puffinrocks / puffin

lightweight webapp catalog based on containers, with user interface à la mobile app store
GNU Affero General Public License v3.0

Use HTTPS for Puffin #6

Open Jeeppler opened 7 years ago

Jeeppler commented 7 years ago

Puffin registration, login and the app catalog administration don't use HTTPS. However, the moment users register or log in to the website they transfer their sensitive password from the client to the puffin server. The traffic between the user (client) and puffin (server) has to be always encrypted, so please use HTTPS.

loomchild commented 7 years ago

Yeah, I am aware of that. The current puffin.rocks is still in Alpha and all data is periodically deleted, but you are right, at some point I will need to address that. It's possible to activate HTTPS for individual applications via Let's Encrypt though, but there are some issues with it I am working on now.

bigdoods commented 6 years ago

Hi. I need to enable HTTPS connections to the catalogue so users can securely register etc.

How would you suggest enabling it on the server? Add it to nginx?

Also, where can I find out more information about how the HTTPS works for individual applications, I need more information as I will be adding my own.

Thanks

loomchild commented 6 years ago

Hi John,

Nice to hear from you, I didn't know you are still using Puffin.

The way to do it depends on how you host it - if you have nginx or apache httpd as a proxy in front of it, then yeah, the configuration will be there. If you are using a cloud provider, such as Amazon AWS or Google Cloud, they propose their own, simpler solutions for certificate management.

As for individual apps - there's a setting in the Settings menu to enable HTTPS before starting an application. It generates a certificate for each app using the free Let's Encrypt service. If you want to enable HTTPS for all your applications by default and they are all hosted on subdomains under the same domain (e.g. app.user.puffincatalog.com), then probably a simpler solution would be buying a wildcard certificate for the whole domain (e.g. `*.puffincatalog.com`).

Jarek

bigdoods commented 6 years ago

Yes, I am still using it :)

Is https/ Lets encrypt supposed to work without any other setup? I have tried checking the https box before I start the app and I have also tried LETSENCRYPT=True in puffin/core/config.py

A wildcard certificate for the domain can only apply to one level of subdomain, i.e. `*.puffincatalog.com` or `*.sub.puffincatalog.com`. `*.*.puffincatalog.com` would not be valid in this case. To solve, I was thinking to use one SSL certificate on the root domain (puffincatalog.com) and set https by default so that Let's Encrypt takes care of the application level SSL.

Thanks Jarek!
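As an added illustration (not code from the Puffin project or from either participant), the one-label limit discussed above is the hostname matching rule of RFC 6125 section 6.4.3 that browsers and TLS libraries apply; the checker below implements that rule, and the `puffincatalog.com` hostnames are constructed sample values.

```python
# Wildcard hostname matching as specified in RFC 6125 section 6.4.3:
# a wildcard may only be the entire left-most label of the certificate name,
# and it matches exactly one label of the presented hostname.


def wildcard_matches(cert_name: str, hostname: str) -> bool:
    """Return True if a certificate issued for cert_name is valid for hostname."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    c_labels = cert_name.split(".")
    h_labels = hostname.split(".")
    # Only "*" as the whole left-most label is allowed; "*.*.example.com",
    # "a*.example.com" and a bare "*.com" are rejected by conforming clients.
    if c_labels[0] != "*" or any("*" in lbl for lbl in c_labels[1:]):
        return False
    if len(c_labels) < 3:
        return False
    # The wildcard consumes exactly one label, so the label counts must agree.
    if len(h_labels) != len(c_labels):
        return False
    return h_labels[1:] == c_labels[1:]


def covered_hosts(cert_name: str, hostnames: list) -> list:
    """Subset of hostnames that a certificate for cert_name would cover."""
    return [h for h in hostnames if wildcard_matches(cert_name, h)]


# Constructed sample hostnames: two-level app.user names as the thread describes,
# and one-level names of the kind suggested later in the thread.
SAMPLE_HOSTS = [
    "puffincatalog.com",
    "app.puffincatalog.com",
    "app-user.puffincatalog.com",
    "app.user.puffincatalog.com",
]

if __name__ == "__main__":
    for name in ("*.puffincatalog.com", "*.user.puffincatalog.com", "*.*.puffincatalog.com"):
        print(name, "->", covered_hosts(name, SAMPLE_HOSTS))
```

Running the block shows that a single `*.puffincatalog.com` certificate covers the one-level names but not `app.user.puffincatalog.com`, while `*.*.puffincatalog.com` covers nothing.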

loomchild commented 6 years ago

In order to activate Let's Encrypt you need to set the following environment variables: LETSENCRYPT=True, LETSENCRYPT_TEST=False. You might also need to set your admin email to a valid one (admin user name is puffin, the first one that is created).

I wasn't aware that wildcard certificates don't work on multiple levels. In this case perhaps I could think about changing Puffin to replace subdomains by a simple '/' (puffincatalog.com/user/app), however not all apps will work in this setup.

bigdoods commented 6 years ago

I can confirm that just setting the environment variables is not enough for encryption (I have updated these inside puffin/core/config) and I am trying to update the admin email 'to a valid one'. My approach was to create a new user and assign it the admin access that puffin has. I have managed to access the users in the db via exec'ing into the container and running python3 puffin.py user list. I can see the users as I create them but no indication whether they have admin status or not.

My solution to the problem of wildcards not working on multiple levels was to buy a single certificate for the base domain and then to apply the HTTPS setting as default (my next task).

loomchild commented 6 years ago

Currently admin is hardcoded, you can't have other admin users.

In order to investigate what is wrong with HTTPS, please analyse the logs of containers responsible for let's encrypt - both "proxy" containers. You can also exec directly to them and try executing the command manually. It currently works on puffin.rocks, I don't know what can be the issue on your side - there are many possibilities. I was thinking the email could be an issue, since Let's Encrypt project requires and validates it (see their docs).

I understand that you are working on a fork of the project - feel free to share your developments with the upstream repo if they are generic enough, otherwise I won't be able to help you developing them.

loomchild commented 6 years ago

I am considering changing the app subdomains to the form - (one level), which would simplify using a wildcard. This will also simplify launching several instances of the same app (another objective of mine). I will also probably add HTTPS on puffin.rocks.

bigdoods commented 6 years ago

Hi Jarek,

I still have the issue that https is not working for applications.

What are the steps to update the admin email? In the UI, it is greyed out.

Thanks

Jeeppler commented 6 years ago

@loomchild SSL Letsencrypt is on the way to introduce wildcard certificates: https://community.letsencrypt.org/t/acmev2-and-wildcard-launch-delay/53654

loomchild commented 6 years ago

Hi @bigdoods,

Currently you can only update admin email directly in the database, there's no UI. Admin user is called puffin. Initial email is puffin@.

Jarek