OpenTreeOfLife / opentree

Opentree browsing and curation web site. For overarching or cross-repo concerns, please see the 'germinator' repo.
http://tree.opentreeoflife.org/
BSD 2-Clause "Simplified" License

Certificates must be optional #409

Open jar398 opened 10 years ago

jar398 commented 10 years ago

It's important that it be easy to set up an instance of the application that doesn't have SSL certificates, i.e. that runs with no login and without SSL. Currently the install fails if there is no certificate.

It's OK if there's a true/false configuration option saying using SSL or not using SSL, if you don't want to just trigger SSL based on the presence of the certificate.

jimallman commented 10 years ago

OK, I'm disabling SSL if the main STAR_opentreeoflife.crt file isn't found, in 4bac2d82c5fd8fdd0d461aab3c381a8e1a8645a0.

More generally, I'm torn on whether implicit or explicit configuration is best for situations like this. We could have explicit flags in the server-config files:

SUPPORT_SSL=true
SUPPORT_GITHUB_OAUTH=false

... which would clue people in that these features are optional and separable. It's more for them to think about, and carelessness might expose a site without the proper security. But it would allow us to target error messages and warnings based on their intended use.

jar398 commented 9 years ago

I'm happy with how it works now. I've just added a warning when no .crt file is found (not pushed yet, but no hurry). Jim, if you think you're going to work on this some more, you can keep the issue open, otherwise please close it.

jar398 commented 9 years ago

see also #419

jimallman commented 9 years ago

I've added "internal" support (i.e., in web2py) for HTTPS in commit ef45f91. This behavior is triggered by deployment tools (via /private/config in both webapps) with a new variable:

[security]
secure_sessions_with_HTTPS = true

...which is in turn set (like our Apache SSL support) based on the presence of our wildcard cert.

Once enabled, HTTPS is always on for both webapps, even for anonymous visitors. I tried to slice it finer than that (using HTTPS only for login and logged-in requests), but this setup is the only one that works properly with OAuth. It allows our registered apps on GitHub to use HTTP in the OAuth redirect_uri, so we can support both secure and insecure (dev) configurations.

Testing this now (with and without wildcard cert) on devtree... Will submit a pull request if it passes.

jar398 commented 9 years ago

great!

A lot of sites will do 301 redirects from http:foo to https:foo. This ensures privacy of the page contents even if the site is entered using an http: URI. I don't propose that we do this, but it's an option to be aware of.

On Tue, Dec 16, 2014 at 10:32 PM, Jim Allman notifications@github.com wrote:

I've added "internal" support (i.e., in web2py) for HTTPS in commit ef45f91 https://github.com/OpenTreeOfLife/opentree/commit/ef45f9100c5339c47c278f23ef7485c9c8e81d2f. This behavior is triggered by deployment tools (via /private/config in both webapps) with a new variable:

[security]
secure_sessions_with_HTTPS = true

...which is in turn set (like our Apache SSL support) based on the presence of our wildcard cert.

Once enabled, HTTPS is always on for both webapps, even for anonymous visitors. I tried to slice it finer than that (using HTTPS only for login and logged-in requests), but this setup is the only one that works properly with OAuth. It allows our registered apps on GitHub to use HTTP in the OAuth redirect_uri, so we can support both secure and insecure (dev) configurations.

Testing this now (with and without wildcard cert) on devtree... Will submit a pull request if it passes.

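An added example (not opentree's own code) that ties together the options discussed in this thread: the implicit rule where HTTPS follows the presence of the wildcard cert (with the missing-.crt warning), an explicit SUPPORT_SSL-style flag that fails loudly instead of silently downgrading, the [security] stanza written to /private/config, and the optional 301 http-to-https redirect jar398 mentions. The function names, the warning text and the ValueError on misconfiguration are assumptions, not the project's behaviour.

```python
import configparser
import io
import os
from typing import Optional, Tuple

CERT_NAME = "STAR_opentreeoflife.crt"  # wildcard cert named in the thread

def cert_present(cert_dir: str) -> bool:
    """True if the wildcard cert exists in cert_dir (the implicit trigger)."""
    return os.path.isfile(os.path.join(cert_dir, CERT_NAME))

def resolve_https(have_cert: bool, explicit_flag: Optional[bool] = None) -> Tuple[bool, Optional[str]]:
    """Return (https_on, warning_or_None).

    explicit_flag is None for the implicit rule (HTTPS follows the cert);
    otherwise it is the value of an explicit SUPPORT_SSL-style flag.
    """
    if explicit_flag is None:
        warning = None if have_cert else f"{CERT_NAME} not found; deploying without HTTPS"
        return have_cert, warning
    if explicit_flag and not have_cert:
        # Opting in without a cert is a misconfiguration: fail loudly, never downgrade.
        raise ValueError(f"SUPPORT_SSL=true but {CERT_NAME} is missing")
    return explicit_flag, None

def render_security_config(https_on: bool) -> str:
    """Emit the [security] stanza the deployment tools write into /private/config."""
    cfg = configparser.ConfigParser()
    cfg.optionxform = str  # keep the key's capitalisation as the thread shows it
    cfg["security"] = {"secure_sessions_with_HTTPS": "true" if https_on else "false"}
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()

def load_https_setting(config_text: str) -> bool:
    """Read the stanza back; an absent section or key means HTTPS is off."""
    cfg = configparser.ConfigParser()
    cfg.optionxform = str
    cfg.read_string(config_text)
    return cfg.getboolean("security", "secure_sessions_with_HTTPS", fallback=False)

def handle_request(scheme: str, host: str, path: str, https_on: bool) -> Tuple[int, Optional[str]]:
    """Model the optional 301 http->https redirect; returns (status, Location)."""
    if https_on and scheme == "http":
        return 301, f"https://{host}{path}"
    return 200, None
```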