How can I run GZWeb over HTTPS/SSL?
We run an integration of GZWeb in the cloud, embedded via iFrame into our main webserver. With Google making a big push to everyone to run HTTPS only, we find we are restricted because gzweb is only HTTP, and we get blocked iframes due to mixed content.
Is there any way to run the viewer via HTTPS? I'm completely inexperienced with nodejs...
Asked by srees on 2017-04-11 16:38:14 UTC
Answers
an intermediate https/http proxy?
Asked by eugene-katsevman on 2017-04-11 16:41:04 UTC
Comments
It may be possible (can we make gzweb aware of its DNS name?), but gets very complicated in our situation, referencing a lot of clients' cloud servers. We don't really want the hassle of trying to proxy all their stuff and would prefer to be able to tell them how to enable SSL themselves for their application.
Asked by srees on 2017-04-11 16:58:51 UTC
I don't get what you've said, sorry, due to my poor English. I was thinking of a reverse proxy, which will stay on the same host as gzweb, unpacking https requests from clients to http for gzweb and vice versa.
Asked by eugene-katsevman on 2017-04-11 18:59:07 UTC
or maybe I'm half asleep
Asked by eugene-katsevman on 2017-04-11 19:01:02 UTC
I'll have to look into that idea further. My preference though would be to modify/update the existing webserver to support SSL.
Asked by srees on 2017-04-11 19:04:48 UTC
Please feel free to make a pull request proposing the changes. This is currently how the server is spun up: https://bitbucket.org/osrf/gzweb/src/ff44316fd3c5b415eb1ccd9aef519520d4bdc32a/start_gzweb.sh?at=default&fileviewer=file-view-default#start_gzweb.sh-26
Asked by chapulina on 2017-04-11 19:32:47 UTC
chapulina, that actually has me pointed in the right direction. I'll update this ticket once I get it all nailed down.
Asked by srees on 2017-04-12 11:38:51 UTC
It’s been a while since I experimented with this, so some fiddling with my instructions may be necessary. Enabling HTTPS with gzweb requires modifying three files:
1.) Modify gzweb/start_gzweb.sh:
Change this line:
./node_modules/.bin/http-server http/client &
to:
./node_modules/.bin/http-server -S -C [path to cert] -K [path to key] http/client &
Just replace the crt and key files with wherever you store yours. You may also need to set the -a option…? Not sure about that one. If you have a more recent copy of gzweb, there is a '-p $PORT' section of the command that can be left in place.
2a.) Modify gzweb/http/client/gz3d.js:
Change line 2112:
url : 'ws://' + location.hostname + ':7681'
to:
url : 'wss://' + location.hostname + ':7681'
Yes, it’s just adding an ’s’ to the protocol. For more recent versions of gzweb, I’m not sure of the location – check these:
- gz3d/build/gz3d.js:2234 (this could be generated by 2b below)
- gz3d/src/gziface.js:32 (most likely place)
2b.) Run gzweb/updateGZ3D.sh – this addresses code checking this change and minifying the JS again.
3.) Modify gzweb/gzbridge/ws_server.js:
Change line 4:
var http = require('http');
to: (putting your key and cert file locations in the appropriate spots)
var https = require('https');
var fs = require('fs');
// TLS private key and certificate, read once at startup
var options = {
  key: fs.readFileSync('yourkeyfile'),
  cert: fs.readFileSync('yourcrtfile')
};
Change line 32:
var server = http.createServer( function(request, response) {
to:
var server = https.createServer(options, function(request, response) {
That should about do it!
In our case, we are stuffing gzweb behind an F5, and it is handling the certificate for us. In this case, the only step I had to take was step 2.
Asked by srees on 2017-08-15 17:13:05 UTC
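As an added example (not part of the original answer and not gzweb code): instead of hard-coding `wss://` in step 2, the client can derive the scheme from the page's own protocol, and a simplified mixed-content check shows which step is still missing for a given deployment. The function names and the `example.test` hosts are constructed; port 7681 is the one quoted in the answer.

```javascript
// Added example, not gzweb code. Port 7681 and the ws/wss schemes come from
// the answer above; function names and sample hosts are constructed.

// Pick the bridge scheme from the page that loaded gz3d.js, so the same file
// works over plain HTTP, with -S on http-server, or behind a TLS terminator.
// `loc` is window.location in the browser, or any URL object.
function bridgeUrl(loc, port = 7681) {
  const scheme = loc.protocol === 'https:' ? 'wss://' : 'ws://';
  return scheme + loc.hostname + ':' + port;
}

// Simplified mixed-content rule: a document served over https: may not embed
// http: frames or open ws: sockets; an http: document is not restricted.
function isMixedContent(documentUrl, resourceUrl) {
  const doc = new URL(documentUrl);
  const res = new URL(resourceUrl);
  if (doc.protocol !== 'https:') return false;
  return res.protocol === 'http:' || res.protocol === 'ws:';
}

// Report which parts of an embedded gzweb deployment the browser would block:
// the iframe (checked against the parent page) and the bridge socket
// (checked against the gzweb page inside the iframe).
function auditEmbed(parentPage, iframeUrl, socketUrl) {
  const blocked = [];
  if (isMixedContent(parentPage, iframeUrl)) blocked.push('iframe');
  if (isMixedContent(iframeUrl, socketUrl)) blocked.push('websocket');
  return blocked;
}

// Constructed sample deployment.
const parent = 'https://portal.example.test/';
const viewerHttp = 'http://sim.example.test:8080/';
const viewerHttps = 'https://sim.example.test:8080/';
const hardCoded = 'ws://sim.example.test:7681';

// Original problem: HTTPS parent page, plain-HTTP viewer.
console.log(auditEmbed(parent, viewerHttp, hardCoded));
// Step 1 applied, step 2 skipped: the viewer loads, the bridge socket does not.
console.log(auditEmbed(parent, viewerHttps, hardCoded));
// Scheme derived from the viewer's own location: nothing blocked.
console.log(auditEmbed(parent, viewerHttps, bridgeUrl(new URL(viewerHttps))));
```

With a derived scheme, the same `gz3d.js` serves both the direct-TLS setup from steps 1 to 3 and the load-balancer setup where only step 2 was needed.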
Comments