Force SSL by default #1768
Comments
Also, as discussed, maybe if the site URL has https:// in it then we could force SSL by default. But for sure we need a toggle.
@geekgonecrazy Maybe add the
Going to tack on intermediate. Because I assume easy, but it might throw a curve ball :)
Meteor won't handle the SSL directly, the NGINX or other reverse proxy will do that. I think it makes more sense to configure the redirect there (like we do on the demo server) rather than on the app level. It's far more effective/secure and much faster.
@engelgabriel agree with you there, the reverse proxy should handle the SSL connection termination and can force all http to https easily (as well as secure numerous other web security issues).
@Megatronic79 Will this also apply to the mobile apps?
It will apply to ALL connections.
The mobile apps connect to the same endpoint as the web services; if the reverse proxy is set to force all http to https then all traffic will be encrypted.
Nevertheless, this is something that should be apparent in the tutorial. I found no mention of this before I deployed my instance to Heroku. Not forcing SSL is a big privacy and security risk IMO.
Agree. Maybe you can document this and issue the PR.
@vargasbo How would one document this? I'd prefer a script that does this automatically, if this is possible to achieve, that is.
You can create a new wiki page (how to force SSL), add your 2 cents, and then link to the existing wiki page.
SSL and reverse proxy is already part of the wiki here: https://github.com/RocketChat/Rocket.Chat/wiki/Run-Rocket.Chat-behind-a-SSL-Reverse-Proxy I guess a step on the Heroku page needs to point to this with a security note.
I am not sure how you'd configure it at Heroku. They rely on the app to do that. So we may have to implement something on our side to support it at all.
On Heroku ... https://devcenter.heroku.com/articles/ssl-endpoint ... might have websocket or sticky session problems?
@Sing-Li I've seen the article, but didn't find anything about forcing the SSL... from what I understand, they expect the app to do the redirect.
I also think that it is not the role of a Meteor application to handle http to https redirection. The Anyway even if the
Perhaps add Nginx to front-end Rocket.Chat on Heroku? https://github.com/ryandotsmith/nginx-buildpack
And maybe the docker-compose could also have a Nginx proxy? Although IIRC docker-compose doesn't advertise itself as ready for production use, so I'm not sure if there is a clean way to install and update a full stack of containers (database, application, Nginx proxy) on production with it.
@mquandalle A deployment guide exists for rocketchat using docker-compose and nginx (SSL): https://github.com/RocketChat/Rocket.Chat/wiki/Docker---Ubuntu-with-Nginx-SSL-and-Hubot although you're right about the non-production warning with docker-compose at the moment. I've banged on my docker-compose deployments as much as possible, never a problem. As for nginx https rewrites, in general, the official method for having nginx force http connections to https is to use the
source: http://nginx.org/en/docs/http/converting_rewrite_rules.html edit: removed cloudflare info
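For reference, a proxy-level redirect of the kind the comments above describe, as an added example that is not from the thread or the Rocket.Chat wiki; the hostname, certificate paths and the upstream port 3000 are placeholders/assumptions.

```nginx
# Added example: nginx in front of Rocket.Chat, forcing plain-HTTP to HTTPS
# at the proxy so the app itself never has to handle the redirect.
server {
    listen 80;
    server_name chat.example.com;
    # Permanent redirect to the configured server name (not the client's Host
    # header) so a spoofed Host cannot turn this into an open redirect.
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name chat.example.com;
    ssl_certificate     /etc/ssl/PLACEHOLDER/fullchain.pem;
    ssl_certificate_key /etc/ssl/PLACEHOLDER/privkey.pem;

    location / {
        # Assumed upstream: the Meteor app listening on localhost:3000.
        proxy_pass http://127.0.0.1:3000;
        proxy_http_version 1.1;
        # Needed for the websocket/DDP connection the web and mobile clients use.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        # Tells the app the original scheme so it can build https:// links.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```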
Just because Rocket.Chat is the most popular button at Heroku (see https://elements.heroku.com/), should we try to implement something like https://github.com/kfatehi/meteor-my-force-ssl but make it ONLY triggered/installed if the administrator turns it on in the admin panel? What do you think @RocketChat/core ?
(Ah, Wekan is on the list! I wasn't aware of that at all!)
From the top 5, 3 are Meteor apps :)
@engelgabriel I agree with this. Heroku users will have no idea about this issue otherwise and will deploy without knowledge.
* develop: (67 commits)
    Remove toUpperCase from emojione popup config; Fixes #1955
    Make oembed parse title in ungreedy form
    Display time based on locale instead of using fixed 24h format
    Fix audio-recorder not stopping. Closes #1941.
    Sort room files by uploadedAt. Closes #1932
    Allow multi-line title on oembed
    Add some logs
    Fallback LDAP login to local account if LDAP fails
    Add connections status bar to login page
    Created and pushed by LingoHub. Project: 'Rocket.Chat' by User: '[email protected]'.
    send correct content-type for livechat. fixes #1951
    Fix redirect exceptions
    Add i18n strings
    Close #1768; Force SSL
    Close #1925; Add options to enable TLS on LDAP
    Improve admin disbleQuery
    Close #1923; Prevent errors update outgoing webhooks with empty channel
    Fix overlapping windows
    Add Raspberry Pi support announcement
    Updated base.less to use 480x270
    ...
Currently there is no way to force clients to connect via SSL, making communication insecure by default.
I'm not sure how this would be implemented, though I know of this meteor package that forces SSL, which might help.
And as @geekgonecrazy has pointed out to me: A toggle might be useful during the initial setup.