Question

We have noticed a design flaw with the newer (4.0+) versions of Phusion Passenger. When an error occurs starting an app (Ruby, Python, etc), it displays a Passenger debug message which lists all system variables, environment variables (!), directories, etc. Is this a design flaw?

You cannot password protect the VirtualHost directive AND run the app at the same time for a public app, nor can you disable, globally, these debug pages. In a production app, they should never display, ever, anywhere on the system, unless the administrator specifies that they should… Why is this default behavior?

A lot of new users store sensitive Rails settings in environment variables (whether by hand, Figaro gem, etc), and this is becoming more of a practice because it is the default in Rails Composer/Rails App Composer, which many users (new and experienced alike) use to start a project.

In a production site, the number of spiders/bots that will capture that page, even if for a half a second, can be in the tens of thousands, and so on.

There needs to be a way to disable Passenger debug webpages from ever displaying, but the only documentation related to debugging or logs relates to their Enterprise edition. Do you have to "pay" or else?

Solution

It is enabled by default in order to reduce support questions. There are many users (perhaps even the majority?) who have absolutely no idea where to look if something goes wrong, were it not for this error page with detailed information. Many people have literally no idea that the web server has a log file and that they're supposed to look there for problems.

You can disable it by setting PassengerFriendlyErrorPages off. It's in the open source version.

There is currently a ticket open that suggests displaying less information when in production mode.

License: CC-BY-SA with attribution
Not affiliated with StackOverflow
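
An added example, not part of the original question or answer: a small audit that reads Apache configuration text and reports, for the server-wide scope and for each VirtualHost, whether the Passenger error page would still be shown. It assumes the behaviour described above (the page is shown unless `PassengerFriendlyErrorPages off` is set); the sample configuration and the function names `audit` and `exposed_scopes` are constructed for illustration, and `Include` files, `<Directory>`/`<Location>` blocks and `.htaccess` are not followed.

```python
import re

# Constructed sample Apache configuration (hostnames are made up).
SAMPLE_CONF = """\
PassengerFriendlyErrorPages off

<VirtualHost *:80>
    ServerName app1.example.com
</VirtualHost>

<VirtualHost *:80>
    ServerName staging.example.com
    # overrides the server-wide "off" for this vhost only
    PassengerFriendlyErrorPages on
</VirtualHost>
"""

FLAG = re.compile(r'^\s*PassengerFriendlyErrorPages\s+"?(on|off)"?\s*$', re.I)
VHOST_OPEN = re.compile(r"^\s*<VirtualHost\b", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost\s*>", re.I)
SERVER_NAME = re.compile(r"^\s*ServerName\s+(\S+)", re.I)

def audit(conf_text, default_on=True):
    """Map each scope ("global" or a ServerName) to True when the error page is shown.
    default_on=True is an assumption from the page: shown unless turned off."""
    top, vhosts, current = {"flag": None}, [], None
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # comment line
        if VHOST_OPEN.match(line):
            current = {"name": f"<vhost #{len(vhosts) + 1}>", "flag": None}
            vhosts.append(current)
        elif VHOST_CLOSE.match(line):
            current = None
        elif current is not None and (m := SERVER_NAME.match(line)):
            current["name"] = m.group(1)
        elif m := FLAG.match(line):
            # the directive applies to the enclosing vhost, else server-wide
            (current or top)["flag"] = m.group(1).lower() == "on"
    base = default_on if top["flag"] is None else top["flag"]
    report = {"global": base}
    for vh in vhosts:
        report[vh["name"]] = base if vh["flag"] is None else vh["flag"]
    return report

def exposed_scopes(conf_text):
    """Scopes where the detailed error page is still enabled."""
    return [scope for scope, on in audit(conf_text).items() if on]
```

On the sample, only `staging.example.com` is reported, because its vhost-level `on` overrides the server-wide `off`.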