Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Serve over HTTPS #122

Open
mgatto opened this issue Jul 14, 2023 · 2 comments · May be fixed by #123
Open

Serve over HTTPS #122

mgatto opened this issue Jul 14, 2023 · 2 comments · May be fixed by #123

Comments

@mgatto
Copy link

mgatto commented Jul 14, 2023

Feature Request

Motivation Behind Feature

In some development environments, an API is served over SSL via the protocol https. Communicating with that API from a Cordova browser instance on a developer's machine is very efficient work flow. However, modern browsers disallow cross-origin communications between insecure and secured servers. In this case, the secured server is the API, and the insecure server is the current cordova-browser instance served with Node's http module. This is because it is always served without SSL.

I do not intend for this to be used in production environments, though there is no encoded limitation on its usage within this proposal.

Feature Description

A new option --https would be added to the command cordova run browser --> cordova run browser --https. The default option is false.

When this option is present, the node module https will be used to construct the server. The server accepts a keyfile and certificate, whose provision is the responsibility of the user.

When this option is not present, the current node module http is used. Also, the projectURL used in opening a browser window likewise switches based on the --https option.

A user choosing this option is most likely to see a warning page in the browser while opening the Cordova browser index.html. They merely need to accept the warning to continue onwards to their Cordova project's index page.

#89 first proposed this, but was rejected and is currently closed. I have implemented this locally, and it works well.

Alternatives or Workarounds

Exposing the API over non-secure http is an alternative. In my context, this was rejected strongly for security reasons, especially relating to corporate security accountability programs.

The second is that a developer independently hacks their local cordova installation to enable https. This is suboptimal since upgrading becomes a hassle, requiring careful VCS audits to restore erased, custom code.
@mgatto mgatto mentioned this issue Jul 14, 2023
Open
mgatto added a commit to mgatto/cordova-browser that referenced this issue Jul 14, 2023
@mgatto
apacheGH-122 browser: permit serving over https
857821c
This was referenced Jul 14, 2023
Closed
Open
@breautek
Copy link
Contributor

I don't think it's really as simple as throwing in a --https flag. Using the HTTPS module is one thing, but it also needs a key/certificate pair. That could potentially be generated on the fly when the platform is created/added for as long as using self signed certificates is acceptable (which should be if this is purely used for development/local testing).

Normally I'd suggest using a reverse proxy server. The 2 common web server engines are Apache and NGINX and they both have reverse proxy capabilities and isn't too difficult to setup. The overall concept is that you connect to a webserver, which has SSL configured, and it terminates the SSL and forwards the connection to the node server.

I'm not familiar with Apache myself, but a minimal NGINX configuration would look something like:

server {
    listen 0.0.0.0:443 ssl http2;

    server_name dev.example.com 127.0.0.1;

    # could be a self-signed key
    ssl_certificate /etc/nginx/ssl/nginx.crt; 
    ssl_certificate_key /etc/nginx/ssl/nginx.key;

    location {
        proxy_pass http://127.0.0.1:8080; # this would be the node server.
    }
}

@mgatto
Copy link
Author

mgatto commented Jul 28, 2023

Yes, a reverse proxy is technically fine, but I think a two-step process takes away from the elegance of a single command line step with little setup.

Since cordova run browser already runs node's http, it makes sense to me to stay within that process instead of introducing another server.

To address the cert and key issues, I will add more args to designate the paths of those required files.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

GH-122 browser: permit serving over https mgatto/cordova-browser
2 participants
@mgatto @breautek