glos / myglos

Repository for MyGLOS (GLOS Data Portal)
GNU General Public License v3.0

Move portal.glos.us to https: #180

Closed tslawecki closed 6 years ago

tslawecki commented 6 years ago

Because of the use of accounts in myglos and the boaters' view, we need to switch to https: ASARP. I can install the certs on portal.glos.us, but am not sure what redirects, etc. need to be implemented to support this, and also if any changes are needed to the Docker apps. cc'ing @kknee @Bobfrat @cheryldmorse for input on Docker updates needed and reasonable timing, @kkoch FYI.

Bobfrat commented 6 years ago

I don't think we'll need any updates from the docker end if we can take care of this through nginx.

We'll likely see some warnings if we're making requests from an https application to http sources though.

kknee commented 6 years ago

@Bobfrat can you do this on dev first to see what the impact is, warning wise? If we are getting nasty browser warnings when the page loads, we may want to dig deeper into http sources to see if they can be updated.

Bobfrat commented 6 years ago

The dev site is available through https: https://dev.oceansmap.com/myglos/ If you use your browser's developer tools you'll see warning messages like this:

dev.oceansmap.com/:1 Mixed Content: The page at 'https://dev.oceansmap.com/myglos/' was loaded over HTTPS, but requested an insecure image 'http://data.glos.us/metadata/srv/eng/resources.get?uuid=6349eecd-2b05-46d5-93ed-fe87f00e4702&fname=sondes_sm_s.png'. This content should also be served over HTTPS.

tslawecki commented 6 years ago

If I understand correctly, in theory we "just" need to do the following for the cited warning:

1) Switch data.glos.us to https (add cert, DNS record)

2) Switch/redirect all http://data.glos.us references to https://data.glos.us

Or do we need to do something more?



Bobfrat commented 6 years ago

That's right! But there may be more requests to http resources, I'll check if there are any others.

kkoch commented 6 years ago

1) GeoNetwork comes to mind as something we may need to investigate.
2) Need to make sure we have redirects in place http >>> https in order to be sure Google Analytics tracking works. Devra will create a copy of our reports so that we have a set for http and a set for https. I've sent an email invite to @devra@webspinster.com to be a glos member for this repository so she can be updated on this ticket.

Bobfrat commented 6 years ago

@gitchrisadams is going to start looking at switching any hardcoded http endpoints to https so when the certs are added and https://data.glos.us is available we'll be ready with a new version of the portal. Good point @kkoch, if the UI is being fed http endpoints from GeoNetwork, those should be updated as well.

tslawecki commented 6 years ago

@cheryldmorse reiterated Bob's comments in a separate e-mail.

The best way to update to https would be to have http://data.glos.us and https://data.glos.us both available. That way the existing portal keeps working and we can test out the new portal. If we don't do that then we could still switch over to https and update the links at a later date. The problem with that approach is that the user would see a lot of mixed-content warning messages. We will also need to get the links in GeoNetwork updated and https available.

Most everyone is out on vacation next week and back in the office after the New Year.

Let's walk through the steps on our 1/4 call.

tslawecki commented 6 years ago

Per 1/4 call, let's write out the steps needed to make portal.glos.us https. Kelly suggested adding Ben Adams (did I get the right Adams?) to the assignees because he can identify dependencies. My naive list of steps:

  1. Adams reviews dev portal to identify dependencies and correct (where appropriate) http to https: in references.
  2. We collectively address dependencies as needed (e.g. switching GeoNetwork instance to https:)
  3. Add SSL cert to myglos VM hosting portal.glos.us and boaters.glos.us
  4. Updated docker container deployed
  5. DNS records updated
  6. Redirects on myGLOS VM?

kknee commented 6 years ago

I think both Adams are needed here: @gitchrisadams will look for and correct dependencies (@kkoch - for GeoNetwork, need to confirm that links to external images and services have https enabled and then update links - we already know that much of the mixed content comes from these links).

@benjwadams can help with certs if necessary.

kkoch commented 6 years ago

Is this also affecting data.glos.us? And/or any or all of the VMs (e.g., GN25 for GeoNetwork)?

I believe that if neither data.glos.us nor GN25 is affected at this first change, then we can phase in GN since data linkages, images and 'info' links all seem to work fine using dev https.

1) If so, within GN itself - links within GN will need to be updated (e.g., http://data.glos.us/portal/getObsByPlatform.php?provider=glos&platform=Western+Lake+Ontario+2+-+OMOECC+Environmental+Sensors)

2) And I would also need to change the metadata links within GN (what users get when they click on the "i" in the portal) (e.g., http://data.glos.us/metadata?uuid=605af2e1-b3a4-44ed-a9fd-1c9b141b7197).

3) Images as well - but that might happen automatically since it is not something embedded in a record like the above two items (e.g., http://data.glos.us/metadata/srv/eng/resources.get?uuid=3f6216e2-38ae-41cd-8e42-41720633f272&fname=photo-apn_s.png)

kknee commented 6 years ago

@kkoch we agree that changes to GN and other dependencies can be phased in after the switch for portal and boaters too since there are no issues on dev with https. That makes #3 above the crucial step for getting this done. Bob and I chatted and we don't think DNS updates are necessary, nginx will take care of redirect from http to https. We'll have @benjwadams look at the certs.

kknee commented 6 years ago

@benjwadams is waiting for the private key that was used to sign the certificate

tslawecki commented 6 years ago

Yep. I'm still looking for it ... I had to do a reload on my computer, so I'm not sure which GLOS server I ran openssl on to generate csr and key. Hope to resolve today.



kknee commented 6 years ago

thanks @tslawecki! wanted to make sure that request was documented here, as well as in ben's email

tslawecki commented 6 years ago

@benjwadams @kknee checking in on progress, especially if there's anything we need to do ...

kknee commented 6 years ago

@tslawecki nothing needed at the moment. @benjwadams is working on testing before going live.

tslawecki commented 6 years ago

@benjwadams @kknee https://portal.glos.us/ is now accessible from the Internet

devrap commented 6 years ago

Hi, @tslawecki (and @benjwadams and @kknee)--it looks like the assets aren't yet using https on the live version.

I was hoping to be able to start the analytics view switch today on the 1st, but as things are not yet technically live: any new ETA?

[image: https_status]

kknee commented 6 years ago

@devrap I believe there are still some firewall issues to be addressed. @tslawecki can you comment?

Even when the portal transition is complete, there will still be references to external http only links (e.g. from GN) until they - so browsers may still display warnings.

tslawecki commented 6 years ago

AFAIK firewall is open for portal.glos.us. Do we need to open access for GeoNetwork and others?



benjwadams commented 6 years ago

Hi, portal.glos.us and boaters.glos.us have both been moved to HTTPS only and will now redirect HTTP to the HTTPS endpoint using the glos.us wildcard cert. I'm going to close this issue for now. Do note that portal.glos.us is displaying mixed HTTP/HTTPS content warnings, which looks to be due to thumbnails (possibly other things?) from the GLOS GeoNetwork server.
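
An added example (not part of the thread or the MyGLOS code base): a small Python scanner for the dependency review discussed above. It lists the subresources an HTTPS page would fetch over plain HTTP and separates script-type loads, which browsers block, from image-type loads, which produce warnings like the one quoted earlier. The sample HTML and the script paths are constructed; only the image URL comes from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that trigger a subresource fetch.
# ACTIVE: browsers block these when an https page requests them over http.
# PASSIVE: images/media; browsers warn (or try to upgrade) instead of blocking.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href"),
          ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Only stylesheet <link>s are checked here; <a href> is navigation.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for name, value in attrs.items():
            key = (tag, name)
            if value is None or key not in ACTIVE | PASSIVE:
                continue
            # Resolve relative and protocol-relative (//host/path) references.
            url = urljoin(self.page_url, value.strip())
            if urlsplit(url).scheme == "http":
                severity = "active" if key in ACTIVE else "passive"
                self.findings.append((severity, tag, url))


def scan(page_url, html):
    """Return sorted (severity, tag, url) tuples for http fetches on an https page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on pages served over https
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return sorted(scanner.findings)


SAMPLE_PAGE = "https://dev.oceansmap.com/myglos/"
SAMPLE_HTML = """
<link rel="stylesheet" href="css/app.css">
<script src="//data.glos.us/portal/app.js"></script>
<script src="http://data.glos.us/portal/legacy.js"></script>
<img src="http://data.glos.us/metadata/srv/eng/resources.get?uuid=6349eecd-2b05-46d5-93ed-fe87f00e4702&amp;fname=sondes_sm_s.png">
<a href="http://data.glos.us/metadata?uuid=605af2e1-b3a4-44ed-a9fd-1c9b141b7197">info</a>
"""  # constructed sample markup
```

Running `scan(SAMPLE_PAGE, SAMPLE_HTML)` reports the hardcoded `http://` script as active and the GeoNetwork thumbnail as passive; the relative stylesheet, the protocol-relative script and the plain link are not flagged.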