From e16ae00efcaa9f87791f70dd92c9534ef6db8d9a Mon Sep 17 00:00:00 2001 From: evazion Date: Sun, 28 Jan 2018 20:46:33 -0600 Subject: [PATCH 1/6] Fix hardcoded http:// urls. --- app/presenters/post_presenter.rb | 2 +- app/views/layouts/default.html.erb | 10 +++++----- app/views/legacy/create_post.xml.erb | 2 +- app/views/static/mrtg.html.erb | 16 ++++++++-------- app/views/users/edit.html.erb | 2 +- 5 files changed, 16 insertions(+), 16 deletions(-) diff --git a/app/presenters/post_presenter.rb b/app/presenters/post_presenter.rb index 9fec67a23..c77fdcd47 100644 --- a/app/presenters/post_presenter.rb +++ b/app/presenters/post_presenter.rb @@ -168,7 +168,7 @@ class PostPresenter < Presenter def safe_mode_message(template) html = ["This image is unavailable on safe mode (#{Danbooru.config.app_name}). Go to "] - html << template.link_to("Danbooru", "http://danbooru.donmai.us") + html << template.link_to("Danbooru", "http://danbooru.donmai.us") # XXX don't hardcode. html << " or disable safe mode to view (" html << template.link_to("learn more", template.wiki_pages_path(title: "help:user_settings")) html << ")." diff --git a/app/views/layouts/default.html.erb b/app/views/layouts/default.html.erb index d0f854bbe..09d58b2a8 100644 --- a/app/views/layouts/default.html.erb +++ b/app/views/layouts/default.html.erb @@ -48,9 +48,9 @@ "@context" : "http://schema.org", "@type" : "Organization", "name" : "<%= Danbooru.config.app_name %>", - "url" : "http://<%= Danbooru.config.hostname%>", + "url" : "<%= root_url %>", "sameAs" : [ - "http://twitter.com/<%= Danbooru.config.twitter_site[1..-1] %>" + "https://twitter.com/<%= Danbooru.config.twitter_site[1..-1] %>" ] } 
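Review bot: The `+` line in safe_mode_message keeps the literal `http://danbooru.donmai.us` and only adds an XXX comment, so the page still emits a plain-http link to a site that this same series moves to forced HTTPS with HSTS. At minimum change the scheme now, `html << template.link_to("Danbooru", "https://danbooru.donmai.us") # XXX don't hardcode the host.`, and keep the XXX for the hostname; better, build it with the same URL helpers the layout hunks switch to. The `html` array is joined outside this hunk.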
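Review bot: Replacing `http://<%= Danbooru.config.hostname %>` with `<%= root_url %>` moves the source of truth for the JSON-LD `url` from configuration to the request's Host header (plus X-Forwarded-Proto), and the shipped nginx config's `proxy_set_header Host $host:$server_port` passes the client's Host value through. If this markup is ever cached or indexed, a spoofed Host header could poison it, so either ensure a `server_name` catch-all rejects unknown hosts in front of Rails or keep building these URLs from `Danbooru.config.hostname` with an explicit `https://` scheme. ERB escapes `root_url` for HTML, not JSON, which is acceptable here only because the URL helpers never emit `"` or `\`; a comment saying so, `<%# root_url derives from the request Host; safe in JSON only because it cannot contain quotes %>`, would save the next reader the check. The enclosing `<script type="application/ld+json">` element starts outside the hunk.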
@@ -59,10 +59,10 @@ { "@context": "http://schema.org", "@type": "WebSite", - "url" : "http://<%= Danbooru.config.hostname %>", + "url" : "<%= root_url %>", "potentialAction": [{ "@type": "SearchAction", - "target": "http://<%= Danbooru.config.hostname %>/posts?tags={search_term_string}", + "target": "<%= posts_url %>?tags={search_term_string}", "query-input": "required name=search_term_string" }] } @@ -73,7 +73,7 @@ "@type": "WebSite", "name": "<%= Danbooru.config.app_name %>", "alternateName": "<%= Danbooru.config.description %>", - "url" : "http://<%= Danbooru.config.hostname %>" + "url" : "<%= root_url %>" } diff --git a/app/views/legacy/create_post.xml.erb b/app/views/legacy/create_post.xml.erb index d8eea6d96..1cd4dbe4c 100644 --- a/app/views/legacy/create_post.xml.erb +++ b/app/views/legacy/create_post.xml.erb @@ -1,5 +1,5 @@ 0 - http://<%= Danbooru.config.hostname %>/uploads/<%= @upload.id %> + <%= upload_url(@upload) %> diff --git a/app/views/static/mrtg.html.erb b/app/views/static/mrtg.html.erb index e4f11a515..2245ef9bb 100644 --- a/app/views/static/mrtg.html.erb +++ b/app/views/static/mrtg.html.erb @@ -2,37 +2,37 @@

5 min

- +

30 min

- +

2 hour

- +

1 day

- +

hijiribe

5 min

- +

30 min

- +

2 hour

- +

1 day

- + <% content_for(:page_title) do %> MRTG - <%= Danbooru.config.app_name %> diff --git a/app/views/users/edit.html.erb b/app/views/users/edit.html.erb index 8a850a2b7..01ea347bf 100644 --- a/app/views/users/edit.html.erb +++ b/app/views/users/edit.html.erb @@ -93,7 +93,7 @@ <%= f.input :disable_responsive_mode, :as => :select, :collection => [["No", "false"], ["Yes", "true"]], :include_blank => false, :hint => "Disable alternative layout for mobile and tablet" %> - <%= f.input :custom_style, :label => "Custom CSS style".html_safe, :hint => "Style to apply to the whole site.", :input_html => {:size => "40x5"} %> + <%= f.input :custom_style, :label => "Custom CSS style".html_safe, :hint => "Style to apply to the whole site.", :input_html => {:size => "40x5"} %> <%= f.button :submit, "Submit" %> From 909c9aad5a952168f0b776c40206bea1e9fcfb27 Mon Sep 17 00:00:00 2001 From: evazion Date: Sun, 28 Jan 2018 20:47:29 -0600 Subject: [PATCH 2/6] Fix user id cache expiration. Use a delayed job instead of a HTTP request to invalidate the user id cache on both servers. --- app/controllers/users_controller.rb | 6 ------ app/models/user.rb | 2 +- config/routes.rb | 4 ---- 3 files changed, 1 insertion(+), 11 deletions(-) diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index 9e6dc0317..2c99c6bef 100644 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb @@ -71,12 +71,6 @@ class UsersController < ApplicationController respond_with(@user, location: edit_user_path(@user)) end - def cache - @user = User.find(params[:id]) - @user.update_cache - render plain: "" - end - private def check_privilege(user) diff --git a/app/models/user.rb b/app/models/user.rb index 5b504ea1c..b55226113 100644 --- a/app/models/user.rb +++ b/app/models/user.rb 
@@ -191,7 +191,7 @@ class User < ApplicationRecord def update_remote_cache if saved_change_to_name? Danbooru.config.other_server_hosts.each do |server| - HTTParty.delete("http://#{server}/users/#{id}/cache", Danbooru.config.httparty_options) + delay(queue: server).update_cache end end rescue Exception diff --git a/config/routes.rb b/config/routes.rb index 3b799e2c7..9ee17368d 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -291,10 +291,6 @@ Rails.application.routes.draw do get :search get :custom_style end - - member do - delete :cache - end end resource :user_upgrade, :only => [:new, :create, :show] resources :user_feedbacks do From c50ad41792b7d3f1223b7bae8bafe73e51ce8fe1 Mon Sep 17 00:00:00 2001 From: evazion Date: Sun, 28 Jan 2018 16:09:55 -0600 Subject: [PATCH 3/6] nginx.danbooru.conf: fix X-Forwarded-Proto. Sending `http` is wrong, it causes a redirect loop if HSTS is enabled. --- script/install/nginx.danbooru.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/script/install/nginx.danbooru.conf b/script/install/nginx.danbooru.conf index 10f6bddd8..d1b15b869 100644 --- a/script/install/nginx.danbooru.conf +++ b/script/install/nginx.danbooru.conf @@ -71,7 +71,7 @@ server { proxy_set_header X-Real-IP $remote_addr; proxy_redirect off; proxy_set_header Host $host:$server_port; - proxy_set_header X-Forwarded-Proto http; + proxy_set_header X-Forwarded-Proto $scheme; } location / { From d70a0a64bdba76aedf896ab514b21a47ad262fa3 Mon Sep 17 00:00:00 2001 From: evazion Date: Sun, 28 Jan 2018 19:59:39 -0600 Subject: [PATCH 4/6] Remove controller-level force_ssl checks. Obsoleted by force_ssl being globally enabled by default. --- app/controllers/application_controller.rb | 5 ----- app/controllers/user_upgrades_controller.rb | 5 ----- app/logical/session_creator.rb | 8 -------- 3 files changed, 18 deletions(-) diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 1dcc4aa4a..494d1cab4 100644 
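Review bot: The new `delay(queue: server).update_cache` on the `+` line is still covered by the method's `rescue Exception` visible at the end of the hunk, so a failed enqueue (job backend down, serialization error) is swallowed silently and the other server keeps a stale name cache — and `Exception` also traps SystemExit and Interrupt. Narrow it and log: `rescue StandardError => e` followed by `Rails.logger.error("update_remote_cache failed for user #{id}: #{e.message}")`. The approach also assumes every host in `other_server_hosts` runs a worker that drains a queue named after its own hostname; that deserves a comment on the loop, e.g. `# each remote server consumes the delayed-job queue named after its hostname`. The rescue body continues outside the hunk.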
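Review bot: `X-Forwarded-Proto $scheme` on the `+` line is only correct when this nginx terminates TLS itself; if another proxy or CDN sits in front, `$scheme` is still `http` for every request and the HSTS redirect loop this commit fixes comes back, in which case the upstream value should be forwarded instead, `proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;`. Conversely, Rails' `request.ssl?` now trusts this header, so the application port must not be reachable except through nginx — a client that can hit it directly can send `X-Forwarded-Proto: https` and skip the redirect entirely. Suggest a comment above the line: `# $scheme is right only because this host terminates TLS; never expose the upstream port directly`.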
--- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -11,7 +11,6 @@ class ApplicationController < ActionController::Base before_action :set_safe_mode # before_action :secure_cookies_check layout "default" - force_ssl :if => :ssl_login? helper_method :show_moderation_notice? before_action :enable_cors @@ -32,10 +31,6 @@ class ApplicationController < ActionController::Base CurrentUser.can_approve_posts? && (cookies[:moderated].blank? || Time.at(cookies[:moderated].to_i) < 20.hours.ago) end - def ssl_login? - cookies[:ssl_login].present? - end - def enable_cors response.headers["Access-Control-Allow-Origin"] = "*" end diff --git a/app/controllers/user_upgrades_controller.rb b/app/controllers/user_upgrades_controller.rb index b126d2aee..4e030a065 100644 --- a/app/controllers/user_upgrades_controller.rb +++ b/app/controllers/user_upgrades_controller.rb @@ -1,7 +1,6 @@ class UserUpgradesController < ApplicationController before_action :member_only, :only => [:new, :show] helper_method :user - force_ssl :if => :ssl_enabled? skip_before_action :verify_authenticity_token, only: [:create] def create @@ -57,8 +56,4 @@ class UserUpgradesController < ApplicationController redirect_to user_upgrade_path end - - def ssl_enabled? - !Rails.env.development? && !Rails.env.test? - end end diff --git a/app/logical/session_creator.rb b/app/logical/session_creator.rb index 7174a1148..b21c3eb72 100644 --- a/app/logical/session_creator.rb +++ b/app/logical/session_creator.rb @@ -28,14 +28,6 @@ class SessionCreator } end - if secure - cookies.permanent[:ssl_login] = { - :value => "1", - :secure => true, - :httponly => true - } - end - session[:user_id] = user.id user.update_column(:last_ip_addr, ip_addr) return true From 2fd91bfa20473e7aefaebcecbe0f0590f0a3a985 Mon Sep 17 00:00:00 2001 
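Review bot: Dropping `force_ssl :if => :ssl_enabled?` makes the upgrade/payment flow depend entirely on the global setting, yet the removed guard held in every environment except development and test, whereas the global `ssl_options` can be switched off by configuration (the config file's commented-out `false` alternative invites exactly that). If an operator disables forced SSL site-wide, this controller's forms then go over plaintext with no local safeguard; consider keeping `force_ssl unless Rails.env.development? || Rails.env.test?` on this controller, or at least a comment noting that the global switch also covers payments. The `skip_before_action :verify_authenticity_token` context line is unchanged here, and the class body continues outside the hunk.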
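Review bot: With the ssl_login cookie block removed, the `secure` value it consulted appears to have no remaining reader in this method, though where it comes from is outside the hunk — if it is a constructor argument, drop it from the initializer and its callers rather than leaving a dead flag that suggests secure-only sessions are still selectable. A short comment where the block was would stop the next reader hunting for it: `# HTTPS is forced globally (config.force_ssl); no per-session opt-in cookie is needed`. The `session[:user_id] = user.id` context line is untouched by this change, and the method continues outside the hunk.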
From: evazion Date: Sun, 28 Jan 2018 16:49:24 -0600 Subject: [PATCH 5/6] Load danbooru_default_config.rb earlier. Load danbooru_default_config.rb inside application.rb instead of in an initializer so that it's available as soon as possible. --- config/application.rb | 4 +++- config/danbooru_default_config.rb | 6 ++++++ config/initializers/danbooru_config.rb | 10 ---------- 3 files changed, 9 insertions(+), 11 deletions(-) delete mode 100644 config/initializers/danbooru_config.rb diff --git a/config/application.rb b/config/application.rb index 92d06bc4b..c642b25b2 100644 --- a/config/application.rb +++ b/config/application.rb @@ -6,11 +6,13 @@ if defined?(Bundler) end Bundler.require(*Rails.groups) +require_relative "danbooru_default_config" +require_relative "danbooru_local_config" + module Danbooru class Application < Rails::Application # Initialize configuration defaults for originally generated Rails version. config.load_defaults 5.1 - config.active_record.schema_format = :sql config.encoding = "utf-8" config.filter_parameters += [:password] diff --git a/config/danbooru_default_config.rb b/config/danbooru_default_config.rb index 821ce89af..b04786931 100644 --- a/config/danbooru_default_config.rb +++ b/config/danbooru_default_config.rb @@ -772,4 +772,10 @@ module Danbooru end end end + + def config + @configuration ||= EnvironmentConfiguration.new + end + + module_function :config end diff --git a/config/initializers/danbooru_config.rb b/config/initializers/danbooru_config.rb deleted file mode 100644 index 78a505bae..000000000 --- a/config/initializers/danbooru_config.rb +++ /dev/null @@ -1,10 +0,0 @@ -require "#{Rails.root}/config/danbooru_default_config" -require "#{Rails.root}/config/danbooru_local_config" - -module Danbooru - def config - @configuration ||= EnvironmentConfiguration.new - end - - module_function :config -end From 09462aefeb0c489adc1bc8c529b530d14ed50165 Mon Sep 17 00:00:00 2001 
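Review bot: The two new `require_relative` lines execute before `class Application < Rails::Application` is opened, so `Rails.application` and `Rails.root` are nil while danbooru_default_config.rb and danbooru_local_config.rb are loaded; that is fine for method definitions (and `Danbooru.config` stays lazy), but any top-level statement in the local config that touches them will now fail at boot — confirm the shipped local config template has none. The placement is otherwise surprising, so a comment on the requires would help: `# Loaded here rather than in an initializer so Danbooru.config is usable inside the Application class body`. The Application class body continues outside the hunk.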
From: evazion Date: Sun, 28 Jan 2018 19:57:45 -0600 Subject: [PATCH 6/6] Fix #3522: Enable HSTS. --- config/application.rb | 11 +++++++++++ config/danbooru_default_config.rb | 20 ++++++++++++++++++++ 2 files changed, 31 insertions(+) diff --git a/config/application.rb b/config/application.rb index c642b25b2..54701f8b4 100644 --- a/config/application.rb +++ b/config/application.rb @@ -26,6 +26,17 @@ module Danbooru config.action_mailer.perform_deliveries = true config.log_tags = [lambda {|req| "PID:#{Process.pid}"}] config.action_controller.action_on_unpermitted_parameters = :raise + config.force_ssl = true + + if Rails.env.production? && Danbooru.config.ssl_options.present? + config.ssl_options = Danbooru.config.ssl_options + else + config.ssl_options = { + hsts: false, + secure_cookies: false, + redirect: { exclude: ->(request) { true } } + } + end if File.exists?("#{config.root}/REVISION") config.x.git_hash = File.read("#{config.root}/REVISION").strip diff --git a/config/danbooru_default_config.rb b/config/danbooru_default_config.rb index b04786931..329c8143b 100644 --- a/config/danbooru_default_config.rb +++ b/config/danbooru_default_config.rb @@ -198,6 +198,26 @@ module Danbooru 1.week.ago end + # Permanently redirect all HTTP requests to HTTPS. + # + # https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security + # http://api.rubyonrails.org/classes/ActionDispatch/SSL.html + def ssl_options + { + redirect: { exclude: ->(request) { request.subdomain == "insecure" } }, + hsts: { + expires: 1.year, + preload: true, + subdomains: false, + }, + } + end + + # Disable the forced use of HTTPS. + # def ssl_options + # false + # end + # The name of the server the app is hosted on. def server_host Socket.gethostname
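Review bot: The `Rails.env.production?` guard on the new `if` means any other deployed environment (staging, a custom env name) silently gets the `else` branch — no redirect, no HSTS and `secure_cookies: false` — which is weaker than the `ssl_enabled?` check this series just removed from UserUpgradesController (`!Rails.env.development? && !Rails.env.test?`). Suggest inverting the test so only dev and test opt out: `if !Rails.env.development? && !Rails.env.test? && Danbooru.config.ssl_options.present?`. A comment on the `else` branch, `# dev/test: force_ssl stays on but every request is excluded from the redirect; HSTS and secure-cookie flagging are off`, would also help, since `config.force_ssl = true` paired with an exclude-everything redirect reads oddly. The class body continues outside the hunk.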
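Review bot: `preload: true` together with `subdomains: false` in the new `ssl_options` is inconsistent: the browser preload list only accepts a Strict-Transport-Security header that carries `includeSubDomains`, so the `preload` token here advertises an intent the header cannot meet, and the `insecure` subdomain carve-out on the `redirect:` line would conflict with `includeSubDomains` anyway. Pick one: drop `preload: true` and keep the insecure-subdomain exclusion, or set `subdomains: true`, remove the exclusion and then submit the domain. Either way, record the trade-off in the method comment, e.g. `# preload requires includeSubDomains, which would also pin the "insecure" subdomain excluded from the redirect above`. Note too that a one-year HSTS max-age is hard to undo once served, so the commented-out `false` alternative below only stops sending new headers; it does not un-pin browsers that already received one.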