
Phusion Blog

Enterprise customers: please update your gem source and APT repository URL

By Hongli Lai on November 1st, 2013

A short while ago, we introduced a gem server and an APT repository for Phusion Passenger Enterprise customers. HTTP basic authentication was used to authenticate with these servers. Customers were supposed to use URLs that look like this:

https://YOUR_ORDER_REFERENCE:YOUR_PASSWORD@www.phusionpassenger.com/enterprise_gems/
deb https://YOUR_ORDER_REFERENCE:YOUR_PASSWORD@www.phusionpassenger.com/enterprise_apt precise main

Today, we are deprecating the ORDER_REFERENCE:PASSWORD authentication string in favor of download tokens. Each customer has a unique download token, which can be found in the Customer Area. The new RubyGems source URL and APT URL look like this:

https://download:YOUR_DOWNLOAD_TOKEN@www.phusionpassenger.com/enterprise_gems/
deb https://download:YOUR_DOWNLOAD_TOKEN@www.phusionpassenger.com/enterprise_apt precise main

Why are we doing this?

We made this change as a security precaution. Just to be clear: there is no security incident. Nothing has been breached or leaked, and the old mechanism was not vulnerable.

Since the authentication string can be read as clear text in configuration files on the system, anybody who can access the configuration files will be able to log in to the Customer Area. This in itself has no security consequences for customers: the only things you can do in the Customer Area are view licensing details and download Phusion Passenger Enterprise. Credit card details cannot be retrieved from the Customer Area.

Since customer passwords are automatically generated by our system and are completely random, being able to read the password is of no use other than being able to log in to the Customer Area.

However, we might extend the functionality of the Customer Area in the future. As such, we are changing the authentication string so that those who have access to the system configuration files cannot log in to the Customer Area. With this new download token mechanism, the only thing they will be able to do is download Phusion Passenger Enterprise files, no matter how much we extend the Customer Area in the future.

Migration instructions

The old ORDER_REFERENCE:PASSWORD mechanism will continue to work for 1 month. We will disable it after 1 month, so please migrate now.

Step 1: remove your old URLs

Remove your existing Enterprise gem source (you might have to run this with sudo or rvmsudo depending on the circumstances):

gem source --remove https://YOUR_ORDER_REFERENCE:YOUR_PASSWORD@www.phusionpassenger.com/enterprise_gems/

Remove your Enterprise APT source:

sudo rm -f /etc/apt/sources.list.d/passenger.list

Step 2: add the new URLs

If you’re using RubyGems to install Passenger Enterprise, add the new gem source (you might have to run this with sudo or rvmsudo depending on the circumstances):

gem source --add https://download:YOUR_DOWNLOAD_TOKEN@www.phusionpassenger.com/enterprise_gems/

If you’re using APT to install Passenger Enterprise, add the new APT URL to /etc/apt/sources.list.d/passenger.list:

deb https://download:YOUR_DOWNLOAD_TOKEN@www.phusionpassenger.com/enterprise_apt DISTRIBUTION_NAME main

Please refer to the manual for a full list of APT URLs for the different distributions.
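As an added check to run after the migration (example script written for this post, not Phusion's own tooling), the following shell script reports gem or APT sources that still carry an ORDER_REFERENCE:PASSWORD credential for www.phusionpassenger.com, and rewrites such an APT line to the download-token form. It assumes only the two URL shapes shown above; the file paths are the ones from the steps, and any sample lines you feed it are your own.

```sh
#!/bin/sh
# Added example, not Phusion's tooling. It assumes the two URL shapes shown
# in this post: the old https://ORDER_REFERENCE:PASSWORD@www.phusionpassenger.com/...
# form and the new https://download:TOKEN@www.phusionpassenger.com/... form.

PHUSION_HOST='www\.phusionpassenger\.com'

# Print the lines (from the given files, or from stdin when no file is given)
# that still embed a credential for the Phusion host with any user other
# than "download". Exit status 0 means a legacy credential is present.
find_legacy_credentials() {
  grep -E "https://[^/:@[:space:]]+:[^/@[:space:]]+@$PHUSION_HOST/" "$@" \
    | grep -Ev "https://download:[^/@[:space:]]+@$PHUSION_HOST/"
}

# Rewrite stdin, replacing any USER:PASS@ in front of the Phusion host with
# download:TOKEN@, where TOKEN is $1 (assumed to contain no '#' or '&').
to_token_url() {
  sed -E "s#https://[^/@[:space:]]+@($PHUSION_HOST/)#https://download:${1}@\\1#g"
}

# Check the places the migration steps touch: the APT source files and the
# RubyGems source list (run as the same user, or via sudo/rvmsudo, that
# installs gems, so that the right gem configuration is read).
audit_system() {
  found=1
  for f in /etc/apt/sources.list /etc/apt/sources.list.d/*.list; do
    [ -r "$f" ] && find_legacy_credentials "$f" && found=0
  done
  gem sources --list 2>/dev/null | find_legacy_credentials && found=0
  return $found
}

# Usage: sh check_phusion_sources.sh --audit
if [ "${1:-}" = "--audit" ]; then
  if audit_system; then
    echo 'Legacy ORDER_REFERENCE:PASSWORD credentials are still configured.' >&2
    exit 1
  fi
  echo 'No legacy Phusion credentials found.'
fi
```

Because the matching lines are printed, the audit output itself shows which file still needs its source replaced.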

  • LightBe Corp

    I do not see any instructions in the installation instructions of how I should respond to this as a Mac OS X user. I see statements to add for Ubuntu and Debian in section 2.3.1. How do I proceed? Also will I have to reinstall Passenger according to the updated instructions in the Enterprise section?

  • Hongli Lai (http://www.phusion.nl/)

    Please follow the instructions for installation through RubyGems: http://www.modrails.com/documentation/Users%20guide%20Apache.html#rubygems_generic_install
    The instructions mention running `gem source --add`.

    You do not have to reinstall. Just replacing the gem source is enough.

  • Guest

    So all I have to do is the following:

    gem source --remove https://YOUR_ORDER_REFERENCE:YOUR_PASSWORD@www.phusionpassenger.com/enterprise_gems/

    sudo rm -f /etc/apt/sources.list.d/passenger.list
    gem source --add https://download:YOUR_DOWNLOAD_TOKEN@www.phusionpassenger.com/enterprise_gems/

  • LightBe Corp

    So all I have to do is execute the two commands in step 1 listed here and the gem source --add command in the RubyGems section?

  • Hongli Lai (http://www.phusion.nl/)

    Yes. I’ve updated the instructions in this blog post so that this is more clear.

  • LightBe Corp

    Thanks so much. I decided to do the gem source --remove command then go ahead and install the latest gem version of Passenger on both my servers to get ready for a Mavericks upgrade. Upgrading both servers took about 20 minutes total, quite uneventful which is a good thing 🙂 Hopefully the Mavericks upgrade will not be a mess.