-    04_install_papertrail:
+    03_install_papertrail:
        command: ".ebextensions/metabase_config/metabase-setup.sh install_papertrail"
        test: test $PAPERTRAIL_HOST
        ignoreErrors: true

-    05_try_papertrail:
+    04_try_papertrail:
        command: "/sbin/service remote_syslog restart"
        test: test -e /etc/log_files.yml
        ignoreErrors: true

-    06_try_nginx:
+    05_try_nginx:
        command: "/sbin/service nginx restart"
        test: nginx -t
        ignoreErrors: false

--- a/bin/aws-eb-docker/.ebextensions/metabase_config/metabase-setup.sh
+++ b/bin/aws-eb-docker/.ebextensions/metabase_config/metabase-setup.sh
@@ -31,21 +31,6 @@ pt_local_host () {
    sed -i "s/.*hostname:.*/hostname: $PAPERTRAIL_HOSTNAME/" /etc/log_files.yml
 }

-# nginx server name
-server_name () {
-    [[ "$NGINX_SERVER_NAME" ]] && cp_default_server
-    cd /etc/nginx/sites-available/
-    if [[ "$NGINX_SERVER_NAME" ]] ; then
-        if ! grep -q server_name elasticbeanstalk-nginx-docker-proxy.conf ; then
-            sed -i "s|listen 80\;|listen 80\;\n        server_name $NGINX_SERVER_NAME \*\.$NGINX_SERVER_NAME\;\n|" elasticbeanstalk-nginx-docker-proxy.conf
-        fi
-    else
-        # no hostname passed, disable default_server
-        sed -i '/server_name/d' elasticbeanstalk-nginx-docker-proxy.conf
-        [[ -e /etc/nginx/sites-enabled/default_server ]] && rm /etc/nginx/sites-enabled/default_server
-    fi
-}
-
 # enable https redirect
 server_https () {
    cd /etc/nginx/sites-available/
@@ -156,13 +141,6 @@ install_papertrail () {
    [[ "$PAPERTRAIL_HOSTNAME" ]] && pt_local_host
 }

-# enable default_server to drop DNS poisoning
-cp_default_server () {
-    cp .ebextensions/metabase_config/nginx/default_server /etc/nginx/sites-available/default_server
-    [[ ! -e /etc/nginx/sites-enabled/default_server ]] &&
-        ln -s /etc/nginx/sites-available/default_server /etc/nginx/sites-enabled/default_server
-}
-
 # update nginx logging to include x_real_ip
 log_x_real_ip () {
    cp .ebextensions/metabase_config/nginx/log_x_real_ip.conf /etc/nginx/conf.d/log_x_real_ip.conf
@@ -173,9 +151,6 @@ log_x_real_ip () {
 }

 case $1 in
-server_name)
-    server_name
-    ;;
 server_https)
    server_https
    ;;

--- a/bin/aws-eb-docker/.ebextensions/metabase_config/nginx/default_server
+++ b/bin/aws-eb-docker/.ebextensions/metabase_config/nginx/default_server
-# /etc/nginx/sites-available/default_server
-server {
-    listen 80 default_server;
-
-    location /api/health {
-        access_log off;
-        proxy_pass            http://docker;
-        proxy_http_version    1.1;
-        proxy_set_header    Connection            $connection_upgrade;
-        proxy_set_header    Upgrade               $http_upgrade;
-        proxy_set_header    Host                  $host;
-        proxy_set_header    X-Real-IP             $remote_addr;
-        proxy_set_header    X-Forwarded-For       $proxy_add_x_forwarded_for;
-    }
-
-    location / {
-        return 444;
-    }
-}
--- a/docs/operations-guide/running-metabase-on-elastic-beanstalk-old.md
+++ b/docs/operations-guide/running-metabase-on-elastic-beanstalk-old.md
@@ -295,13 +295,3 @@ This provides a simple way to use the Papertrail logging service for collecting
 * Scroll to the bottom of the page and click `Apply` in the lower right, then wait for your application to update.

 *NOTE:* sometimes these settings will not apply until you restart your application server, which you can do by either choosing `Restart App Server(s)` from the Actions dropdown or by deploying the same version again.
-
-
-# Protecting against invalid hostname access
-
-For the truly paranoid, we provide a setting in the AWS EB deployment which enforces an nginx check of the hostname of the incoming request and terminates the request if the client is not requesting the exact hostname that we expect.  This is nice for preventing random internet traffic from stumbling upon your Metabase instance.
-
-1. Click on `Configuration` on the left hand sidebar
-* Scroll down to `Software Configuration` under the _Web Tier_ section and click the gear icon to edit those settings.
-* Under `Environment Properties` add an entry for `NGINX_SERVER_NAME` with a value corresponding to the exact domain name you are using for your Metabase instance.
-* Scroll to the bottom of the page and click `Apply` in the lower right, then wait for your application to update.
--- a/docs/operations-guide/running-metabase-on-elastic-beanstalk.md
+++ b/docs/operations-guide/running-metabase-on-elastic-beanstalk.md
@@ -281,13 +281,3 @@ This provides a simple way to use the Papertrail logging service for collecting
 * Scroll to the bottom of the page and click `Apply` in the lower right, then wait for your application to update.

 *NOTE:* sometimes these settings will not apply until you restart your application server, which you can do by either choosing `Restart App Server(s)` from the Actions dropdown or by deploying the same version again.
-
-
-# Protecting against invalid hostname access
-
-For the truly paranoid, we provide a setting in the AWS EB deployment which enforces an nginx check of the hostname of the incoming request and terminates the request if the client is not requesting the exact hostname that we expect.  This is nice for preventing random internet traffic from stumbling upon your Metabase instance.
-
-1. Click on `Configuration` on the left hand sidebar
-* Scroll down to `Software Configuration` under the _Web Tier_ section and click the gear icon to edit those settings.
-* Under `Environment Properties` add an entry for `NGINX_SERVER_NAME` with a value corresponding to the exact domain name you are using for your Metabase instance.
-* Scroll to the bottom of the page and click `Apply` in the lower right, then wait for your application to update.