canonical / lxd-demo-server

The LXD demo server
https://linuxcontainers.org/lxd/try-it
Apache License 2.0

https and ssl #7

Closed mderouineau closed 7 years ago

mderouineau commented 7 years ago

Hello,

I am a French student, and I work with lxd-demo-server for a school project. The project goal is to create a network lab server. With it, students can discover networking and test many things with no knowledge of Linux.

We chose LXD because it is light and fast.

So we have some problems with your technology. I have installed lxd-demo-server and it doesn't work with https, so I think it is an SSL problem, because I have tried to use the http protocol and it works!! But not for the connection with the container.

lxd-demo-server doesn't print an error. I read the log with Wireshark and I saw an error: encrypted packets malformed.

Have you already had this problem?

stgraber commented 7 years ago

lxd-demo-server only listens on http (port 8080). The production environment we run at https://linuxcontainers.org/lxd/try-it is on https because we have a frontend server in front of it which handles the SSL for us.

BobVul commented 7 years ago

Currently it appears that the server requests certain API endpoints (http://"+tryit_server+"/1.0, http://"+tryit_server+"/1.0/terms, etc.) over HTTP only, which fails when the browser blocks mixed content. This also makes it impossible to apply a 'simple' HTTPS reverse proxy.

Now, nginx (and probably apache) can rewrite responses: sub_filter 'http://' 'https://'; sub_filter_once off; works here. But it would be nice if this wasn't necessary and the script simply reused the currently loaded protocol; I believe it's enough to just use // which will make the browser pick (@stgraber?)

stgraber commented 7 years ago

I could use // in a number of places but that still wouldn't be quite good enough as I don't believe there is an equivalent to // for a websocket address, so I'd still need to figure out ws:// vs wss://

The built-in client code is really there more as an example than something I expect people to run in production. I'd expect production environments (like the one I run) to have a copy of the static client on an actual web server (nginx, apache, whatever) and update the various URLs and paths to match.

The Go code would then only serve the API and websocket endpoints.

BobVul commented 7 years ago

Ah, yea, I just noticed the ws issue.

Customising the static content makes sense; I'd not thought of doing so.
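The scheme selection discussed in this thread, as an added example that is not part of the original issue or of the lxd-demo-server code: it derives both the API and websocket URLs from the protocol the page was loaded over, so a client served over https never requests http:// or ws://. `tryit_server` and the `/1.0` paths come from the thread; the function name, the hostnames and the `/1.0/console` path are assumptions.

```javascript
// Added example, not lxd-demo-server code. buildEndpoints and the
// console path used in the usage comment are hypothetical names.
function buildEndpoints(pageProtocol, tryitServer) {
  // Pair each page scheme with its websocket counterpart. "//" only
  // works for http(s) URLs, so the ws/wss choice has to be made here.
  const schemes = {
    "https:": { http: "https:", ws: "wss:" },
    "http:": { http: "http:", ws: "ws:" },
  };
  const s = schemes[pageProtocol];
  if (!s) {
    // file:, data: and similar have no sensible websocket counterpart.
    throw new Error("unsupported page protocol: " + pageProtocol);
  }
  // Accept only host[:port], so a configured value cannot smuggle in
  // its own scheme or path and reintroduce mixed content.
  if (!/^[A-Za-z0-9.-]+(:\d{1,5})?$/.test(tryitServer)) {
    throw new Error("tryit_server must be host[:port]");
  }
  const api = (path) => new URL(path, s.http + "//" + tryitServer).href;
  const ws = (path) => new URL(path, s.ws + "//" + tryitServer).href;
  return { api, ws };
}

// In the browser client (constructed usage):
//   const ep = buildEndpoints(window.location.protocol, tryit_server);
//   fetch(ep.api("/1.0/terms"));
//   new WebSocket(ep.ws("/1.0/console?id=" + id));
```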