Incorrect docs for "HTTPS on the Source Interface" + Issues after configuration


#1

Since I’m not that used to using Git, I’m reporting another “flaw” in the documentation here.

I just installed a certificate on our source interface, following the instructions (https://docs.securedrop.org/en/stable/https_source_interface.html) I’m supposed to run:

./securedrop-admin sdconfig

and get asked for the four lines:

securedrop_app_https_on_source_interface: yes
securedrop_app_https_certificate_cert_src: sd.crt
securedrop_app_https_certificate_key_src: sd.key
securedrop_app_https_certificate_chain_src: ca.crt

However, the script never asks for the key or the certificates.
Now I manually edited the “site-specific”, and everything else worked as intended.


#2

Unfortunately I have to retract my statement about everything working. After installation of the certificate we are unable to get to the submit page.
Hitting the first SUBMIT DOCUMENTS button works, but on the next page the SUBMIT DOCUMENTS button or the re-generate token button leads back to the first page with the error message “Your session timed out due to inactivity.” The same thing goes for the CONTINUE button on the “check for a response” page (tested multiple times from different sources).

Reverted the change by setting HTTPS to “no” in the config, and now the page is working again. I will troubleshoot a little bit later, but any suggestions are appreciated.


#3

Hey @jonas.franzen, I have a suspicion that modifying the Referrer-Policy in the source interface Apache config on the Application server might resolve the issue. Stop the Apache service (sudo service apache2 stop) and in /etc/apache2/sites-available/source.conf replace:

Header set Referrer-Policy "no-referrer"

with

Header set Referrer-Policy "same-origin"

And bring the service back up:

sudo service apache2 start

Try the source upload flow again. Let me know if this resolves.
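The thread does not explain why the header change helps. As an added illustration (not SecureDrop code, and not from any poster above), the block below models what the two Referrer-Policy values do to the Referer header a browser sends on a same-origin form POST, and how a server-side same-origin Referer check (assumed here as a generic check, not a claim about SecureDrop's implementation) treats each case. The origin sd.example.org and the /lookup and /submit paths are constructed sample values.

```python
"""Added illustration: Referrer-Policy vs. a same-origin Referer check.

Assumptions (not from the thread): the server rejects POSTs whose Referer
is absent or off-origin; the browser follows the Referrer-Policy exactly.
"""
from urllib.parse import urlsplit

# Constructed origin standing in for an HTTPS source interface.
SITE = "https://sd.example.org"


def origin(url: str) -> tuple:
    """Return (scheme, host[:port]) so two URLs can be compared by origin."""
    parts = urlsplit(url)
    return (parts.scheme, parts.netloc)


def browser_referer(policy: str, page_url: str, target_url: str):
    """Referer value a browser sends for a request from page_url to target_url.

    Only the two policies named in the thread are modelled; others raise
    so the model never silently guesses.
    """
    if policy == "no-referrer":
        # Header is withheld for every request, same-origin included.
        return None
    if policy == "same-origin":
        # Full URL is sent to the same origin, nothing to other origins.
        return page_url if origin(page_url) == origin(target_url) else None
    raise ValueError(f"policy not modelled: {policy}")


def referer_check(referer, site_origin: str) -> bool:
    """Generic same-origin Referer check (assumption, see module docstring).

    A missing header fails the check, which is what turns a legitimate
    same-origin POST into a rejected request under no-referrer.
    """
    if not referer:
        return False
    return origin(referer) == origin(site_origin)


def submit_allowed(policy: str) -> bool:
    """Would a source's POST from /lookup to /submit pass the check?"""
    ref = browser_referer(policy, SITE + "/lookup", SITE + "/submit")
    return referer_check(ref, SITE)


def leaks_to_other_origin(policy: str) -> bool:
    """Does an outbound link to a different site carry the source URL?"""
    ref = browser_referer(policy, SITE + "/lookup", "https://other.example/")
    return ref is not None


if __name__ == "__main__":
    for pol in ("no-referrer", "same-origin"):
        print(f"{pol:12} submit allowed: {submit_allowed(pol)!s:5} "
              f"leaks to other origin: {leaks_to_other_origin(pol)}")
```

The point the model makes is that "same-origin" keeps the privacy property operators care about (no Referer ever leaves the site) while still supplying the header the site's own form handling may expect. After applying the change on a real server, the header actually served can be confirmed from the Application server with `curl -sI` against the source interface and looking for the `Referrer-Policy` line in the response.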


#4

Thank you @redshiftzero, that seems to do the trick, everything is working as it is supposed to.

Is this a solution I can trust, or can it break in the next upgrade?


#5

@jonas.franzen We have included that in our testing strategy for the next release. We expect that this will be the only time you need to run this command.

Best,
Freddy Martinez


#6

Thank you for the update, good to know.