Enterprise customers: please update your gem source and APT repository URL
A short while ago, we introduced a gem server and an APT repository for Phusion Passenger Enterprise customers. HTTP basic authentication was used to authenticate with these servers. Customers were supposed to use URLs that look like this:
https://YOUR_ORDER_REFERENCE:YOUR_PASSWORD@www.phusionpassenger.com/enterprise_gems/
deb https://YOUR_ORDER_REFERENCE:YOUR_PASSWORD@www.phusionpassenger.com/enterprise_apt precise main
Today, we are deprecating the ORDER_REFERENCE:PASSWORD authentication string in favor of download tokens. Each customer has a unique download token, which can be found in the Customer Area. The new RubyGems source URL and APT URL look like this:
https://download:YOUR_DOWNLOAD_TOKEN@www.phusionpassenger.com/enterprise_gems/
deb https://download:YOUR_DOWNLOAD_TOKEN@www.phusionpassenger.com/enterprise_apt precise main
Why are we doing this?
We made this change as a security precaution. Just to be clear: there is no security incident. Nothing has been breached or leaked, and the old mechanism was not vulnerable.
Since the authentication string can be read as clear text in configuration files on the system, anybody who can access the configuration files will be able to log in to the Customer Area. This in itself has no security consequences for customers: the only thing you can do in the Customer Area is to view licensing details and to download Phusion Passenger Enterprise. Credit card details cannot be retrieved from the Customer Area.
Since customer passwords are automatically generated by our system and are completely random, being able to read the password is of no use other than being able to login to the Customer Area.
However, we might extend the functionality of the Customer Area in the future. As such, we are changing the authentication string so that those who have access to the system configuration files cannot log in to the Customer Area. With this new download token mechanism, the only thing they will be able to do is to download Phusion Passenger Enterprise files, no matter how much we extend the Customer Area in the future.
Migration instructions
The old ORDER_REFERENCE:PASSWORD mechanism will continue to work for 1 month. We will disable it after 1 month so please migrate now.
Step 1: remove your old URLs
Remove your existing Enterprise gem source (you might have to run this with sudo or rvmsudo depending on the circumstances):
gem source --remove https://YOUR_ORDER_REFERENCE:YOUR_PASSWORD@www.phusionpassenger.com/enterprise_gems/
Remove your Enterprise APT source:
sudo rm -f /etc/apt/sources.list.d/passenger.list
Step 2: add the new URLs
If you’re using RubyGems to install Passenger Enterprise, add the new gem source (you might have to run this with sudo or rvmsudo depending on the circumstances):
gem source --add https://download:YOUR_DOWNLOAD_TOKEN@www.phusionpassenger.com/enterprise_gems/
If you’re using APT to install Passenger Enterprise, add the new APT URL to /etc/apt/sources.list.d/passenger.list:
deb https://download:YOUR_DOWNLOAD_TOKEN@www.phusionpassenger.com/enterprise_apt DISTRIBUTION_NAME main
Please refer to the manual for a full list of APT URLs for the different distributions.
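The two migration steps above, plus a check for the concern raised under "Why are we doing this?" (a legacy ORDER_REFERENCE:PASSWORD string still sitting in clear text in a configuration file), as a single added example script. This is not Phusion's own tooling. It assumes the gem command is on PATH, that the user-level gem source list lives in ~/.gemrc, and that the APT list file path and DISTRIBUTION_NAME follow the instructions in this post; the token and URLs passed in are placeholders.

```sh
#!/bin/sh
# Added example, not Phusion's tooling: migrate the Passenger Enterprise gem
# source and APT source from the deprecated ORDER_REFERENCE:PASSWORD form to
# the download token form, then check for leftover legacy credentials.
set -eu

HOST="www.phusionpassenger.com"

# Build the new RubyGems source URL for a download token.
gem_url() {
    printf 'https://download:%s@%s/enterprise_gems/\n' "$1" "$HOST"
}

# Build the new APT source line for a download token and distribution name
# (DISTRIBUTION_NAME in the post, e.g. precise).
apt_line() {
    printf 'deb https://download:%s@%s/enterprise_apt %s main\n' "$1" "$HOST" "$2"
}

# Print lines in a file that still carry a legacy authentication string:
# any userinfo other than "download" in front of @www.phusionpassenger.com.
# Returns 1 if such a line exists, 0 otherwise (a missing file counts as clean).
find_legacy_credentials() {
    file="$1"
    [ -f "$file" ] || return 0
    if grep -E "https://[^/:@[:space:]]+:[^/@[:space:]]+@$HOST/enterprise_" "$file" \
        | grep -Ev "https://download:[^@]+@$HOST/"; then
        return 1
    fi
    return 0
}

# Perform the migration. The old gem URL, the token and the distribution are
# parameters so nothing sensitive is hard-coded; run with sudo or rvmsudo
# where the post says so.
migrate() {
    old_gem_url="$1"; token="$2"; dist="$3"
    list_file="/etc/apt/sources.list.d/passenger.list"   # path from the post

    # Step 1: remove the old gem source and the old APT list.
    gem sources --remove "$old_gem_url"
    rm -f "$list_file"

    # Step 2: add the token-based URLs.
    gem sources --add "$(gem_url "$token")"
    apt_line "$token" "$dist" > "$list_file"
    # The token is a credential: keep the list file out of world-readable
    # reach. apt's root process reads sources lists and hands URIs to its
    # unprivileged fetch helpers, so 0640 root:root does not break apt update.
    chmod 0640 "$list_file"

    # Confirm no legacy ORDER_REFERENCE:PASSWORD strings remain.
    find_legacy_credentials "$HOME/.gemrc" && find_legacy_credentials "$list_file"
}

# Usage (only runs when explicitly asked, so sourcing the file is harmless):
#   sh migrate.sh --apply OLD_GEM_URL YOUR_DOWNLOAD_TOKEN DISTRIBUTION_NAME
if [ "${1:-}" = "--apply" ]; then
    migrate "${2:?old gem source URL}" "${3:?download token}" "${4:?distribution name}"
fi
```

The find_legacy_credentials check is the part worth keeping around after the migration: run it against ~/.gemrc and every file under /etc/apt/sources.list.d/ to confirm that no ORDER_REFERENCE:PASSWORD string survives in any configuration file, since that string is what lets anyone with file access log in to the Customer Area.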