To serve https requests in Ktor, their documentation states you need to set some config properties (ktor.security.ssl) in application.conf, such that Ktor can find the ssl certificate. However, I want to retrieve the ssl certificate from another server (via an encrypted connection).
Can I setup my Ktor server in such a way that I retrieve this certificate and enable https on server startup?
If anyone is still wondering about this, the way to do this is to start your Ktor server as an embedded server and supply it with your own ApplicationEngineEnvironment (As a reference you can use the function io.ktor.server.engine.CommandLine.Kt).
In this ApplicationEngineEnvironment you can customize the way the SSL certificate is loaded.
Related
I'm trying to get a SOAP web service set up with Spyne. So far, so good. I have a web service,but not I need to secure the data in-flight with SSL. Is there a way to attach a certificate to the Spyne app so my connection is encrypted?
Thank you!
I've looked at the help guides on Spyne.io and have not found the info I need about SSL.
You need to use either a reverse proxy setup (like nginx) that will terminate the SSL connection outside of the Python process (recommended) or you have to use OpenSSL (or similar) bindings to create an SSL socket for yourself.
You can use twisted's ssl capabilities via the WsgiApplication. Have a look: https://twisted.readthedocs.io/en/twisted-17.9.0/web/howto/using-twistedweb.html
Ant-Media-Server is running on an IPAdress without any domains. We just set up this server to be used for streaming in order to use it from different domains pointing to different servers.
Since all of our domains use ssl, we face the typical connection problem:
mixed Content: The page at 'https://SOMEDOMAIN.com/QUERY' was loaded over HTTPS, but attempted to connect to the insecure WebSocket endpoint 'ws://1.2.3.4:56'. This request has been blocked; this endpoint must be available over WSS.
Ant-Media already offers tutorials on how to install a Let's Encrypt SSL Certificate but sadly it is not available for pure IP-Addresses.
Apart from the Ant-Media Service, the server doesn't has any NGINX, NodeJS, Apache or other http Servers installed - the plan was just to use it for streaming by calling the IP-Address.
Do you have any ideas on how to solve that problem?
Unfortunately, this is not possible.
The goal of having a SSL is ensure you are requesting the right domain name besides encrypting the content between your users and your server.
Here are some alternatives:
create an endpoint in your own app that proxies data to your server.
Instead of playing the IP address, you can play:
/your-proxy-url?stream=http://yourIp.com:port/....
Note that using a proxy will make all the traffic pass through your web app.
As a reference, if you are using PHP on your website, you can have some ideas from here: https://gist.github.com/iovar/9091078
Create a reverse-proxy in front of your web app that redirects the traffic to your IP address.
Both solutions does not change your Ant Media Server, just adds a new resource between your users and your streaming server - adding the SSL on it.
I'm trying to write a service, my service is a WebsocketServer is written in nodejs, with express and the ws module. This service should be installed with node-webkit locally on a computer(on localhost) to communicate with a web site in https:// to exchange information. My problem is, that i need a trusted certificate for localhost(its not possible), because all browsers give a warning if i use a self signed certificate. I know i can ignore that warning, but in the future this software should be distribuited, and i dont want to give that warning for future clients. Is there a good way to resolve this problem?
Use one of the following options to work around this:
Package your client-side interface as a browser extension
Setup a Message Queue which transforms messages to your node server as Websocket requests
Use a PAAS provider with free certificates to proxy to your domain
References
How do I use a self signed certificate for a HTTPS Node.js server?
Simulating GitHub OAuth2 Login for Tests with JUnit, Webdriver & Hoverfly
Apache configuration using Self Signed Certificate - YouTube
Amazon SES: Sendmail
SMTP Gateway Plugin for RabbitMQ
Sending RabbitMQ messages via websockets
I'm setting up HTTPS Load Balancing (LB) on Google Compute Engine (GCE). Key components are outlined in the Overview Diagram.
After successfully creating a HTTP Backend Service where 1 of 1 (GCE) instance is healthy, I decided to do the same for HTTPS. I'm using the Developer Console UI to do this.
The Healtheck "wizard" provides a drop-down menu for protocol with the option HTTP and HTTPS:
The successful HTTP Heathcheck used the path :8080/admin/healthcheck.
Presumably the HTTPS Healtheck will use the path :443/admin/healthcheck. The problem is my HTTPS Healthchecks are failing. This was expected since when visiting https://[INSTANCE_IP]:443/admin/healthcheck in a browser, it could not connect. So I didn't expect the Healthcheck to mark the instance as healthy.
How can I connect to https://[INSTANCE_IP]:443/admin/healthcheck over TLS, do I merely need to upload a certificate and create a Certificate Resource in the Developer Console (I doubt it)?
I think it's a conceptual problem too.
The URL https://[INSTANCE_IP]:443/admin/healthcheck does exist, I think because the instance doesn't implement TLS, the Healthcheck fails.
What is the relationship between a uploading a certificate (i.e. creating Certificate Resource) and a specific GCE instance accepting HTTPS requests such that HTTPS HealthCheck pass?
After re-reading the documentation, it is stated:
The client SSL session terminates at the load balancer. Sessions
between the load balancer and the instance can either be HTTPS
(recommended) or HTTP. If HTTPS, each instance must have a
certificate.
It is the last sentence that I was trying to achieve because HTTPS Healthchecks use a HTTPS URL to check the 'health' of an individual instance:
https://[INSTANCE_IP]:443/admin/healthcheck
Since this was failing, I incorrectly assumed I needed to implement TLS on each instance for the Healthcheck to succeed. However, I do not require each instance to implement TLS (HTTPS), only the Load Balancer.
The final configuration I used involved creating a new HTTPS Target Proxy, which pointed to the same Backend Service used for the HTTP Target Proxy. In other words: 2 Target Proxies (HTTP and HTTPS), but only one Backend Service).
Since Healthchecks are employed by Backend Services, the only Healthcheck required was the (original) unsecure Healthcheck, i.e.
http://[INSTANCE_IP]:8080/admin/healthcheck
The next sentence is important to:
The Beta release of HTTPS load balancing only supports a single SSL
certificate with a single load balancing service.
If the beta release only supports a single SSL certificate, I assume this certificate belongs to the LB, and therefore, on the beta at least, it's not actually possible to secure individual instances.
I have two remote servers that run two play framework services (client, server) and I want to configure SSL mutual Authentication between them.
Iam using Nginx as a reverse proxy to the server and Iam trying to use Nginx as forward proxy in front of the client.
The reverse proxy works perfectly and I tested it by importing the client certificate to a browser and tested authentication. My problem in the client server I need to configure Nginx on the client server as forward proxy to send the client certificate in its request.
Can Nginx do that (I googled a lot and I can't find a way). Or will I have to use Apache or squid as forward proxy?
Is there a better way to do the mutual SSl Authentication between the two servers?
Thanks in advance for any guidance.
nginx doesn't support two-way/mutual authentication using client cert/key.
I have added support for mutual auth for connecting to upstream weblogic server.
See the patch details:
https://github.com/nginx/nginx/pull/7
http://mailman.nginx.org/pipermail/nginx-devel/2014-August/005817.html