georchestra / docker

Quick start geOrchestra with docker

Migrate away from georchestra-127-0-1-1.traefik.me in the traefik docker compose file #219

Open edevosc2c opened 1 year ago

edevosc2c commented 1 year ago

Recently the certificate used for georchestra-127-0-1-1.traefik.me in the default traefik docker compose file was revoked by the Let's Encrypt entity.

This is an issue because on some browsers that actually check for revoked certificates the page did not load anymore; it returns a big error: SEC_ERROR_REVOKED_CERTIFICATE and there is no easy way to bypass the error.

I sent a message to the maintainer of traefik.me, and he confirmed the revocation:

image

In the future, I would propose to migrate from this custom TLS certificate because this poses some issues for developers that just want georchestra to work. The error message couldn't be "bypassed" easily.

Possible solutions:

edevosc2c commented 1 year ago

ping @jeanmi151 @pmauduit @jeanmi151 @emmdurin @fvanderbiest

fvanderbiest commented 1 year ago

Thanks for the investigation Emilien !

HTTP is not desirable at all. We want to be as close as possible to a production environment.

Self Signed is also the source of problems with several browsers.

There's no good solution. I do not see any urgency in changing how things work today.

When the "Bring your own Domain" solution is live, it may be worth giving it a try !

jeanpommier commented 1 year ago

I'd say there is an emergency there. Traefik.me certificate seems to be revoked half the time, which really disrupts the docker composition.

And using a self-signed certificate with georchestra-127-0-1-1.traefik.me doesn't work on my browser because of some HSTS stuff. That's really a mess.

I still think that having the option to run simple HTTP would be nice for dev & discovery (new users) purposes. Do you know which services have https hardcoded ?

edevosc2c commented 1 year ago

> I still think that having the option to run simple HTTP would be nice for dev & discovery (new users) purposes. Do you know which services have https hardcoded ?

Well technically everywhere there is HTTPS here: https://github.com/search?q=repo%3Ageorchestra%2Fdatadir%20https&type=code

Ideally the protocol should never be specified; scheme-relative URLs like //mydomain.com/test instead of https://mydomain.com/test should be used.
See here for a detailed explanation: https://stackoverflow.com/questions/35265762/scheme-relative-url

> And using a self-signed certificate with georchestra-127-0-1-1.traefik.me doesn't work on my browser because of some HSTS stuff. That's really a mess.

Odd because there are no HSTS headers in georchestra nor on traefik.me main domain.

fvanderbiest commented 1 year ago

Why not switch to georchestra-127-0-0-1.georchestra.org (that we manage) instead of traefik's ?

edevosc2c commented 1 year ago

> Why not switch to georchestra-127-0-0-1.georchestra.org (that we manage) instead of traefik's ?

If one day you were to implement HSTS on georchestra.org (the norm is to apply it to all subdomains) then everyone that tries to set up a self-signed certificate that is not trusted by the browser will get an error that can't be bypassed.

> If the security of the connection cannot be ensured (e.g. the server's TLS certificate is not trusted), the user agent must terminate the connection (RFC 6797 section 8.4, Errors in Secure Transport Establishment) and should not allow the user to access the web application (section 12.1, No User Recourse).

source: https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
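
The scenario in the comment above, as an added example that is not part of the original thread or of the georchestra code: a minimal model of how a browser parses, stores and matches HSTS policies under RFC 6797, which shows when a policy noted for a parent domain also binds a development subdomain. The function names, the `store` dictionary and any header values passed in are assumptions made for illustration.

```python
# Added example: RFC 6797 HSTS parsing and host matching (constructed data only).

def parse_hsts(header):
    """Parse a Strict-Transport-Security value; return None if invalid."""
    max_age, include_sub, seen = None, False, set()
    for part in filter(None, (p.strip() for p in header.split(";"))):
        name, _, value = part.partition("=")
        name = name.strip().lower()
        if name in seen:  # section 6.1: a directive may appear only once
            return None
        seen.add(name)
        if name == "max-age":
            value = value.strip().strip('"')
            if not (value.isascii() and value.isdigit()):
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        # any other directive is ignored, as the RFC requires
    if max_age is None:  # max-age is the one required directive
        return None
    return {"max_age": max_age, "include_subdomains": include_sub}


def note_hsts(store, host, header, now):
    """Update `store` as a browser would after a trusted HTTPS response."""
    policy = parse_hsts(header)
    if policy is None:
        return
    if policy["max_age"] == 0:  # max-age=0 removes the known HSTS host
        store.pop(host.lower(), None)
        return
    store[host.lower()] = {"expires": now + policy["max_age"],
                           "include_subdomains": policy["include_subdomains"]}


def covering_policy(host, store, now):
    """Return the known HSTS host whose policy binds `host`, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        entry = store.get(candidate)
        if entry is None or entry["expires"] <= now:
            continue
        if i == 0 or entry["include_subdomains"]:  # exact match or superdomain
            return candidate
    return None
```

A policy is only noted from a response received over a connection the browser already trusts, so a self-signed subdomain cannot clear a policy inherited from its parent; only the parent sending `max-age=0`, or the entry expiring, removes it.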

fvanderbiest commented 11 months ago

> If one day you were to implement HSTS on georchestra.org (the norm is to apply it to all subdomains) then everyone that tries to set up a self-signed certificate that is not trusted by the browser will get an error that can't be bypassed.

Let's buy georchestra-demo.org then ;-)