StickMick / BYOC

Bring Your Own Client. An online game with no client - challenge yourself by creating your own and compete with others.
MIT License

Blazor Server Side Concern #6

Closed musictopia2 closed 2 months ago

musictopia2 commented 2 years ago

I see one concern currently about the Blazor server side as is. I can see you are forcing SSL. However, I have found it means that it will not work on other computers on the network. I have been able to get SSL to work when it's just localhost. However, I have not gotten it to work on other computers on the network since there has to be an SSL certificate. I would suggest either eliminating the part where SSL has to be used. The other option is if you can figure out how to do the certificate for local hosting and give instructions. I suggested a course on Tim Corey's site but it was ignored. All my local hosting I solve by not bothering with SSL (then it works perfectly with other computers on the network).

StickMick commented 2 years ago

Hey, sorry about the delay - life got in the way of this project while I work on other things.

To my knowledge - which could be incorrect - the development certificate isn't considered valid, but it is still a certificate and can be trusted by the client.

An example is within the current iteration of the command line client, which has a custom implementation of validation that always returns true - ignoring the fact that the certificate itself isn't valid.

Regardless, the server is just a means to an end, I probably should've left it out entirely until the concept of the games library was more complete.

If people want to take the project as a whole and run it, they can acquire and install certificates.
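As an added example (not code from the BYOC client or from anyone in this thread), this is what the client-side callback could do instead of always returning true: accept a self-signed LAN certificate only when its SHA-256 fingerprint matches one the player configured out of band, while still letting normally valid chains through. The `PinnedHttpClient` class, the `ExpectedSha256` placeholder and .NET 6 or later are assumptions.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper (not part of the BYOC repo): pins the server certificate instead of
// disabling validation. Needs .NET 6+ for SHA256.HashData and Convert.ToHexString.
public static class PinnedHttpClient
{
    // Constructed placeholder: the hex SHA-256 of the server's DER-encoded certificate,
    // copied from the machine running the server and handed to the player out of band.
    public const string ExpectedSha256 = "PLACEHOLDER_SERVER_CERT_SHA256_HEX";

    // Returns true only for a chain the OS already trusts, or for the one pinned certificate.
    public static bool IsAcceptable(X509Certificate2? cert, SslPolicyErrors errors)
    {
        if (cert is null) return false;

        // Publicly valid (or LAN-CA-trusted) certificates pass exactly as they would without a callback.
        if (errors == SslPolicyErrors.None) return true;

        // A self-signed LAN cert shows up as a chain error only. A name mismatch or a missing
        // certificate is still rejected rather than papered over with "return true".
        if (errors != SslPolicyErrors.RemoteCertificateChainErrors) return false;

        string actual = Convert.ToHexString(SHA256.HashData(cert.RawData));
        return string.Equals(actual, ExpectedSha256, StringComparison.OrdinalIgnoreCase);
    }

    public static HttpClient Create()
    {
        var handler = new HttpClientHandler
        {
            // Signature: (HttpRequestMessage, X509Certificate2?, X509Chain?, SslPolicyErrors) -> bool
            ServerCertificateCustomValidationCallback = (_, cert, _, errors) => IsAcceptable(cert, errors)
        };
        return new HttpClient(handler);
    }
}
```

The pin has to be rotated whenever the server's certificate is replaced, so keep it in the client's config rather than hard-coded as shown here.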

musictopia2 commented 2 years ago

I have found from experience that there are steps a person can do to install a development certificate that even works in Docker. However, it only works from localhost. If somebody tries to access it from another computer on the network, it's not going to work unfortunately. The only way I was able to get around it was to do it as not SSL. I would suggest either taking out the part for SSL. Or another idea can be an extension. So if somebody wants to force SSL, then they can run 2 lines of code and it would be SSL enabled. However, they would have to figure out how to make other computers on the network trust it. If the extension is not run, then it would not be SSL, which means this can run even on Docker. I would have suggested making more of the game where it does not care about any of the network stuff so people can have choices (if they really want to run completely locally, like on a mobile device with no internet, they can). It's still a good idea that "build your own client" means the game focuses on the behind-the-scenes stuff and it's up to others to create a UI for it.

TimCorey commented 2 years ago

I would recommend NOT taking out SSL. Turning something off because you can't figure it out in development is not a wise idea. Like @StickMick said, you can get it to work locally, and not just with localhost. Don't reduce the security of your app in production in order to make it easier in development.

musictopia2 commented 2 years ago

The problem is if a person does not take out SSL, then you have a case where it will work in development but will not work in production. Even in development, if you want somebody else to access it from another computer on your network, it's impossible for it to work unfortunately.

musictopia2 commented 2 years ago

The one case where it's good to keep it as SSL is if you are deploying to Azure or some cloud service. That is the only way that SSL works. If a company wants to use it internally, then if SSL is used, everybody has to go to the computer where it's on. The good news is it's much more secure. The bad news is it would not be very usable though.

TimCorey commented 2 years ago

That's the issue though - it is NOT impossible to get it to work. It is possible. Also, it WILL work in production with SSL. In fact, if you don't use SSL, even internally, you are enabling a major security risk. Turning it off is really bad advice.

musictopia2 commented 2 years ago

Can you do a video to show how it's possible? Because I have seen no videos about how to even do it. Hopefully it does not cost money though. There is a site I heard of called InstantSSL. However, there were no clear instructions on how to get it to work even on a simple hello world site.

StickMick commented 2 years ago

Hey all, sorry about the lack of input in the project. Big projects going live at work have drained my time, but I'm starting to get more opportunity to get back into this.

I'm interested in input on how to remedy this. I'm not really across SSL, and I was somewhat under the impression that if someone wanted to host this project, they would need to install and use their own SSL certs.

It's not terribly high on my priority list to fix, since the server is just a means to access the logic within the library and is just a proof of concept at the moment.

If someone knows of a solution and/or best practice, jump on in and give it a shot.

musictopia2 commented 2 years ago

Unfortunately, most people don't even know how to do their own SSL certs except for the development one, which does not allow other computers on the network to use this. My suggestion would be something like this. Don't even worry about the server part. Just have the code logic (class library alone). Then a person can decide how it's hosted. They can decide either server side, which means they have to pay for Azure. Or they would do it as self-contained, but the class library is still helpful because the business logic is already done, so a person focuses on the UI for it. What would be great is if somebody can contribute and show how to do the SSL certificate for free for local hosting on a private network.
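As an added example answering that last request (not code from the BYOC repo or from anyone in this thread), here is the free option for a private network: mint a self-signed certificate whose subject alternative names are the LAN host name and address players will actually type, export it to a PFX, and point Kestrel at it while leaving HTTPS on. The `LanCertificate` class, the host name `gamehost.lan`, the address, the `Lan:*` config keys and the file path are assumptions, and the snippet assumes the .NET 6+ minimal hosting model.

```csharp
using System;
using System.IO;
using System.Net;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;

// Program.cs (hypothetical): HTTPS stays mandatory; only where the certificate comes from changes.
var builder = WebApplication.CreateBuilder(args);
var pfxPath = builder.Configuration["Lan:PfxPath"] ?? "lan-cert.pfx";        // constructed config keys
var pfxPassword = builder.Configuration["Lan:PfxPassword"] ?? "change-me";   // keep in user secrets

if (!File.Exists(pfxPath))
{
    // First run on the host: create a cert for the names clients will use (constructed values).
    using var fresh = LanCertificate.CreateSelfSigned("gamehost.lan", "192.168.1.10");
    File.WriteAllBytes(pfxPath, fresh.Export(X509ContentType.Pfx, pfxPassword));
}

// Listen on every interface so other machines on the LAN can reach it, over TLS only.
builder.WebHost.ConfigureKestrel(k => k.ListenAnyIP(5001, o => o.UseHttps(pfxPath, pfxPassword)));
var app = builder.Build();
app.Run();

public static class LanCertificate
{
    public static X509Certificate2 CreateSelfSigned(string dnsName, string ipAddress)
    {
        using var rsa = RSA.Create(2048);
        var request = new CertificateRequest($"CN={dnsName}", rsa,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

        // Browsers and HttpClient match on the SAN, not the CN; the dev cert only lists localhost here.
        var san = new SubjectAlternativeNameBuilder();
        san.AddDnsName(dnsName);
        san.AddIpAddress(IPAddress.Parse(ipAddress));
        request.CertificateExtensions.Add(san.Build());

        // Not a CA, and usable for server authentication only (id-kp-serverAuth).
        request.CertificateExtensions.Add(new X509BasicConstraintsExtension(false, false, 0, false));
        request.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
            new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") }, false));

        return request.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));
    }
}
```

Players' machines still have to trust this certificate (import its public part into their trusted root store, or pin its fingerprint in the client); the PFX password belongs in user secrets or an environment variable, not in the repo.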