A web application i developed is sitting on a server that serves it under https, some of my js code requires to open a socket to another server (nodejs) who is currently not set for https. and thus browser wont allow it to run.
all i want is a simple way without getting involved with certificates just to initiate a https socket connection, i don't mind the lack of security,
just need app to run.
The certificates are not your problem. Your problem is CORS. You need to configure your server to answer with a header allows foreign-origin
res.header('Access-Control-Allow-Origin', 'example.com');
because in your case the technical difference between http (port 80) and https (443) is the port.
EDIT: ... I mean from the browsers point of view
Related
You can set up nginx to proxy a websocket connection between a browser and a server. Can nginx inspect the contents (perhaps using a technique similar to the way the auth_request module works for ordinary https urls) of the wss traffic. Why would this be necessary? For security purposes. Need to block bad requests on the web socket connection.
Note, in general there would be dozens of commands sent on any given connection.
I have a chrome extension which uses an externel socket.io server to connect clients together.
During development I was able to connect to the server via http://localhost:2087 just fine, but right now I need socket.io to work over HTTPS so I can access it from a browser tab being server by HTTPS.
I don't want to deal with certificates, and want to keep the code on the socket.io server mostly the same, so I want to proxy the IP for the server via Cloudflare and establish SSL like that.
But I haven't been able to, the socket.io server uses no other webserver, but I can change it to use the native NodeJS http or https libraries.
But I haven't been able to access the socket.io server via the Cloudflare proxy. Clouflare returns 522 errors, which means a connection timeout.
Apparantly flexible SSL only works with with ports 443->80
Other ports are not supported...
I have a website running on HTTPS which uses Prizmdoc API. The website makes call to the Prizmdoc API using "http://:3000", where 3000 is the port used by Prizmdoc API to accept the calls.
Since my website is running on HTTPS, this call is deemed insecure by browser. And there is no way for me to select HTTPS in Prizmdoc as far as I know.
I need to change the Prizmdoc API address to "https://:3000" instead.
I tried checking firewall settings, but there is no option to allow HTTPS connections for a specific port. I tried reinstalling the Prizmdoc API client to see if it allows using HTTPS, but no luck.
I also thought about using IIS url rewrite, but prizmdoc API is not even hosted on IIS. So, I am unable to figure out how is that API accepting the requests over port 3000, and how can I allow HTTPS calls to that port.
Other option that I can try is to serve HTTP requests instead of HTTPS, but I am not sure if it is possible in C#.
Since both my website and Prizmdoc API are hosted on the same server, it should be possible for the website to make calls to a different port using SSL. But simply put, I am out of ideas to try.
TL;DR
Website and a third party API running on same server. Website makes call to the API using IP address and the port. Browser thinks it is a mixed content request and blocks the same.
You might try this: set up a secure reverse proxy that listens for requests over HTTPS and then turns around and relays the requests to the port 3000. I have used this trick to secure an insecure API call. It should be good enough to pass the browsers' security checks as well.
Here are some IIS examples:
https://weblogs.asp.net/owscott/creating-a-reverse-proxy-with-url-rewrite-for-iis
https://blogs.msdn.microsoft.com/friis/2016/08/25/setup-iis-with-url-rewrite-as-a-reverse-proxy-for-real-world-apps/
In these instances, what happens? Does communication fall back to HTTP? I'm assuming that communication will either fail, or fallback, depending on the setup of the ssl-enabled destination server.
Example Case:
A plugin that is installed on Server A (which may or may not have SSL), communicates with an API that functions over HTTPS on Server B.
I think your question is not clear enough. Do you mean, with "a server without SSL", that
The server system has no kind of SSL software installed. In this case of course no SSL requests can be done from the server.
Or that the web server itself is only available by HTTP and not HTTPS, but there is a script on it which needs to access other hosts by HTTPS. In this case it can do these requests if the required software is installed on the server and if the target host is available by HTTPS and if no firewalls blocks the connections etc. Configuration of the web server itself has nothing to do what kind of requests programs on the web server can do.
I'm just setting up an SSL area of a website, and was just wondering... is it as simple as adding HTTPS on the url?
(this is presuming I have a valid certificate of the hosting company?)
Or is there something more to it?
Thanks.
You have to setup the server to allow ssl connections. That includes generating a signed server request. You send this CSR to the cert authority (Verisign etc), and they send you a cert to install on the server. If you are behind a firewall you need to open port 443.
If you don't control the server i.e. shared hosting, there is probably a page in your control panel to do it all for you using a GUI.
When you replace http: in a URL with https: you are asking your web browser to do two things:
To attempt an encrypted (SSL) connection
To change which port to use on the remote server if none is specified in the URL
Most web browsers use port 80 for unencrypted traffic and port 443 for encrypted traffic by default. So, the first thing you need is a web server that is listening on port 443. If you are using a hosting company, this is probably already the case or becomes the case when you configure SSL.
You do not have to use port 443 but that is where browsers will be looking when users do not specify a port. You could also force everybody that connects at port 80 to use SSL as well though with the right configuration. That means that ALL traffic to your site would be encrypted.
To get the encryption up and running you generally need three things: a certificate, an encryption key, and a server request (CSR).
How you configure these is extremely dependent on how you are hosting the web server. Most hosting companies have 'control panels' that you log into for configuration. Common ones are Plex and CPanel. If either of those ring a bell you can post more information to get a better answer.
If you are managing the server yourself the big question is whether you are hosting on Windows or Linux. If it is windows, you are most likely going to want to configure IIS (Internet Information Server) while if it is on Linux you are probably going to configure Apache.
If you are using IIS, this link might help:
http://www.petri.co.il/configure_ssl_on_your_website_with_iis.htm
If it is Apache, Byron gave a good link above:
http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html
You can use other web servers. For example, I use nginx:
http://rubypond.com/blog/setting-up-nginx-ssl-and-virtual-hosts
So, I guess the real step one is finding out more about your server. :-)
Once your web server has the SSL cert installed, it is as easy as using HTTPS on the URLs. There are some considerations to be aware of:
Port 443 must be open between the user and web server. (obvious)
Browser caching will be reduced to in-memory session cache and not stored on disk. Also, caching proxies in between will not be able to cache anything, since everything is encrypted. This means an increase in load times and bandwidth requirements of the web server.
When using HTTPS to receive sensitive data, be sure to disallow its use over HTTP. e.g. If you have a page that accepts credit card numbers in a POST, the app should fail validation if it was not done over HTTPS. This can be done in your code or in web server configuration. This prevents a bug or malware from systematically sending sensitive data in the clear without the user knowing.