Disable the Phusion Passenger (Standalone) error page on AWS Elastic Beanstalk?

Question

When deploying application to Elastic Beanstalk, is it possible to disable the error page that is shown by Phusion Passenger (Standalone)? Especially in production. This page includes a stack trace as well as exposed environment variables ... which is dangerous in my opinion.

Quick way to reproduce this would be introduce a syntax error (it's not the only way).

I can see here (link) that it's possible ... just not sure how you'd do the same on EB. To avoid broken links in the future, I'll just quote the conversation here ... one guy asks:

I seem to recall reading somewhere that it's possible to disable the passenger boot error page that shows if you're missing gems, etc. If I recall correctly, I think the Phusion guys were saying that the default behavior in the production environment would be to suppress this error page that shows the stack trace, etc. Is there a way to disable this error page with the current version of Passenger?

To which one of the Phusion guys reply ...

Right now you can just edit the templates in lib/phusion_passenger/templates. All errors are also logged to the web server log file.

While the response is a positive sign, it doesn't really solve my problem ... which is how to do it on EB and we all (almost) know that EB is a bit more tight-boxed that your typical self administered server.

Answer 1

You need to add a Passenger directive to prevent Passenger from exposing potentially exploitable details about your web server. The way to do this is to add a directive on your web server configuration to prevent Passenger from showing a backtrace and dump environment variables on your users. For instance if your Rails app is deployed using Apache then you just need to add the following directive on your Virtualhost configuration block

<VirtualHost *:80>
  ...
  PassengerFriendlyErrorPages off

As for AWS EBS, I'm not particularly familiar with it but a quick Google search revealed that you have to put this config in your Apache Vhosts config which is in the .ebextensions directory. You've probably done this already since you've already deployed your app successfully. I'll show it anyway for the benefit of others. For instance if you're using Apache you might have something like this under .ebextensions/vhosts.config

files:
  "/etc/httpd/conf.d/vhosts.conf":
    mode: "000644"
    owner: root
    group: root
    encoding: plain
    content: |
      NameVirtualHost *:80

      <VirtualHost *:80>
        ServerName www.example.com
        ServerAlias example.com
        DocumentRoot /var/www/ruby/example/
      </VirtualHost>

      PassengerFriendlyErrorPages off

Update: You can find the documentation to turn off 'friendly error pages' here