hyperledger / identus-cloud-agent

Identus Cloud Agent
https://identus.io/
Apache License 2.0

didcomm service url over https #894

Closed jeyem closed 4 months ago

jeyem commented 7 months ago

Is this a regression?

Yes

Description

When the service is on https but the DIDComm service URL is statically configured on http for the agent runner, we get a browser security error for making an http request over https:

xhr.js:258 Mixed Content: The page at 'https://wallet.socious.io/connect/?_oob=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' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://54.85.201.2:8000/didcomm'. This request has been blocked; the content must be served over HTTPS.

Please provide the exception or error you saw

No response

Please provide the environment you discovered this bug in

No response

Anything else?

No response

yshyn-iohk commented 5 months ago

@jeyem, I apologize for the delay in replying to this thread.

Our infrastructure uses the API Gateway (APISIX) to manage TLS and expose the Mediator and the Agent REST API endpoints.

Managing TLS at the proxy layer is generally considered a best practice in modern distributed architectures. It abstracts the complexity of secure communications from the services themselves and allows centralized control over security policies and certificates. This approach is particularly beneficial in microservices architectures where numerous services need secure exposure to the outside world. The gateway can efficiently handle security, allowing service developers to focus on business logic and service functionality without compromising on security.

Moreover, managing TLS at the gateway simplifies certificate management, as you only need to manage certificates at the gateway level rather than for each service. This can also be more cost-effective and reduce the administrative overhead of certificate renewal and compliance checks.

TLS can also be implemented at the application level to simplify local development and prototyping. I'm not sure this feature will be a priority as we have tight resources and an extensive roadmap with other features.

Currently, we are looking for the right place to document TLS management and usage of the API Gateway in the deployments. Also, you can use any proxy for this purpose: APISIX, Caddy, Traefik, Nginx, etc.
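A preflight check for the mixed-content failure reported above, added here as an example and not code from the project: it decodes the invitation's `_oob` parameter, reads the did:peer:2 service element of the `from` DID, and lists every advertised DIDComm endpoint that is not https, so a deployment behind a TLS-terminating gateway can confirm the agent advertises the gateway's https URL rather than its internal http one. The did:peer:2 layout (dot-separated elements, an `S` element holding base64url JSON with abbreviated keys `t`/`s`/`r`/`a`), the placeholder key element and the sample invitation are assumptions or constructed for this example.

```python
import base64
import json
from urllib.parse import parse_qs, urlparse


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, as used by the _oob parameter and did:peer:2."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(obj) -> str:
    """Encode a JSON-serialisable object as unpadded base64url."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def peer_did_endpoints(did: str) -> list:
    """Return serviceEndpoint URIs from a did:peer:2 DID (assumed layout: dot-separated
    elements; an 'S' element is base64url JSON with t=type, s=serviceEndpoint)."""
    if not did.startswith("did:peer:2"):
        return []
    endpoints = []
    for element in did[len("did:peer:2"):].split("."):
        if not element.startswith("S"):
            continue
        ep = json.loads(b64url_decode(element[1:])).get("s")
        if isinstance(ep, dict):  # newer spec form: {"uri": ..., "accept": [...]}
            ep = ep.get("uri")
        if ep:
            endpoints.append(ep)
    return endpoints


def insecure_endpoints(invitation_url: str) -> list:
    """Every DIDComm endpoint in the URL's _oob invitation that is not https; these are
    what the browser blocks as mixed content when the wallet page is served over https."""
    oob = parse_qs(urlparse(invitation_url).query)["_oob"][0]
    invitation = json.loads(b64url_decode(oob))
    endpoints = peer_did_endpoints(invitation.get("from", ""))
    return [ep for ep in endpoints if urlparse(ep).scheme != "https"]


def make_peer_did(endpoint: str) -> str:
    """Build a did:peer:2 DID advertising `endpoint` (the key element is a placeholder)."""
    service = {"t": "dm", "s": endpoint, "r": [], "a": ["didcomm/v2"]}
    return "did:peer:2.Ez6LSplaceholderKey.S" + b64url_encode(service)


# Constructed sample: an invitation whose peer DID advertises the http endpoint quoted
# in the issue, i.e. an agent whose DIDComm service URL is still configured on http.
SAMPLE_INVITATION = {"type": "https://didcomm.org/out-of-band/2.0/invitation",
                     "id": "constructed-invitation-id", "body": {"accept": ["didcomm/v2"]},
                     "from": make_peer_did("http://54.85.201.2:8000/didcomm")}
SAMPLE_URL = "https://wallet.socious.io/connect/?_oob=" + b64url_encode(SAMPLE_INVITATION)
```

Running `insecure_endpoints(SAMPLE_URL)` on the constructed invitation returns the http endpoint; once the agent advertises the gateway's https URL the list is empty.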

essbante-io commented 4 months ago

This issue has been addressed and is now considered solved. If you have further questions or related concerns, please open a new issue.