xcube-dev / xcube

xcube is a Python package for generating and exploiting data cubes powered by xarray, dask, and zarr.
https://xcube.readthedocs.io/
MIT License

serve images over https #302

Open tiagoams opened 4 years ago

tiagoams commented 4 years ago

At the moment images are sent over http. Even if the viewer is being served over https, and time series are being plotted, the browser will show a mixed content warning regarding the images:

Loading mixed (insecure) display content "http://datacube.cefas.co.uk/datasets/demo/vars/c2rcc_flags/t…3/1.png?vmin=0&vmax=1&cbar=viridis&time=2017-01-30T10:46:34Z" on a secure page

For servers to have all the traffic SSL secured, standard practice in operational servers, it will be necessary to change this. For instance, Chrome will show Not secure on any page with mixed content.

I would like to hear that this is not an xcube limitation, and can be changed in the server's web server configuration, but I don't think so as I see it in all the xcube servers I have looked at.

forman commented 4 years ago

@tiagoams insecure image tile calls are made for most public background maps. In your case, insecure tile calls are made for the cube variables which is due to your own web server configuration.

tiagoams commented 4 years ago

@forman at the moment I see the background maps as a separate issue as these are not affected by blocking port 80 on the server. True, this will be enough to make the browser have the Not secure label but it is not as urgent for me as it allows me to deploy the server.

As an example that this is seen in other systems, on the dcs4cop-demo-viewer the same warnings are issued for images served over ssl.

Loading mixed (insecure) display content "http://service.demo.dcs4cop.eu//xcube/api/latest/datasets/c_…in=272.15&vmax=297.15&cbar=inferno&time=2017-12-31T00:00:00Z" on a secure page

Of course this doesn't prove it can't be done, so is there an example when this problem has been solved and images are being served over https?

But if this is as you say not related to xcube, then can you say where the problem lies (apache configuration, firewall?). If I am able to understand what the configuration is supposed to do it will be easier to achieve.

It surprises me that in webapi/, the tornado.web.Application function is not passed ssl_options. In my tests with tornado framework I had to do this to serve over SSL.

Thanks

tiagoams commented 4 years ago

Just to eliminate a possible problem, I have checked that our VM's webserver is translating http to https, but the browser still received the satellite images from an http address.

Apache's conf file has:

    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI}
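Added example, not part of the thread and not xcube's code: a sketch of how a backend sitting behind a TLS-terminating proxy can end up handing `http://` image URLs to a page loaded over https, and how honouring `X-Forwarded-Proto` from a trusted proxy only changes that. It assumes the backend builds absolute image URLs from the request it receives; the host, path, proxy address and function names are constructed for illustration. The browser raises the mixed-content warning from the scheme in the URL it is given, before any http-to-https redirect can take effect.

```python
import ipaddress
from urllib.parse import urlencode, urlsplit

# Assumption: the TLS-terminating reverse proxy reaches the backend from here.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8")]


def external_scheme(peer_ip, headers, default="http"):
    """Scheme the browser used, taken from X-Forwarded-Proto only if the
    direct peer is a trusted proxy; otherwise the header is ignored."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return default
    hdrs = {k.lower(): v for k, v in headers.items()}
    # A chain of proxies appends values; the last one was written by our peer.
    proto = hdrs.get("x-forwarded-proto", "").split(",")[-1].strip().lower()
    return proto if proto in ("http", "https") else default


def absolute_url(peer_ip, headers, path, query):
    """Build the absolute URL that is handed to the viewer for an image."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    scheme = external_scheme(peer_ip, headers)
    return f"{scheme}://{hdrs['host']}{path}?{urlencode(query)}"


def is_mixed_content(page_url, resource_url):
    """True when a secure page references a plain-http subresource."""
    return (urlsplit(page_url).scheme == "https"
            and urlsplit(resource_url).scheme == "http")


# Constructed sample request; host, path and header values are made up.
PAGE = "https://datacube.example/viewer/"
PATH = "/datasets/demo/vars/example_var/tile.png"
QUERY = {"vmin": 0, "vmax": 1, "cbar": "viridis"}

if __name__ == "__main__":
    cases = {
        "proxy sends no header": ("127.0.0.1", {"Host": "datacube.example"}),
        "proxy sends X-Forwarded-Proto": (
            "127.0.0.1", {"Host": "datacube.example", "X-Forwarded-Proto": "https"}),
        "untrusted peer spoofs header": (
            "203.0.113.7", {"Host": "datacube.example", "X-Forwarded-Proto": "https"}),
    }
    for name, (peer, hdrs) in cases.items():
        url = absolute_url(peer, hdrs, PATH, QUERY)
        print(f"{name}: {url} mixed={is_mixed_content(PAGE, url)}")
```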