fix INSECURE_USE_HTTP for people with nginx or apache

[PieterGit]

reported by @viq
see https://gitter.im/nightscout/public?at=5bff2215e25cc274055be745

[zehnBE]

i got in xDrip with nginx and my.env Setting:
INSECURE_USE_HTTP=true
SECURE_HSTS_HEADER=false

and error:
x - - [29/Nov/2018:14:21:58 +0100] req_time=0.054 "POST /api/v1/entries HTTP/1.1" 405 88 "-" "okhttp/3.10.0" "-"

[zehnBE]

mhhh, but the BG values from xDrip comes in (the timestamp on last BG update was updated) and:
nightscout output:
WS: emitted notification to all clients
2018-11-29T13:37:00.613Z EMITTING NOTIFICATION:
{"level":"Info","title":"Bolus-Kalkulator","message":"BG: 124 (Manual)\nKohlenhydrate: 40g\nInsulin: 4.25U","group":"default","plugin":"treatmentnotify"}
WS: running websocket.update
delta changes found on sgvs
lastData full size 1252032 bytes
patientData update size 227 bytes
WS: running websocket.emitData 1543498619476
tick 2018-11-29T13:37:36.972Z

And the current Glucose Value (BG) is showing on nightscout.

[sulkaharo]

This is case sensitive, boolean checks should at least do case insensitive comparison

[viq]

Here's my logs, you can see where I updated, and where I applied the above fix:

 [29/Nov/2018:00:09:06 +0100] "POST /api/v1/entries HTTP/2.0" 200 66 "-" "okhttp/3.10.0"
 [29/Nov/2018:00:09:07 +0100] "POST /api/v1/devicestatus HTTP/2.0" 200 130 "-" "okhttp/3.10.0"
 [29/Nov/2018:00:09:07 +0100] "POST /api/v1/devicestatus HTTP/2.0" 200 120 "-" "okhttp/3.10.0"
 [29/Nov/2018:00:09:07 +0100] "POST /api/v1/activity HTTP/2.0" 200 129 "-" "okhttp/3.10.0"
 [29/Nov/2018:00:14:07 +0100] "POST /api/v1/entries HTTP/2.0" 302 59 "-" "okhttp/3.10.0"
 [29/Nov/2018:00:19:06 +0100] "POST /api/v1/entries HTTP/2.0" 302 59 "-" "okhttp/3.10.0"
 [29/Nov/2018:00:24:06 +0100] "POST /api/v1/entries HTTP/2.0" 302 59 "-" "okhttp/3.10.0"
 [29/Nov/2018:00:29:06 +0100] "POST /api/v1/entries HTTP/2.0" 405 88 "-" "okhttp/3.10.0"
 [29/Nov/2018:00:34:06 +0100] "POST /api/v1/entries HTTP/2.0" 405 88 "-" "okhttp/3.10.0"
 [29/Nov/2018:00:39:13 +0100] "POST /api/v1/entries HTTP/2.0" 405 88 "-" "okhttp/3.10.0"
 [29/Nov/2018:00:42:43 +0100] "POST /api/v1/entries HTTP/2.0" 405 88 "-" "okhttp/3.10.0"
 [29/Nov/2018:00:44:06 +0100] "POST /api/v1/entries HTTP/2.0" 405 88 "-" "okhttp/3.10.0"
 [29/Nov/2018:00:49:06 +0100] "POST /api/v1/entries HTTP/2.0" 405 88 "-" "okhttp/3.10.0"

[PieterGit]

@viq @zehnBE @CareGo: I think the 405 come from the removal of svgdata.
See code changes here https://github.com/nightscout/cgm-remote-monitor/pull/4091/files#diff-3c067b7aa6880d3dd055f362d1e604b8R175 I think xdrip doesn't sent it as json, but as text or csv.

Can you try to see what is being uploaded?

Workaround is to use master or to use dev from october 16th https://github.com/nightscout/cgm-remote-monitor/tree/f64f6951f4cb0aca34519f71e16239a54c93c94a (the commit before I upgraded event-stream that has vulnerability https://gitter.im/nightscout/public?at=5bff1f5de25cc274055bd90d )

@sulkaharo : can you also have a look. I will be at work in a training all day.

[jamorham]

xDrip sends sensor glucose json data via POST to /api/v1/entries
with Content-Type: application/json; ; charset=utf-8 that looks like:

[{"device":"xDrip-Follower","date":1543582792383,"dateString":"2018-11-30T12:59:52.383+0000","sgv":149,"delta":-2.438,"direction":"Flat","type":"sgv","filtered":100624,"unfiltered":94400,"rssi":100,"noise":1,"sysTime":"2018-11-30T12:59:52.383+0000"}]

[viq]

Yeah, I just finally managed to convince tcpdump and tshark to show me that indeed there's JSON in those requests.

[viq]

#4106 may potentially contain a fix. At least uploads work for me now, thogh xdrip seems to complain about downloads now?