chihaya / chihaya

A customizable, multi-protocol BitTorrent Tracker
https://chihaya.io

http: TLS not used despite proper config #407

Closed f4nff closed 6 years ago

f4nff commented 6 years ago

How to configure https, only certificate settings, no port, open

mrd0ll4r commented 6 years ago

I do not understand what your problem is. To enable and configure HTTPS (that is, HTTP over TLS), just set the values for tls_cert_path and tls_key_path in the config.

elico commented 6 years ago

@mrd0ll4r when you use tls_cert_path and tls_key_path on what port chihaya will listen? Will it listen both on http(80 or another) and https(443 or another)?

f4nff commented 6 years ago

@mrd0ll4r when you use tls_cert_path and tls_key_path on what port chihaya will listen? Will it listen both on http(80 or another) and https(443 or another)?

please~

mrd0ll4r commented 6 years ago

It should listen, TLS only, on the port you specified in addr. However, I just tried it and it's broken.

We need to use ListenAndServeTLS instead of ListenAndServe.

Thanks for finding this one!
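The fix mrd0ll4r describes, written out as an added example that is not chihaya's own code: a hypothetical `Config` with `addr`, `tls_cert_path` and `tls_key_path` fields, a `Serve` that goes through `ServeTLS` (the listener-taking form of `ListenAndServeTLS`) whenever a cert and key are configured, and a `ProbeTLS` check that answers the operator's question from the issue title, namely whether the port really completes a TLS handshake. The certificate is a throwaway self-signed one generated on the fly, standing in for the files a real deployment would point the config at.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"log"
	"math/big"
	"net"
	"net/http"
	"os"
	"path/filepath"
	"time"
)

// Config mirrors the config fields named in the thread (hypothetical struct, not chihaya's own type).
type Config struct {
	Addr        string // addr
	TLSCertPath string // tls_cert_path
	TLSKeyPath  string // tls_key_path
}

// Serve is the decision the bug was about: with a cert and key configured the
// server must go through ServeTLS (the listener-taking twin of ListenAndServeTLS).
// Plain Serve ignores both settings and the port answers cleartext HTTP.
func Serve(srv *http.Server, ln net.Listener, cfg Config) error {
	if cfg.TLSCertPath != "" && cfg.TLSKeyPath != "" {
		return srv.ServeTLS(ln, cfg.TLSCertPath, cfg.TLSKeyPath)
	}
	return srv.Serve(ln)
}

// Start binds cfg.Addr, serves handler in the background and returns the bound
// address (handy with port 0) plus a stop function.
func Start(cfg Config, handler http.Handler) (string, func(), error) {
	ln, err := net.Listen("tcp", cfg.Addr)
	if err != nil {
		return "", nil, err
	}
	srv := &http.Server{Handler: handler}
	go Serve(srv, ln, cfg) // returns http.ErrServerClosed once stop() runs
	return ln.Addr().String(), func() { srv.Close() }, nil
}

// ProbeTLS is the post-deploy check: does the port complete a TLS handshake at
// all? Verification is skipped ("is TLS on", not "is the chain trusted"); a
// plain-HTTP listener fails or times out the handshake, so the probe says false.
func ProbeTLS(addr string) bool {
	d := &net.Dialer{Timeout: 2 * time.Second}
	conn, err := tls.DialWithDialer(d, "tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return false
	}
	conn.Close()
	return true
}

// WriteSelfSignedCert writes a throwaway self-signed Ed25519 certificate and key
// as PEM files into dir; constructed test material standing in for real files.
func WriteSelfSignedCert(dir string) (certPath, keyPath string, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return "", "", err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return "", "", err
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return "", "", err
	}
	certPath, keyPath = filepath.Join(dir, "cert.pem"), filepath.Join(dir, "key.pem")
	if err := os.WriteFile(certPath, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o600); err != nil {
		return "", "", err
	}
	return certPath, keyPath, os.WriteFile(keyPath, pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}), 0o600)
}

func main() {
	dir, err := os.MkdirTemp("", "tracker-tls")
	if err != nil {
		log.Fatal(err)
	}
	defer os.RemoveAll(dir)
	certPath, keyPath, err := WriteSelfSignedCert(dir)
	if err != nil {
		log.Fatal(err)
	}
	addr, stop, err := Start(Config{Addr: "127.0.0.1:0", TLSCertPath: certPath, TLSKeyPath: keyPath}, http.NotFoundHandler())
	if err != nil {
		log.Fatal(err)
	}
	defer stop()
	log.Printf("%s completes a TLS handshake: %v", addr, ProbeTLS(addr))
}
```

Against a build with the bug, the same `ProbeTLS` call reports false even though `tls_cert_path` and `tls_key_path` are set, which is a cheap thing to wire into a deploy check so a tracker never silently runs cleartext.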

f4nff commented 6 years ago

When is the time to fix it?

elico commented 6 years ago

@mrd0ll4r Would it be complex to listen on both http and https ports? ... leaving the FW to deny or allow access to each of these ports?

mrd0ll4r commented 6 years ago

I'll fix this today. Listening on both HTTP and HTTPS would only be possible if you used, say, nginx in front of chihaya and did it that way.

... leaving the FW to deny or allow access to each of these ports?

The middleware does not know whether the request came in through HTTP(S) or UDP (which is a good thing! That's what makes it so nice :) )

Tbh, I don't see a reason why any tracker should operate a plain HTTP frontend anymore. Getting certificates is really simple these days, and HTTPS doesn't eat your resources either. What's your use case for operating both HTTP and HTTPS at the same time?

elico commented 6 years ago

@mrd0ll4r locally (tier 3+2) I do not have any issues with plain http, but when traffic flows from the outside world, i.e. tier 1 ISPs, things start to get nasty and for some reason the plain text html page of mine gets all sorts of "decorations" in the form of ads and JS content.

mrd0ll4r commented 6 years ago

I see. I'd run chihaya on localhost on HTTP and reverse proxy through nginx - the outside world with HTTPS, your local stuff with HTTP. What do you think?

elico commented 6 years ago

@mrd0ll4r if chihaya knows to recognize X-Forward-For or X-Real-IP then it's good enough for me.

mrd0ll4r commented 6 years ago

Yup! Just set the real_ip_header config field to whatever the header is called. Leave allow_ip_spoofing disabled, otherwise the IP provided by clients in the announce will have priority. See the logic here.
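The precedence mrd0ll4r describes, as an added example that is not chihaya's own code: a hypothetical `IPConfig` with `real_ip_header` and `allow_ip_spoofing` fields and a `ClientIP` function that resolves the address to store for an announcing peer. The announce request, the header values and the loopback remote address are constructed to mimic the nginx-in-front setup from the thread; how chihaya itself parses a multi-valued `X-Forwarded-For` is not stated on the page, so the last-element rule below is this example's own choice.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// IPConfig mirrors the two config fields from the thread (hypothetical struct, not chihaya's own).
type IPConfig struct {
	RealIPHeader    string // real_ip_header, e.g. "X-Real-IP"; empty means trust only the socket address
	AllowIPSpoofing bool   // allow_ip_spoofing: let the announce's ip= parameter win
}

// ClientIP picks the address to record for an announcing peer. Precedence:
//  1. the ip= query parameter, but only when allow_ip_spoofing is on;
//  2. the configured real_ip_header, when present;
//  3. the TCP peer address.
// With a header configured the listener must only be reachable through the
// proxy that sets it; otherwise any client can choose the value, which is the
// same spoofing the thread says to leave disabled.
func ClientIP(cfg IPConfig, r *http.Request) (string, error) {
	if cfg.AllowIPSpoofing {
		if s := r.URL.Query().Get("ip"); s != "" {
			if ip := net.ParseIP(s); ip != nil {
				return ip.String(), nil
			}
			return "", fmt.Errorf("announce ip parameter %q is not an IP address", s)
		}
	}
	if cfg.RealIPHeader != "" {
		if v := r.Header.Get(cfg.RealIPHeader); v != "" {
			// X-Forwarded-For is a comma list that grows left to right as each
			// proxy appends what it saw: the last element was written by the
			// nearest (trusted) proxy, everything before it is client-supplied.
			parts := strings.Split(v, ",")
			last := strings.TrimSpace(parts[len(parts)-1])
			if ip := net.ParseIP(last); ip != nil {
				return ip.String(), nil
			}
			return "", fmt.Errorf("header %s value %q is not an IP address", cfg.RealIPHeader, v)
		}
	}
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return "", fmt.Errorf("remote address %q: %w", r.RemoteAddr, err)
	}
	return host, nil
}

// announce builds a constructed announce request arriving from remote with the
// given headers, the way a reverse proxy would hand it to a loopback tracker.
func announce(remote, query string, headers map[string]string) *http.Request {
	r := httptest.NewRequest(http.MethodGet, "/announce?"+query, nil)
	r.RemoteAddr = remote
	for k, v := range headers {
		r.Header.Set(k, v)
	}
	return r
}

func main() {
	viaProxy := announce("127.0.0.1:48210", "info_hash=x&ip=10.0.0.1",
		map[string]string{"X-Real-IP": "203.0.113.7", "X-Forwarded-For": "10.0.0.1, 203.0.113.7"})
	for _, cfg := range []IPConfig{
		{},                                                 // exposed directly: socket address only
		{RealIPHeader: "X-Real-IP"},                        // behind nginx, spoofing off
		{RealIPHeader: "X-Forwarded-For"},                  // comma-list header
		{RealIPHeader: "X-Real-IP", AllowIPSpoofing: true}, // ip= parameter wins
	} {
		ip, err := ClientIP(cfg, viaProxy)
		fmt.Printf("%+v -> %s %v\n", cfg, ip, err)
	}
}
```

With `real_ip_header` left empty, every peer behind the proxy is recorded as 127.0.0.1, which is the failure elico was asking about; with it set and `allow_ip_spoofing` off, the `ip=10.0.0.1` the client put in the announce is ignored and the proxy-observed 203.0.113.7 is stored.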