Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove SSL cert for localhost #374

Merged
merged 1 commit into from
Jan 20, 2021
Merged

Remove SSL cert for localhost #374

merged 1 commit into from
Jan 20, 2021

Conversation

pinkwah
Copy link
Contributor

@pinkwah pinkwah commented Jan 12, 2021

This PR removes SSL certification creation and usage when running webviz in localhost mode. This makes it HTTP-only for localhost with no HTTPS option.

It isn't complete in the sense that we still have to consider all cases. To my knowledge, the industry standard within web applications is to have the application (webviz) only do things using HTTP, and let a reverse proxy deal with HTTPS. I'm not entirely sure how this applies to Azure, but I imagine a similar thing is true there. That means that our use of flask-talisman (the security hardening addon for Flask) should perhaps not be as strict.

This should also be documented somehow. The workflow of our users depends on there existing certificates.

Resolves #332
Resolves equinor/webviz-ert#87

@pinkwah pinkwah force-pushed the remove-cert branch 2 times, most recently from a17196e to 178637f Compare January 13, 2021 10:08
@pinkwah
Copy link
Contributor Author

pinkwah commented Jan 19, 2021

The current changes are:

  • Talisman only has forced-HTTPS disabled
  • webviz certificate is a dummy command that sys.exit(0) (gracefully and will continue to work in scripts)
  • Added documentation about HSTS in the introduction.md
  • When starting a localhost browser, inform the user about potential problems on HSTS

@pinkwah pinkwah requested a review from asnyv January 19, 2021 09:24
@asnyv
Copy link
Collaborator

asnyv commented Jan 19, 2021

Is it safe to have force-https disabled also when not running localhost @dotfloat? 🤔

@pinkwah
Copy link
Contributor Author

pinkwah commented Jan 19, 2021

In my experience, the web application runs behind a reverse proxy. nginx or Apache httpd if you're hosting it yourself. On Azure, I think the correct way to deploy applications is by having them with no protocol-level security and let the platform deal with the rest. Ie, Azure should be the one to force HTTPS, not the application.

My reasoning is that I know that you can specify/buy SSL keys on Azure, and then it doesn't make sense to have the webapp deal with HTTPS, but Azure magically know how to inject SSL keys into the black box that is your web program.

I might be very wrong though, but I reckon this is something that needs to be brought up with security.

FWIW, all of my web development experience comes from using Ruby on Rails, which could've been forcing HTTPS in a smart but transparent way that I've never noticed.

@pinkwah pinkwah force-pushed the remove-cert branch 2 times, most recently from 7ba8877 to 14681a2 Compare January 20, 2021 10:13
asnyv
asnyv reviewed Jan 20, 2021
View reviewed changes
webviz_config/command_line.py Outdated
@@ -175,3 +175,14 @@ def entrypoint_schema(args: argparse.Namespace) -> None:
args = parser.parse_args()

args.func(args)


def _dummy_create_ca() -> None:
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The set_defaults sends the arguments to the function, currently fails.

Suggested change
def _dummy_create_ca() -> None:
def _dummy_create_ca(_: argparse.Namespace) -> None:

@asnyv
Copy link
Collaborator

asnyv commented Jan 20, 2021

One thing to fix since webviz certificate commands crashes due to too many arguments given to _dummy_create_ca.
Otherwise it looks good to me @dotfloat 😊🎉

@pinkwah
Copy link
Contributor Author

pinkwah commented Jan 20, 2021

Fixed. webviz certificate --auto-install and co works as intended. 👍

@pinkwah pinkwah force-pushed the remove-cert branch 3 times, most recently from 1c4d86a to 5800d39 Compare January 20, 2021 13:26
@pinkwah
Remove SSL cert for localhost
26c4609 
This commit removes SSL certification creation and usage when running
webviz. The onus is on the process that connects to the internet to
handle HTTPS, eg. Azure's firewall.
asnyv
asnyv approved these changes Jan 20, 2021
View reviewed changes
Copy link
Collaborator

@asnyv asnyv left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🚀 Thansk a lot @dotfloat 🎉👍

@asnyv asnyv merged commit a1cd67d into equinor:master Jan 20, 2021
@pinkwah pinkwah deleted the remove-cert branch January 20, 2021 13:59
@asnyv asnyv mentioned this pull request Jan 20, 2021
Closed
This was referenced Jan 22, 2021
Closed
Closed
@asnyv asnyv mentioned this pull request Mar 23, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@asnyv asnyv asnyv approved these changes

@anders-kiaer anders-kiaer Awaiting requested review from anders-kiaer

@HansKallekleiv HansKallekleiv Awaiting requested review from HansKallekleiv

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Authentication issue on webviz localhost https
3 participants
@pinkwah @asnyv @anders-kiaer