MovingBlocks / FacadeServer

A headless facade that acts as a game host and provides web-based administration. Automation category: Terasology Facade. See https://forum.terasology.org/threads/facadeserver-headless-server-with-web-interface.1906
Apache License 2.0

Add secure websocket support #12

Closed Inei1 closed 6 years ago

Inei1 commented 6 years ago

Contains

Fix #11.

So far, I have looked on the internet to see how to add SSL support to Jetty. The Jetty website gives a good starting point. I created a keystore with the keytool like this: [keystore image] (image is outdated, I made a different keystore with a few changes) as a way to test the server. Jetty supports SSL, so it isn't really that difficult to implement it.

For automatic certificate generation, it looks like we need a keystore. The Java KeyStore class provides a way to load a keystore, although to automatically generate what we need for a self-signed certificate we need to do something else. At the moment the certificate I provided seems good enough.

How to Test

You can test this by trying to log in to wss://localhost:8443/ws in the Facade Server Frontend. Chrome appears to accept connections to the self-signed certificate on localhost, but for other browsers you will need to make an exception. You can also go to https://localhost:8443 in the browser and access the REST APIs over https, such as https://localhost:8443/api/resources/config/MOTD.

Outstanding Before Merging

gianluca-nitti commented 6 years ago

Also, I checked the 1st checkbox because in my opinion what you did - providing a self-signed certificate - is already good enough, I don't really see any reason to generate one at runtime since it would still be a self-signed one and show warnings in browsers (but please correct me if you disagree).

What is probably more useful is explaining somewhere in the docs how to replace the built-in certificate with a custom one from a CA/LetsEncrypt (I think this is the same thing you meant with your 3rd checkbox), for example by providing some link to documentation about converting other common certificate formats (such as PEM files) to Java Keystore.
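The conversion the comment above asks to document, written as a standalone Java program (an added example, not FacadeServer's own code or tooling). It reads a PEM certificate bundle such as certbot's `fullchain.pem` and an unencrypted PKCS#8 key such as `privkey.pem`, checks that the key actually belongs to the leaf certificate, and writes a PKCS12 keystore that Jetty and `keytool` can both load. The file names, the alias argument and the `FACADE_KEYSTORE_PASSWORD` variable name are assumptions for illustration; only the JDK standard library is used.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.Collection;

/** Converts a PEM certificate chain plus PKCS#8 key into a PKCS12 keystore (illustrative, not project code). */
public final class PemToKeystore {

    // Hypothetical variable name; the PR adds a password setting but the thread does not say what it is called.
    static final String ENV_KEYSTORE_PASSWORD = "FACADE_KEYSTORE_PASSWORD";

    /** Reads every certificate in a PEM bundle (leaf first, then intermediates, as certbot writes fullchain.pem). */
    static Certificate[] readCertChain(Path pemFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(pemFile)) {
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            if (certs.isEmpty()) throw new IllegalArgumentException("no certificates found in " + pemFile);
            return certs.toArray(new Certificate[0]);
        }
    }

    /** Reads an unencrypted PKCS#8 key ("-----BEGIN PRIVATE KEY-----"); RSA and EC keys are both accepted. */
    static PrivateKey readPkcs8Key(Path pemFile) throws Exception {
        String pem = new String(Files.readAllBytes(pemFile), StandardCharsets.US_ASCII);
        if (!pem.contains("-----BEGIN PRIVATE KEY-----")) {
            // PKCS#1 ("BEGIN RSA PRIVATE KEY") or encrypted keys are not PKCS#8: convert them first
            // (e.g. `openssl pkcs8 -topk8 -nocrypt`) instead of guessing at the encoding here.
            throw new IllegalArgumentException(pemFile + " is not an unencrypted PKCS#8 private key");
        }
        String b64 = pem.replace("-----BEGIN PRIVATE KEY-----", "")
                        .replace("-----END PRIVATE KEY-----", "")
                        .replaceAll("\\s", "");
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(Base64.getDecoder().decode(b64));
        for (String algorithm : new String[] {"RSA", "EC"}) {
            try {
                return KeyFactory.getInstance(algorithm).generatePrivate(spec);
            } catch (InvalidKeySpecException e) {
                // not this algorithm, try the next one
            }
        }
        throw new IllegalArgumentException("unsupported key algorithm in " + pemFile);
    }

    /** Sign-and-verify round trip: catches a key file that does not belong to the certificate. */
    static boolean keyMatchesCertificate(PrivateKey key, Certificate cert) throws Exception {
        String sigAlg = "EC".equals(key.getAlgorithm()) ? "SHA256withECDSA" : "SHA256withRSA";
        byte[] probe = "keystore-sanity-check".getBytes(StandardCharsets.US_ASCII);
        Signature signer = Signature.getInstance(sigAlg);
        signer.initSign(key);
        signer.update(probe);
        byte[] signature = signer.sign();
        Signature verifier = Signature.getInstance(sigAlg);
        verifier.initVerify(cert.getPublicKey());
        verifier.update(probe);
        return verifier.verify(signature);
    }

    /** Writes a fresh PKCS12 store containing one private-key entry under the given alias. */
    static void writeKeystore(Path out, String alias, char[] password, PrivateKey key, Certificate[] chain)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                         // start from an empty store
        ks.setKeyEntry(alias, key, password, chain); // same password for store and entry, as Jetty expects by default
        try (OutputStream os = Files.newOutputStream(out)) {
            ks.store(os, password);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: PemToKeystore fullchain.pem privkey.pem out.p12 alias");
            System.exit(2);
        }
        String password = System.getenv(ENV_KEYSTORE_PASSWORD);
        if (password == null || password.isEmpty()) {
            throw new IllegalStateException(ENV_KEYSTORE_PASSWORD + " must be set; never hard-code it");
        }
        Certificate[] chain = readCertChain(Paths.get(args[0]));
        PrivateKey key = readPkcs8Key(Paths.get(args[1]));
        if (!keyMatchesCertificate(key, chain[0])) {
            throw new IllegalArgumentException("private key does not match the leaf certificate");
        }
        writeKeystore(Paths.get(args[2]), args[3], password.toCharArray(), key, chain);
        System.out.println("wrote " + args[2] + " with alias " + args[3] + " and " + chain.length + " certificate(s)");
    }
}
```

Jetty can load the resulting `.p12` directly when its keystore type is set to `PKCS12`; if a JKS file is required, `keytool -importkeystore -srckeystore out.p12 -srcstoretype PKCS12 -destkeystore out.jks` converts it. The key-match check matters because a mismatched key and certificate only fail at the first TLS handshake, well after the store has been written and deployed.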

Inei1 commented 6 years ago

I made the appropriate changes. This should be ready for merging if there isn't anything else you can think of.

I created a new keystore file that is more appropriate for end-users. The alias is now serverfacade and the CN is now utility.terasology.org. Apparently the CN is supposed to be the same as the web address, although there will be complaints anyway because the certificate is self-signed.

If users are going to be able to add their own certificate, then they should be able to change the password. I added that as an environment variable option as well.
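How the pieces discussed in this thread fit together at startup: a Jetty HTTPS connector fed from an operator-supplied keystore (the SSL setup from the first post), with the keystore path, password and alias read from environment variables (the option added in this comment), plus a pre-flight inspection of the certificate. This is an added illustration, not FacadeServer's code. It assumes the Jetty 9.4 API; the environment variable names are hypothetical, and only the alias `serverfacade` and port 8443 come from the thread.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;

import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;

/** Builds the HTTPS/WSS connector from an operator-supplied keystore (illustrative, not FacadeServer's code). */
public final class TlsConnectorExample {

    // Hypothetical variable names; the thread mentions a password variable but does not name it.
    static final String ENV_KEYSTORE_PATH = "FACADE_KEYSTORE_PATH";
    static final String ENV_KEYSTORE_PASSWORD = "FACADE_KEYSTORE_PASSWORD";
    static final String ENV_KEYSTORE_ALIAS = "FACADE_KEYSTORE_ALIAS";
    static final String DEFAULT_ALIAS = "serverfacade";   // alias of the keystore bundled by the PR

    /** Reads a setting from the environment; a null fallback marks the setting as required. */
    static String env(String name, String fallback) {
        String value = System.getenv(name);
        if (value == null || value.isEmpty()) {
            if (fallback == null) throw new IllegalStateException("environment variable " + name + " must be set");
            return fallback;
        }
        return value;
    }

    /** Jetty's keystore type defaults to JKS; PKCS12 files (as produced by openssl or certbot conversions) must be declared. */
    static String keystoreType(Path path) {
        String name = path.getFileName().toString();
        return name.endsWith(".p12") || name.endsWith(".pfx") ? "PKCS12" : "JKS";
    }

    /**
     * Pre-flight check before Jetty starts: the alias must be a private-key entry, the certificate must be
     * inside its validity period, and a self-signed certificate is reported so browser warnings are expected.
     */
    static X509Certificate inspectKeystore(Path path, char[] password, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(keystoreType(path));
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);
        }
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException("keystore has no private-key entry with alias '" + alias + "'");
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        cert.checkValidity();   // throws CertificateExpiredException / CertificateNotYetValidException
        if (cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
            System.err.println("WARNING: certificate '" + alias + "' is self-signed; clients will warn or refuse");
        }
        // Browsers match the host name against subjectAltName rather than the CN, so log what is present.
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        System.err.println("Subject: " + cert.getSubjectX500Principal().getName()
                + ", SANs: " + (sans == null ? "none" : sans.toString()));
        return cert;
    }

    static ServerConnector httpsConnector(Server server, Path keystore, String password, String alias, int port) {
        SslContextFactory.Server ssl = new SslContextFactory.Server();   // Jetty 9.4 API
        ssl.setKeyStorePath(keystore.toString());
        ssl.setKeyStoreType(keystoreType(keystore));
        ssl.setKeyStorePassword(password);
        ssl.setKeyManagerPassword(password);   // one password for store and key, as in the bundled keystore
        ssl.setCertAlias(alias);
        // Only modern TLS; Jetty drops protocols the running JVM does not support (TLS 1.3 needs Java 11+).
        ssl.setIncludeProtocols("TLSv1.2", "TLSv1.3");

        HttpConfiguration httpsConfig = new HttpConfiguration();
        httpsConfig.setSecureScheme("https");
        httpsConfig.setSecurePort(port);
        httpsConfig.addCustomizer(new SecureRequestCustomizer());   // marks requests as secure, exposes TLS details

        ServerConnector connector = new ServerConnector(server,
                new SslConnectionFactory(ssl, HttpVersion.HTTP_1_1.asString()),
                new HttpConnectionFactory(httpsConfig));
        connector.setPort(port);
        return connector;
    }

    public static void main(String[] args) throws Exception {
        Path keystore = Paths.get(env(ENV_KEYSTORE_PATH, "facade.jks"));
        String password = env(ENV_KEYSTORE_PASSWORD, null);   // required, never baked into the jar
        String alias = env(ENV_KEYSTORE_ALIAS, DEFAULT_ALIAS);
        inspectKeystore(keystore, password.toCharArray(), alias);

        Server server = new Server();
        server.addConnector(httpsConnector(server, keystore, password, alias, 8443));
        // WebSocket (wss://) and REST handlers are attached exactly as for plain HTTP;
        // TLS termination lives entirely in the connector.
        server.start();
        server.join();
    }
}
```

Running the inspection before `server.start()` turns the common failure modes (wrong password, wrong alias, expired or still self-signed certificate) into a clear startup error instead of a handshake failure seen only by the first client.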

gianluca-nitti commented 6 years ago

Okay, thank you for the work. Merged.