
HTTPS support #8

Closed
rileyinman opened this issue Jun 19, 2020 · 14 comments

Comments

@rileyinman

I'm unsure how difficult a feature this would be to implement, but it would be nice to have the option of using HTTPS. I reverse proxy all my network services in order to use my domain's SSL certificate, but can't do that for the pisugar interface because it loads an insecure websocket.

@fengyc
Member

fengyc commented Jun 22, 2020

A good use case. The ws URL is assembled in the frontend, see:

const defaultHost = localStorage.getItem('webSocketAddress') || `ws://${window.location.hostname}:${defaultWsPort}`
const webSocketHost = process.env.NODE_ENV === 'development' ? 'ws://192.168.100.201:8422' : defaultHost

Change ws to wss, then build the web UI, and replace the default web UI in /usr/share/pisugar-server/web. Add a reverse proxy rule; nginx (or another proxy) will set up a tunnel between the wss request and the pisugar backend server.

It might be better to add an HTTP API feature, I suppose. It is not easy to set up a reverse proxy with the current stream API.
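The frontend snippet quoted above hard-codes the `ws://` scheme, which is exactly what breaks once the UI is served through an HTTPS proxy: a page loaded over `https:` is not allowed to open a plain `ws://` socket (mixed content), so the scheme has to follow the page's own scheme. The following is an added example, not the PiSugar project's code; it keeps the `webSocketAddress` localStorage key and the `defaultWsPort` name from the snippet, and takes a `window.location`-like object as a parameter so it can also run under Node.

```javascript
// Added example (not the PiSugar project's own code): derive the WebSocket
// scheme from the page's scheme so the UI works both when served directly
// over HTTP and when served through an HTTPS reverse proxy.

// location: a window.location-like object ({ protocol, hostname, host }).
// storedAddress: the optional 'webSocketAddress' override from localStorage.
function buildWebSocketUrl(location, defaultWsPort, storedAddress) {
  const pageIsSecure = location.protocol === 'https:';
  if (storedAddress) {
    // An explicit override wins, but an HTTPS page cannot open ws://, so an
    // override with the wrong scheme is rejected instead of failing silently
    // in the browser console later.
    const u = new URL(storedAddress);
    if (pageIsSecure && u.protocol !== 'wss:') {
      throw new Error(`refusing insecure WebSocket ${storedAddress} from an HTTPS page`);
    }
    return u.toString();
  }
  const scheme = pageIsSecure ? 'wss' : 'ws';
  return `${scheme}://${location.hostname}:${defaultWsPort}`;
}

// Same idea for a /ws endpoint integrated into the HTTP port (assumed layout,
// not taken from the project): reuse the page's scheme and host, so no
// separate WebSocket port has to be exposed or proxied.
function buildIntegratedWsUrl(location) {
  const scheme = location.protocol === 'https:' ? 'wss' : 'ws';
  return `${scheme}://${location.host}/ws`;
}

// Browser usage, guarded so the file also loads under Node.
if (typeof window !== 'undefined') {
  const url = buildWebSocketUrl(window.location, 8422, localStorage.getItem('webSocketAddress'));
  console.log('connecting to', url);
}
```

With this, a direct `http://pi:8421` visit still gets `ws://pi:8422`, while the same build behind `https://pisugar.domain` asks for `wss://pisugar.domain:8422` and the proxy only has to terminate TLS.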

@rileyinman
Author

rileyinman commented Jun 22, 2020

Unfortunately I don't think it works that easily, as it's giving me errors about the websockets not having a valid SSL certificate. I think some services get around this by having a self-signed certificate they distribute, but I'm not sure.

@fengyc
Member

fengyc commented Jun 23, 2020

What does the reverse proxy rule look like? That might help.

The pisugar server has no self-signed certificate. Could you debug the ws connection with postwoman https://postwoman.io/realtime ?

@rileyinman
Author

rileyinman commented Jun 23, 2020

Here's what my nginx rule looks like:

server {
        listen 0.0.0.0:80 ;
        listen [::]:80 ;
        server_name pisugar.domain ;
        location /.well-known/acme-challenge {
                root /var/lib/acme/acme-challenge;
                auth_basic off;
        }
        location / {
                return 301 https://$host$request_uri;
        }
}
server {
        listen 0.0.0.0:443 ssl http2 ;
        listen [::]:443 ssl http2 ;
        server_name pisugar.domain ;
        location /.well-known/acme-challenge {
                root /var/lib/acme/acme-challenge;
                auth_basic off;
        }
        ssl_certificate /var/lib/acme/domain/fullchain.pem;
        ssl_certificate_key /var/lib/acme/domain/key.pem;
        ssl_trusted_certificate /var/lib/acme/domain/fullchain.pem;
        location / {
                proxy_pass http://host.domain:8421;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-Host $host;
                proxy_set_header X-Forwarded-Server $host;
                proxy_set_header Accept-Encoding "";
        }
}

server {
        listen 0.0.0.0:8422 ;
        listen [::]:8422 ;
        server_name pisugar.domain ;
        location / {
                proxy_pass http://host.domain:8422;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $connection_upgrade;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-Host $host;
                proxy_set_header X-Forwarded-Server $host;
                proxy_set_header Accept-Encoding "";
        }
}

The debug console gives me an error of ERR_SSL_PROTOCOL_ERROR attempting to connect to the console, and https://postwoman.io/realtime simply gives:

@ 10:51:31 PM	ℹ️ [INFO]:	An error has occurred.
@ 10:51:31 PM	ℹ️ [INFO]:	
@ 10:51:32 PM	ℹ️ [INFO]:	Disconnected from wss://pisugar.domain:8422

@fengyc
Member

fengyc commented Jun 24, 2020

SSL configuration is missing in the 3rd server rule, fix it and try again.

server {
        listen 0.0.0.0:8422 ;
        listen [::]:8422 ;
        server_name pisugar.domain ;
        <ssl...>
        <ssl...>
        location / {
                proxy_pass http://host.domain:8422;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $connection_upgrade;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-Host $host;
                proxy_set_header X-Forwarded-Server $host;
                proxy_set_header Accept-Encoding "";
        }
}

@rileyinman
Author

I added the ssl configuration, and still get ERR_SSL_PROTOCOL_ERROR from the wss connection. The postwoman.io output is the same as before.

@fengyc
Member

fengyc commented Jun 25, 2020

Try the latest build https://github.com/PiSugar/pisugar-power-manager-rs/releases/tag/latest . We don't need a standalone websocket port anymore; it has been integrated into http (/ws). This should fix the problem.

@rileyinman
Author

@fengyc Thanks! Sorry it took me a bit to get back to you. Unfortunately, it looks like the new build has some issues.

  • For some reason accessing the UI directly (https://hostname:8421) using Firefox doesn't work, but it does with Chrome. Firefox gives the error Firefox can’t establish a connection to the server at ws://hostname:8421/ws.
  • Loading the (insecure) reverse proxy on either browser fails. The log gives this error: WebSocket connection to 'ws://pisugar.domain/ws' failed: Error during WebSocket handshake: Unexpected response code: 400.
  • Loading the secure reverse proxy fails with the same error, but for wss://pisugar.domain/ws instead.

@fengyc
Member

fengyc commented Jun 27, 2020

Yeah, that is a bug, see 1tgr/rust-websocket-lite#85 . Need to wait for their updates.

@rileyinman
Author

Ah, good to know. What about the reverse proxy failing though? It doesn't work in either browser.

@fengyc
Member

fengyc commented Jun 27, 2020

Try this

server {
    <...>
    <...>
    location / {
        <...>
    }
    location /ws {
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_pass http://<host>:8421;   # Same host and port as http
        proxy_set_header Host $http_host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

@rileyinman
Author

That worked perfectly, thank you! It even gets around the rust-websocket-lite bug 🙂

@rileyinman
Author

rileyinman commented Jun 27, 2020

Should I leave this open until that bug is closed though? Since it breaks direct access this is probably something that should wait for a release like you said.

@fengyc
Member

fengyc commented Jun 27, 2020

Leave this open. We will keep track of the websocket bug.

@fengyc fengyc closed this as completed in 7e6503e Jun 28, 2020