seattleflu / incidence-mapper

R interface to database, map model training, and model data API Server
MIT License

HTTPS support for the web API #123

Open tsibley opened 5 years ago

tsibley commented 5 years ago

We'll need the web API to be available over HTTPS (with a browser-trusted cert) so that our HTTPS-only site seattleflu.org can make successful cross-origin requests for viz.

I ran into this last night while prototyping viz for https://seattleflu.org/current on a dev server that wasn't localhost. While the model web API allows cross-origin requests, the browser denies cross-origin requests of any kind from an HTTPS origin to an HTTP origin by preventing the CORS preflight request.¹

There is no rush on this, as our viz isn't ready to deploy to production yet and this issue doesn't block (most) dev. That said, getting that viz into production is a priority for the next couple weeks and HTTPS support for the model web API is a blocker to that.

¹ See the second "possible cause" on this doc page.
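The browser rule described in the comment above can be modelled as follows. This is an added example, not part of the original thread or the project's code; it is a simplified reading of the W3C Mixed Content and Secure Contexts rules, and the function names and `example.test` URLs are constructed for illustration.

```javascript
// Simplified model: only https: pages are treated as restricting mixed
// content, and only loopback hosts are exempted for plain-HTTP targets.

// Is the target URL's origin "potentially trustworthy"? (simplified)
function isPotentiallyTrustworthy(url) {
  const u = new URL(url);
  if (u.protocol === "https:" || u.protocol === "wss:") return true;
  const host = u.hostname.toLowerCase();
  // Loopback is exempt even over plain HTTP, which is why a localhost
  // dev setup does not surface the problem.
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host)) return true;
  if (host === "[::1]") return true; // WHATWG URL keeps the brackets
  return false;
}

// Decide what happens to a fetch()/XHR issued by pageUrl to requestUrl.
function classifyRequest(pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl);
  const pageIsSecure = page.protocol === "https:";
  if (pageIsSecure && !isPotentiallyTrustworthy(requestUrl)) {
    // Blocked before any CORS handling: the server's
    // Access-Control-Allow-Origin header is never consulted.
    return "blocked-mixed-content";
  }
  if (page.origin === req.origin) return "same-origin";
  // The request leaves the browser; CORS response headers then decide.
  return "cross-origin-cors";
}

// Constructed sample targets, checked against the HTTPS site from the thread.
const page = "https://seattleflu.org/current";
const targets = [
  "http://api.example.test/query",                   // plain-HTTP API (constructed)
  "http://localhost:8080/query",                     // local dev API (constructed)
  "https://incidence-mapper.seattleflu.org/query",   // HTTPS API, path constructed
];
for (const t of targets) {
  console.log(`${page} -> ${t}: ${classifyRequest(page, t)}`);
}
```

Only the first target is blocked outright; the other two proceed to normal CORS checks, so permissive CORS headers on the API do not help until it is served over HTTPS.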

famulare commented 4 years ago

@devclinton @tsibley We can do this. Also, we'd like to set up seattleflu.org domain name for the API service instead of just a naked IP address. I'm not sure if that would prove to be related.

tsibley commented 4 years ago

Thanks! A verifiable certificate will require a domain name, so might as well make it a seattleflu.org one. I have control over DNS and can add a subdomain for you if you give me details. (We could also have the existing seattleflu.org web server proxy requests to your backend if you'd rather requests be on seattleflu.org under some path.)

devclinton commented 4 years ago

What details do you need, @tsibley? I should be able to provide those to you.

tsibley commented 4 years ago

@devclinton Wasn't sure if you wanted an A record or a delegation of a subzone to your own DNS servers. Happy to just do an A for now, in which case just need:

  1. Subdomain or subpath you want
  2. Confirmation that IP address is 40.112.165.255 (unless you wanted a CNAME/ALIAS record for some internal hostname?)

devclinton commented 4 years ago

Sorry, I needed to confirm the IP. The IP you have is correct. I think the domain is up for discussion. I would think we could do incidencemapper.seattleflu.com. I am not very opinionated there. I think that name would most likely be the most descriptive and clearly tie this project to the domain.

tsibley commented 4 years ago

incidence-mapper.seattleflu.org now resolves to that IP.

devclinton commented 4 years ago

Do you have a site-wide cert or a subdomain cert you can send me so I can update my nginx configuration? I can try to go the free route, but usually you need ownership of the root domain for that, so I am thinking I will need to be provided one.

tsibley commented 4 years ago

We use the excellent Let's Encrypt for seattleflu.org and backoffice.seattleflu.org. Heroku handles the interaction with Let's Encrypt for the former, and we have an automated Let's Encrypt client, Certbot, configured for the latter. I don't have a wildcard cert on hand, although might be able to obtain one.

Let's Encrypt doesn't require ownership, only the co-operation of the owner, which you have from me. :-) So you should be able to set up Certbot for incidence-mapper.seattleflu.org which automates against your nginx infrastructure. This would be my preferred approach rather than maintaining a wildcard cert since that will require us to coordinate renewals (which are frequent).

devclinton commented 4 years ago

Awesome! I already have a Let's Encrypt Docker solution ready to go for this that should need minimal configuration for our existing deployment. I should finish that by EOD today. I will update the ticket once done and close the ticket.

devclinton commented 4 years ago

SSL should be enabled. I am waiting on the port to be opened by the IT team. Sorry for the delay.