Serve over HTTPS

[mottosso]

Is there any way to tell Visdom to make requests over HTTPS as opposed to HTTP?

When setting up a reverse proxy with HTTPS, pointing to localhost:8097, I get these messages (Chrome).

Mixed Content: The page at 'https://my.web.address/' was loaded over HTTPS, but requested an insecure script 'http://my.web.address/static/js/main.js?v=4b72317f763632006def9236be6408b4'. This content should also be served over HTTPS.

Which is fine for development purposes, however I also receive this error message that I'm not sure how to resolve.

WebSocket connection to 'ws://my.web.address/socket' failed: Error during WebSocket handshake: Unexpected response code: 301

And this (Edge)

SCRIPT5022: SecurityError
main.js (1,13767)

For completeness, here's the Caddy configuration on how I'm reverse proxying Visdom.

my.web.address {
    proxy / localhost:8097 {
        transparent
        websocket
    }

    log stdout
    errors stderr
}

[lvdmaaten]

I think in order to do this, we would have to make changes akin to this to py/server.py: https://stackoverflow.com/questions/20636145/tornado-ssl-certs?answertab=votes#tab-top

The basic idea is to pass a key-file and a cert-file into a tornado HTTPServer, and then run the server on port 443.

I think I would prefer to keep the default behavior as-is though: my hunch is quite a few users may want to run the visdom server on a different machine than the client(s), but may not have a CA-certificate? Hiding the https behavior behind a -cert_file flag seems fine though. Feel free to send a PR implementing that!

[mottosso]

I'm also uncertain about how exactly it can be done, but I don't think we need to involve certificates if certificates are handled by the reverse proxy; I think all we would need to do is have the Visdom web application make requests using the string https:// rather than http://. It'd be for addresses requested from itself, such as for it's CSS and Javascript assets.

If that doesn't sound familiar, I can take a closer look at where these requests might come from in the coming days.

[lvdmaaten]

If that's the case, perhaps adding something like this may do the trick?

def prepare(self):
        if self.request.protocol == "http":
            self.redirect("https://%s" % self.request.full_url()[len("http://"):], permanent=True)

You would presumably have to add it here (and hide it behind some input flag).

[lvdmaaten]

@mottosso Did you get a chance to test this potential solution?

[mottosso]

Hi @lvdmaaten, I did not, and have since moved on to other projects. Sorry about the noise.

[rubiagatra]

Can I help with this one @lvdmaaten @JackUrb ?

[JackUrb]

@rubiagatra of course if you'd like, however this is one of the few visdom issues that I don't really have any strong intuition on how to properly implement it as I have little to no experience with ssl or https requirements in general.

[andrewssobral]

If that's the case, perhaps adding something like this may do the trick?

def prepare(self):
        if self.request.protocol == "http":
            self.redirect("https://%s" % self.request.full_url()[len("http://"):], permanent=True)

You would presumably have to add it here (and hide it behind some input flag).

Hi @lvdmaaten , I have the same problem as described by @mottosso , I would like to try your solution but the link is broken, and when I go to the line 180 of server.py I don't find the right place to test your function. Can you help me please? Thanks in advance!