apache / cordova-browser

Apache Cordova
Apache License 2.0
168 stars 85 forks source link

Serve over HTTPS #122

Open mgatto opened 1 year ago

mgatto commented 1 year ago

Feature Request

Motivation Behind Feature

In some development environments, an API is served over SSL via the protocol https. Communicating with that API from a Cordova browser instance on a developer's machine is very efficient work flow. However, modern browsers disallow cross-origin communications between insecure and secured servers. In this case, the secured server is the API, and the insecure server is the current cordova-browser instance served with Node's http module. This is because it is always served without SSL.

I do not intend for this to be used in production environments, though there is no encoded limitation on its usage within this proposal.

Feature Description

A new option --https would be added to the command cordova run browser --> cordova run browser --https. The default option is false.

When this option is present, the node module https will be used to construct the server. The server accepts a keyfile and certificate, whose provision is the responsibility of the user.

When this option is not present, the current node module http is used. Also, the projectURL used in opening a browser window likewise switches based on the --https option.

A user choosing this option is most likely to see a warning page in the browser while opening the Cordova browser index.html. They merely need to accept the warning to continue onwards to their Cordova project's index page.

89 first proposed this, but was rejected and is currently closed. I have implemented this locally, and it works well.

Alternatives or Workarounds

Exposing the API over non-secure http is an alternative. In my context, this was rejected strongly for security reasons, especially relating to corporate security accountability programs.

The second is that a developer independently hacks their local cordova installation to enable https. This is suboptimal since upgrading becomes a hassle, requiring careful VCS audits to restore erased, custom code.

breautek commented 1 year ago

I don't think it's really as simple as throwing in a --https flag. Using the HTTPS module is one thing, but it also needs a key/certificate pair. That could potentially be generated on the fly when the platform is created/added for as long as using self signed certificates is acceptable (which should be if this is purely used for development/local testing).

Normally I'd suggest using a reverse proxy server. The 2 common web server engines are Apache and NGINX and they both have reverse proxy capabilities and isn't too difficult to setup. The overall concept is that you connect to a webserver, which has SSL configured, and it terminates the SSL and forwards the connection to the node server.

I'm not familiar with Apache myself, but a minimal NGINX configuration would look something like:

server {
    listen 0.0.0.0:443 ssl http2;

    server_name dev.example.com 127.0.0.1;

    # could be a self-signed key
    ssl_certificate /etc/nginx/ssl/nginx.crt; 
    ssl_certificate_key /etc/nginx/ssl/nginx.key;

    location {
        proxy_pass http://127.0.0.1:8080; # this would be the node server.
    }
}
mgatto commented 1 year ago

Yes, a reverse proxy is technically fine, but I think a two-step process takes away from the elegance of a single command line step with little setup.

Since cordova run browser already runs node's http, it makes sense to me to stay within that process instead of introducing another server.

To address the cert and key issues, I will add more args to designate the paths of those required files.