Provide some way to connect to WebSocketSecure (wss://)

riemann / riemann-dash

An HTTP dashboard for Riemann.

MIT License

248 stars 102 forks source link

Provide some way to connect to WebSocketSecure (wss://) #14

Closed default50 closed 11 years ago

default50 commented 11 years ago

I set up riemann-dash behind apache as a reverse proxy to provide digest authentication to secure its access. I have also enabled SSL on that VirtualHost to provide encryption for the now flying passwords.

On Firefox it is forbidden (by default) to connect to a normal websocket coming from an HTTPS site, so the dash is unusable with that set up. Chrome doesn't care about it and works the same.

I found this related info

I tried two different approaches:

I installed stud to enable SSL for riemann's websockets (as recommended for aleph) but couldn't make it work. I'm guessing there's something missing from the dash as a client? There's a chance I missed something, though.
I toggled network.websocket.allowInsecureFromHTTPS on Firefox's config and it worked, but I think we could work out a way to avoid this.

Let me know if you need any extra information or test setup maybe.

Thanks!

aphyr commented 11 years ago

I imagine we'd need an SSL terminator in front of ws-server. Might be able to do it in Netty directly, though my limited contact with Java's SSL suggests this is a path fraught with peril. If you figure something out let me know!

--Kyle

default50 commented 11 years ago

I imagine we'd need an SSL terminator in front of ws-server. Might be able to do it in Netty directly, though my limited contact with Java's SSL suggests this is a path fraught with peril.

I recall you saying that you were using Aleph for the websockets server, right? I found this and this which may be relevant (or not) to have WSS support directly into riemann.

But maybe we can avoid all that by proxying the requests through stud, as I tried before, which should terminate the SSL part and forward the socket directly into riemann. I think I have the setup right, but it didn't work (neither in Chrome nor in Firefox).

I tried entering wss:// as a prefix into riemann-dash besides changing the port to the stud one, but to no avail. When connections arraive to stud I can see it in the logs (even connections with errors), but from all my tries in the dash I didn't see any SSL connection arriving. That's why I think maybe there's some required change in the dash to enable WSS backends.

default50 commented 11 years ago

Hi!

Sometime along the way I could make stud work perfectly for terminating SSL in front of riemann-dash. My config is as follows:

# cat /etc/stud/riemann-ws.conf 
OPTIONS="-f *,6555 -b 127.0.0.1,5556 --ssl"
CERT="/etc/stud/riemann.pem"

And now with this pull the dash works perfectly under https.

I will close this issue, and I think you could recommend stud to deal with SSL web sockets in the future.

Thanks!

hanynowsky commented 10 years ago

@default50 Thanks for this use case.I am on the same trouble. COuld you please tell us what the new riemann-dashboard url is then.

My running command is stud -f *,6555 -b 127.0.0.1,5556 --ssl /etc/stud/toto.dom.info.pem Yet I can't access the dashboard when using https://toto.dom.info:6555/ while I still can access it using the default address: http://toto.dom.info:4567/

@aphyr Does it mean I am using the wrong version of riemann-dash ?

default50 commented 10 years ago

@hanynowsky the stud trick is only for securing the websockets part of the dash with SSL. Hence, you have to access the dash and change the URL of the websocket on the text box you have on the top right with the URL from stud (toto.dom.info:6555 in your case). Make sure to save the config after that.

To secure the web part of the dash you'll have to use an SSL proxy in front of it, like Apache or nginx.