danwent / Perspectives-Server

network notary implementation for the Perspectives project
http://perspectives-project.org
GNU General Public License v3.0

Support https queries #19

Open daveschaefer opened 11 years ago

daveschaefer commented 11 years ago

Currently queries are sent to notaries using unencrypted http traffic. Messages are still cryptographically signed and verified using the notary's public key, so they are guaranteed to be correct and secure, but this is not ideal for privacy. Currently anyone watching the network can see the messages being sent and received.

We should allow clients to send queries over https.

daveschaefer commented 11 years ago

We'll probably need to generate a different, self-signed certificate for this. Would we be able to implement the HSTS header?

daveschaefer commented 10 years ago

Ticket to track client work: https://github.com/danwent/Perspectives/issues/81

daveschaefer commented 9 years ago

I wrote some basic code to set this up and it works. One issue is that CherryPy doesn't make it easy to allow collecting requests from multiple ports and sending it all to the same app. For example, on the official notary servers we'd want to take requests from HTTP 80, HTTP 8080 (for backwards compatibility) and HTTPS 443 and send them all to the notary server.

I asked on the CherryPy mailing list and the response was that CherryPy currently doesn't easily support forwarding or redirects across scheme types (i.e. from HTTP to HTTPS). They suggested that using a server like nginx in front of CherryPy would be a much easier way to set this up, and would likely have better performance to boot.

We may want to still add basic https if people would use that, but setting up nginx in front of CherryPy may be the way to go.

netsafe commented 9 years ago

Wrong implementation vector, guys =) Use NGinx to handle them both: HTTP and HTTPS. Like that:

http {
    proxy_cache_path /tmp/nginx.cache keys_zone=one:100m loader_threshold=300 loader_files=2000;
    proxy_temp_path /tmp/nginx.proxy_temp 1 2;
    ssl_prefer_server_ciphers On;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-DES-CBC3-SHA256:EDH-RSA-DES-CBC3-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:DES-CBC3-SHA256:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4:!SHA1';

    server {
        listen <your-ip>:80;
        server_tokens off;
        return 404;
    }

    # Perspectives notary - http
    server {
        server_name <your-domain-name>;
        listen <your-ip>:80 default_server;
        proxy_cache one;

        access_log off; # for increased user privacy

        location / {
            proxy_pass http://127.0.0.1:8081/;
            proxy_cache_valid 200 4h;

            # only cache 404s long enough for the server to run a scan
            proxy_cache_valid 404 1m;

            # headers to improve security
            add_header X-Frame-Options DENY;
            add_header X-XSS-Protection '1; mode=block';
            add_header Content-Security-Policy "default-src 'none'; img-src 'self'; style-src 'self';";
        }
    }
    # end of Perspectives notary http

    server {
        ssl on;
        ssi on;
        listen <your-ip>:443 ssl;
        server_tokens off;
        return 444;
        ssl_certificate     /www/ssl/sslstub.crt;
        ssl_certificate_key /www/ssl/sslstub.key;
    }

    # pass https entry in full compliance with http one
    server {
        server_name <your-domain-name>;
        listen <your-ip>:443 default_server;
        proxy_cache one;
        ssl on;
        ssi on;
        ssl_certificate     /www/ssl/sslcert.crt;
        ssl_certificate_key /www/ssl/sslcert.key;
        access_log off; # for increased user privacy

        location / {
            proxy_pass http://127.0.0.1:8081/;
            proxy_cache_valid 200 4h;

            # only cache 404s long enough for the server to run a scan
            proxy_cache_valid 404 1m;

            # headers to improve security
            add_header X-Frame-Options DENY;
            add_header X-XSS-Protection '1; mode=block';
            add_header Content-Security-Policy "default-src 'none'; img-src 'self'; style-src 'self';";
        }
    }
}

After that, force Python to bind not to 0.0.0.0 but to 127.0.0.1 (replace this hardcoded value in notary_http.py), and run it like that in daemontools:

s# cat run
#!/bin/bash

cd /perspectives
setuidgid perspectives /usr/bin/python notary_http.py --sni --webport 8081 --pycache 100M --cache-expiry 4H --dbtype sqlite --dbname notary.sqlite 2>&1

SSL cert generation is:

openssl req -x509 -nodes -days 365 -newkey rsa:16384 -sha512 -keyout /www/ssl/sslcert.key -out /www/ssl/sslcert.crt
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -sha512 -keyout /www/ssl/sslstub.key -out /www/ssl/sslstub.crt
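
A front-end configuration along the lines netsafe and daveschaefer describe, as an added example that is not code from the repository or from either of them: nginx answers plain HTTP on 80 and 8080 for existing clients and HTTPS on 443, proxies all three to the notary bound to loopback, and answers the HSTS question raised earlier in the thread. Assumed: the <your-domain-name> placeholder and /www/ssl paths from the thread, the notary on 127.0.0.1:8081, and an nginx new enough for TLS 1.3 and the `always` parameter of add_header.

```nginx
events { }
http {
    proxy_cache_path /var/cache/nginx/notary keys_zone=notary:100m;
    # TLS settings for the 443 listener; SSLv3 and TLS 1.0/1.1 are not offered.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_certificate     /www/ssl/sslcert.crt;
    ssl_certificate_key /www/ssl/sslcert.key;

    # Plain HTTP on 80 and 8080 stays: existing clients query over HTTP and
    # verify the notary's signature themselves. Do not redirect these to 443,
    # a 301 would break every client that only speaks HTTP.
    server {
        listen 80 default_server;
        listen 8080 default_server;
        server_name <your-domain-name>;
        server_tokens off;
        access_log off;   # a query reveals which site the user is visiting

        location / {
            proxy_pass http://127.0.0.1:8081/;   # notary bound to loopback only
            proxy_cache notary;
            proxy_cache_valid 200 4h;
            proxy_cache_valid 404 1m;   # just long enough for the notary to scan
            add_header X-Frame-Options DENY;
            add_header Content-Security-Policy "default-src 'none'";
        }
    }

    # Same backend over HTTPS. HSTS goes inside the location block, because
    # nginx does not inherit add_header into a block that defines its own.
    server {
        listen 443 ssl default_server;
        server_name <your-domain-name>;
        server_tokens off;
        access_log off;

        location / {
            proxy_pass http://127.0.0.1:8081/;
            proxy_set_header X-Forwarded-Proto https;   # lets the app tell the schemes apart
            proxy_cache notary;
            proxy_cache_valid 200 4h;
            proxy_cache_valid 404 1m;
            add_header X-Frame-Options DENY;
            add_header Content-Security-Policy "default-src 'none'";
            # Short max-age until clients trust the 443 certificate: with a
            # self-signed cert, HSTS turns a browser warning into a hard failure.
            add_header Strict-Transport-Security "max-age=300" always;
        }
    }
}
```

Validate with nginx -t before reloading; the notary process itself still has to be changed to bind 127.0.0.1, as netsafe notes above.
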

daveschaefer commented 8 years ago

Yep, good call netsafe :) nginx was the better way to go here.

With #46, #52, and #62 done we are good to go here for now. I'm going to work with Dan to hopefully set up nginx on all of the default notaries soon, and then add https.