xmppo / node-xmpp-bosh

An XMPP BOSH & WebSocket server (connection manager) written on node.js using Javascript
https://github.com/xmppo/node-xmpp-bosh

switchable secure mode #97

Open rusekr opened 10 years ago

rusekr commented 10 years ago

Hello! I want to add an option for starting https with wss instead of an http server with ws.

Minor changes - a new feature. Some people may need this. For example, we need secure websockets now for testing :) I tried not to break the coding style/modularization. And big thanks for the original :)

dhruvbird commented 10 years ago

@rusekr Thanks for the PR. However, is it possible for you to use nginx before the bosh proxy? nginx can be configured to terminate https (and hence wss).

The reason(s) that I'm reluctant to add https support is that:

  1. node.js is single threaded, and performance will be impacted
  2. the next thing people will want is gzip compression
  3. these things are better handled by software meant for and optimized to provide the above functionality (aka nginx).

Would you consider using nginx before the bosh proxy? Is there something that the nginx based solution can't provide?

rusekr commented 10 years ago

Maybe in production we'll be using nginx. But for now nginx still needs to be installed and configured, while https is already required. And having an option to enable https without additions seems not too bad for us :)

p.s.: Maybe nodejs performance is not as bad as it was earlier. Here http://habrahabr.ru/post/123154/ people succeeded in testing 1 000 000 simultaneous connections to a nodejs server.

p.p.s: Gzip - http://stackoverflow.com/questions/8880741/node-js-easy-http-requests-with-gzip-deflate-compression

dhruvbird commented 10 years ago

Is it possible for you to use https://github.com/nodejitsu/node-http-proxy for testing? It seems easier to set up than nginx.

The test http://habrahabr.ru/post/123154/ uses the cluster module (hence not single threaded, whereas node-xmpp-bosh is single threaded) and only compares small http requests (not https or any processing involved). Because of all the processing overhead involved in a bosh server, typical QPS doesn't cross a few thousand.

Thanks for the gzip link! However, my concern is with the gzip CPU overhead instead of the ease of use (of which, I may add, node.js has been a champion).

I wrote a post on scaling parts of your stack separately http://dhruvbird.blogspot.com/2011/03/scale-out-with-services-scale-services.html a while ago, and you would typically have more bosh proxy instances than nginx instances, and management is easier if the TLS certs are in one place (nginx or apache for example) rather than all over the place.

Is it possible for you to avoid https natively in the bosh proxy?

mr-tron commented 10 years ago

If nginx is already used on the server, it makes complete sense. But it is not a good idea to add yet another system element without a strong reason. node-xmpp-bosh is equal in https speed to nginx, but nginx is wasteful of memory for established connections. That is critically important for an xmpp server because of low traffic but lots of connections. P.S. Sorry for my English.

rusekr commented 10 years ago

Oh. Got it.

dhruvbird commented 10 years ago

I have some more comments before I can get this in - will post in a bit.

dhruvbird commented 10 years ago

I can buy the performance argument (wrt # of connections using more resources, etc...) as a valid reason to support https built-in.

rusekr commented 10 years ago

Hello! Just another variant. I will comment on all this and your comments in about two hours (:

rusekr commented 10 years ago

Hello, dhruvbird! Check this version (1.3). Modified unit tests included. --secure parameter. About ssl parameters and behaviour - all are now checked as described in http://nodejs.org/api/tls.html#tls_tls_createserver_options_secureconnectionlistener . But some parameters differ, as I commented in the config: "For key, cert, pfx and ca you can use links to files here."

rusekr commented 10 years ago

bump :)

rusekr commented 10 years ago

Fixed the priority of the "--secure" run option. Now https works when configured in bosh.conf.js too.

flekmatik commented 10 years ago

I am not sure why this isn't merged already. We are trying to use this library, but current browsers (Chrome) won't permit insecure connections from https pages. Deploying another proxy just for one server when all of our other node servers use https just fine doesn't make much sense.

mr-tron commented 10 years ago

Probably you tried to test without secured certificates: https://code.google.com/p/chromium/issues/detail?id=141839

cervajs commented 10 years ago

+1 for merge

HLFH commented 9 years ago

+1 for merge.

dhruvbird commented 9 years ago

I'm getting the following error (not sure if I'm doing it right):

  1. bash scripts/generate_cert.sh
  2. node run-server.js --secure --config=./bosh.conf.example.js

Output:

$ node run-server.js --secure --config=./bosh.conf.example.js
+----------------------------------------------------------------------------------------------------------------------------+
| Starting BOSH server 'v0.7.10' on 'https://0.0.0.0:5280/^\/http-bind(\/+)?$/' at 'Wed Apr 22 2015 12:38:43 GMT-0400 (EDT)' |
+----------------------------------------------------------------------------------------------------------------------------+

crypto.js:176
      c.context.loadPKCS12(pfx);
                ^
Error: not enough data
    at Object.exports.createCredentials (crypto.js:176:17)
    at Server (tls.js:1128:28)
    at new Server (https.js:35:14)
    at Object.exports.createServer (https.js:54:10)
    at new HTTPServer (/home/dhruvbird/node-xmpp-bosh/src/http-server.js:340:33)
    at Object.exports.createServer (/home/dhruvbird/node-xmpp-bosh/src/bosh.js:291:14)
    at Object.exports.start_bosh (/home/dhruvbird/node-xmpp-bosh/src/main.js:58:25)
    at main (/home/dhruvbird/node-xmpp-bosh/run-server.js:187:24)
    at Object.<anonymous> (/home/dhruvbird/node-xmpp-bosh/run-server.js:201:1)
    at Module._compile (module.js:456:26)

rusekr commented 9 years ago

It can't find the certificate file mentioned in --config=./bosh.conf.example.js.

It has to be a key and cert pair or one pfx file (in this config it is named ./cert/server.pfx).

You can interactively generate a sample pfx certificate by running: "bash scripts/generate_cert.sh pfx"

or edit the configuration file to use the generated key and crt pair without the "pfx" option.

The script puts it in the ./cert directory.

Normally these file(s) are given by a certification authority, or generated by you and signed by a certification authority; then it will be "green" in the address bar in the browser.

sdebnath commented 9 years ago

Hey guys, any updates on this? The HTTPS option is required for any single page app (SPA) trying to communicate with the BOSH server if the app itself is served securely. Yes, the SSL terminating proxy ahead of the bosh should solve the issue, however this is a major PITA for dev/uat scenarios in startups where resources are already desperately low. Any help will be appreciated.

mr-tron commented 6 years ago

lol. more than two years.