bdkjones / CodeKit2

CodeKit 2 Beta

Request: Enable HTTPS support for external server #223

Closed Andreyco closed 3 years ago

Andreyco commented 10 years ago

I develop on a local vhost with a self-signed SSL certificate, so I need to confirm (at least in Chrome) to access such a website.

If I point the external server to such a URL, the CK2 server will fail and return this.

CodeKit sent a request to the external server for this resource: https://dm-app.loc/ The error returned was: "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “dm-app.loc” which could put your confidential information at risk." (Code -1202)

I cannot switch down to HTTP, unfortunately.

bdkjones commented 10 years ago

Yea... right now I haven't put in support for HTTPS because most folks can test their site during development without using SSL.

It's a bit of a tricky situation because CodeKit is, in fact, exactly that: a server pretending to be another server.

bdkjones commented 10 years ago

In this project's settings, have you entered the external server address using HTTPS? E.g.

https://dm-app.loc/

And then you hit the Preview button in CodeKit's toolbar, which loads the non-https address http://[computername].local:5757/ right?

That's the setup producing the problem above?

Andreyco commented 10 years ago

Exactly. Configured with HTTPS, but preview loads http://andrejs-imac.local:5757/. Also, I tried https://andrejs-imac.local:5757/ but it says "This webpage is not available" anyway.

I understand most of us develop on non-secured local/remote servers and that this feature is not essential, but it would be great to cover this as well. Have some way to allow connection to such a server.

bdkjones commented 10 years ago

Yea. I looked into it and the simple answer is: it's not possible.

The whole reason CodeKit 2 has a proxy server to begin with is so that it can intercept requests to serve HTML pages and insert a couple scripts into the head element that talk to CodeKit and enable browser refreshing.

The whole reason HTTPS exists AT ALL is to prevent exactly that: computers in the middle from reading/modifying the transmission between client and server. There is no way to have an HTTPS connection and still have CodeKit make the necessary modifications to the page to enable reloading. It's just flat out not possible because that's exactly the thing that SSL was invented to prevent.

It is possible for CodeKit to simply forward SSL requests to the origin server (called "SSL tunneling") but it cannot modify the transmission in any way.

So in short, it looks like HTTPS will never be supported. Why is it not possible for you to drop to a non-secure connection during development?

Andreyco commented 10 years ago

Yea, I get you. Why can't I drop HTTPS in certain cases? F'ing Facebook API.

masterful commented 10 years ago

Sorry to bring this up again - but I don't see why it's impossible.

From my understanding, SSL was designed to prevent snooping on the traffic between two computers, and using trusted chains, to prevent impersonation.

However, it is certainly possible to intercept traffic as a proxy, and, utilizing your own SSL certificate, to continue providing SSL functionality. The user will likely be presented with a warning that the certificate chain isn't trusted if you're using a self-signed certificate, but after accepting the certificate the user can continue to browse the site.

It's certainly extra development effort, so I can understand not wanting to support it for the time being. :( But it's not impossible.

bdkjones commented 10 years ago

Yes; TECHNICALLY it's possible for me to do it. But the trouble is that if I use a self-signed certificate you will:

A) See a bunch of warnings in your browser

and

B) Be exposed to a real threat.

If CodeKit were ever compromised on your machine, it could then be used to relay your secure traffic to any other server in the world. All a hacker would need to do is replace the JavaScript file that I use to perform reloads with one that sends a call to some other server, etc. Is this likely? No. Is it possible? Absolutely.

For now, I decided to err on the side of caution. For 99% of development efforts, SSL is not needed. You can test your site without it and then do a little testing at the end to make sure it's working. Now, I recognize that some APIs like Facebook can't BE tested without SSL, so I may put this on the list for the future.

BoylesWhite commented 8 years ago

Just to drop a note in here, I am also using local signed certificates and ended up here.

I will consider dropping the SSL until production unless there is a patch or workaround? I wonder if there could be a hook which somehow forces a refresh when a file is recompiled?

chrisphenry commented 8 years ago

+1 ...also require HTTPS support periodically - understand the careful consideration though, tough call. Perhaps a really obvious kill switch/setting to allow functionality intermittently. I for one wouldn't mind having to constantly indicate to CK that I want to re-enable the function after it had automatically killed it after say 12 hours. In no way is that elegant or good practice but it would be a 'nice to have' on those rare projects. Perhaps you could validate the integrity of the reload JS in some scenario to enable a more elegant solution.

bdkjones commented 8 years ago

You'll like 3.0.

chrisphenry commented 8 years ago

You just made my weekend that bit... better... and seriously kudos for CK - without it my job would be seriously unbearable!

jakecaputo commented 4 years ago

I know this issue has been hanging around for years, but... +1.

bdkjones commented 4 years ago

This is the old 2.x repository. HTTPS support was introduced in 2016 with CodeKit 3.0.

-Bryan

On Jul 29, 2020, at 09:20, Jake Caputo notifications@github.com wrote:

 I know this issue has been hanging around for years, but... +1.
