I am a newbie at play, and I am trying at least to use HTTPS on a login and sign up pages in order to have more security on sensitive user data.
I have a range of questions regarding this:
I have configured my play application to use https on the application.conf file with the https.port property. However in my development environment I cant seem to start the server with https capability unless I use the command: play -Dhttps.port=<port>
Why does this happen? I would think that I could use a dev.conf (right now is the application.conf) file in order to do this. Can't I start the server in dev mode while using this kind of settings specified on the configuration file?
Although I start the server with https capabilities, what is the correct way to use https on play? I already created a java key store that I use, and tried to redirect (from a controller) requests to a https url using redirect(securedIndexCall.absoluteURL(request, secure)). But it does not seem to work at least on my dev enviroment (localhost). The logs specify exceptions like:
java.lang.IllegalArgumentException: empty text
java.lang.IllegalArgumentException: invalid version format: M¥å/=<junk characters continue>
Should I use https on the whole application, or just securing the login and sign up requests is sufficient?
I feel the official documentation provided is rather insufficient and I am at a loss here trying to figure out how I should do this.
Any help would be really appreciated!
I agree with Fernando, I think it's easier to set up a front end web server. In my case I used Lighttpd and it was fairly straightforward to set up. I'd recommend:
Configure Lighttpd as per these instructions (at this stage, don't worry about HTTPS just get HTTP working): http://www.playframework.com/documentation/2.3.x/HTTPServer
Then configure HTTPS in Lighttpd: http://redmine.lighttpd.net/projects/1/wiki/HowToSimpleSSL. If you intend on buying an SSL certificate then there will be a few more options to set (e.g. intermediate certificate). The following page has more information: http://redmine.lighttpd.net/projects/1/wiki/Docs_SSL
Answers to your main questions:
1) Enabling HTTPS in Play
Yes, you have to explicitly say you want to use HTTPS when starting up
http://www.playframework.com/documentation/2.3.x/ConfiguringHttps
2) The "java.lang.IllegalArgumentException" error message
There might be an issue with the keystore. This SO article seems to discuss in more detail: Play framework 2.2.1 HTTPs fails on connection attempt
3) SSL for login page or whole app
Personally, I would go for the whole app. If you're taking the time to set up HTTPS I think you might as well cover the whole site. I guess there are slight performance overheads in running HTTPS but realistically it's not something you'd notice.
You should use a front end server for HTTPS, and use HTTPS for the whole application.
Please see Setting up a front end HTTP server and see the commented out nginx settings.
Related
I've setup a functional Cloudflare Worker via its route and domain and am using the Worker playground and the quick editor to avoid a deployment.
However, when developing locally I cannot make a request to the worker and get a CORs error.
I’ve read all the docs and implemented most CF security features within Zero Trust. However, nothing is getting us access to our deployed Worker due to strict CORs rules. (which we want)
On my machine I am routing through WARP and it is configured for my
team name.
I have installed and configured a root access certificate, perhaps
not applicable to this issue.
I have also tried to manually auth by visiting the worker URL and
getting a login code emailed to me. Perhaps CF Access is not related
to Workers?
We need clarification because the docs do not clearly explain the flow for access to Worker URLs when working on localhost.
Community question here.
How do we develop apps with Workers and strict CORs by authenticating a computer or user?
I think you can use Transform Rules for set/remove/update CORS.
It should work for you, because according to traffic sequence diagram header modifications performs before workers.
The Interactive Borker (IB) has a setting for the proxyRemoteHost which is like this "ib.abcd.com". This config won't work unless it's changed to "X.ib.abcd.com", where X = [1-5]. We need to specify a server to make it to work. Although this looks good for DEV purpose, in product we don't wanna specify the server instead use the base URL.
The Interactive Broker team has been troubleshooting this issue for a while and not able to pin point any reason. I really appreciate if anyone can help me understand probable causes behind this issue, so I can give more input for the relevant team to fix this issue. I can't add the logs due to some sensitive information in them. In logs, we can see the SSO authentication always fails while using proxyRemoteHost setting as base URL ("api.abcd.com") but works when we specify a server ("X.api.abcd.com"). No further info in the logs that mentions any reasons behind the failure.
We have tested this on latest Chrome and Firefox with CORS enabled. Also, once in a blue moon, it works fine with the base URL which totally surprises me.
How to disable the web security in Firefox or how to solve CORS issue in Firefox during development?
Things tried but did not work:
The option of filtering in "about:config" and setting the "security.fileuri.strict_origin_policy=false" doesn't work
Tried few add-ons like "CORS-Everywhere" (https://addons.mozilla.org/en-US/firefox/addon/cors-everywhere/). Doesn't work.
How to disable the web security in firefox
Don't. It gives unrealistic results for testing.
how to solve CORS issue in Firefox during development
Ideally: Create a development environment that is just like the live environment.
The server side code will, at some point, need development work performed on it. Your team will need the ability to create a development server with test data in it for that. Use the same development server for working on the client side code.
That way you can do you development work:
without making test calls to the live server (so you never need fake test users doing fake actions on the live server with the risk that test data will escape somewhere end users will see it).
without cross origin issues (because your development server for your client side code will be the same as the development server for the URL you are requesting)
able to use relative URLs
with a browser that acts like the browsers used by end users
As a quick and dirty hack which doesn't have most of the benefits of using a proper test environment: Use a proxy server that maps requests to the same origin as your development environment to the live environment.
I used Charles proxy for that before I moved to having proper development environments.
I have the following problem to solve:
I few months ago I startet a website where you can watch youtube videos which aren't available in your country. Everythings works fine but now I want to offer a new method where I route all the requests directly over my server. Therefore I will later use a custom DNS-Server. Right now I use the hosts file for testing but I have really no idea how i can identify the user. I can promp the user user to login on a website but I will that it works systemwide so if he use a youtube downloader for example it have to work there either and not only in the browser where I could use a session system with cookies. I want a solution where the user can identify himself once in a time like a website or something like this but how can my server detect if this is a user which is logged in or if he is not?
There are several ways that this could be accomplished with varying levels of difficulty.
standard proxy server over https. Your service could simply be a proxy server and then every "client" would update their browser to point to your proxy server. You could also simplify this by using a proxy PAC file (proxy auto config).
An anonomyzing interface. The end user would not be able to use their standard search tools etc, instead they would have to use a web page much like what google translate does.
A browser plugin. There are already firefox plugins which do something similar to this. They change the way that the browser resolves DNS. This may be the best bet for you but would require development work.
An actual install utility that you have your users install on their machines which update the dns servers.
I'm using the AJAX Test Server in Rational Application Developer. I'm posting a form to another host for authentication. That host takes a URL to redirect to after authentication. However, it insists on using HTTPS whenever it sends the 302 response. The low hanging fruit would be to just use HTTPS locally.
Looking at the launch configuration, the AJAX Test Server appears to be a custom Apache HttpCore server. I haven't spotted anything in the configuration guide.
Is there a way to access this test server via HTTPS?
This is for demo and local development purposes; not production.
Speaking from working with WAS (WebSphere Application Server) in RAD, I'm pretty sure the answer would be yes. The server (at least with WAS) has both secure and "unsecure" ports.
What I have noticed is that when the server is built with the install (at least with the newer versions of the products 7.5+), the ports used are different per install. This is to help with not conflicting with other applications that may use those ports.
So https is probably fine. You just may have to use it over port 302 or some other port.
If there is no admin console for viewing your ports, you could always try the Window | Preferences option under your menu items. Sometimes IBM hides server config stuff in there.