switchable secure mode #97

Open
wants to merge 1 commit into
from

7 participants

@rusekr

Hello!
Want to add option for starting https with wss instead of http server with ws.

Minor changes - new feature. Some people may need this. For example we need secure websockets now for testing :)
Tried not to break coding style/modularization.
And big thanks for original :)

@dhruvbird
Owner

@rusekr Thanks for the PR.
However, is it possible for you to use nginx before the bosh proxy? nginx can be configured to terminate https (and hence wss).

The reason(s) that I'm reluctant to add https support is that:
1. node.js is single threaded, and performance will be impacted
2. the next thing people will want is gzip compression
3. these things are better handled by a software meant for an optimized to provide the above functionality (aka. nginx).

Would you consider using nginx before the bosh proxy? Is there something that the nginx based solution can't provide?

@rusekr

May be on production we'll be using nginx. But now nginx is still need to be installed and configured but https is already required. And having option to make https without additions seems not too bad for us :)

p.s.: May be nodejs performance is not too bad as it was earlier. Here http://habrahabr.ru/post/123154/ people succeed in testing 1 000 000 simultaneous connections to nodejs server.

p.p.s: Gzip - http://stackoverflow.com/questions/8880741/node-js-easy-http-requests-with-gzip-deflate-compression

@dhruvbird
Owner

Is it possible for you to use https://github.com/nodejitsu/node-http-proxy for testing? It seems easy(ier) to set up than nginx.

The test http://habrahabr.ru/post/123154/ uses the cluster module (hence not single threaded, whereas node-xmpp-bosh is single threaded) and only compares small http requests (not https or any processing involved). Because of all the processing overhead involved in a bosh server, typical QPS doesn't cross a few thousand.

Thanks for the gzip link! However, my concern is with the gzip CPU overhead instead of the easy of use (which I may add, node.js has been a champion of).

I wrote a post on scaling parts of your stack separately http://dhruvbird.blogspot.com/2011/03/scale-out-with-services-scale-services.html a while ago, and you would typically have more bosh proxy instances than nginx instances, and management is easier if the TLS certs are in one place (nginx or apache for example) rather than all over the place.

Is it possible for you to avoid https natively in the bosh proxy?

@mr-tron

If nginx is already used on server, it makes complete sense. But there is not good idea to add yet another system's element without strong reason. node-xmpp-bosh is equal in https-speed to nginx, but nginx is wasteful of made connections' memory. It's critically important for xmpp-server because of low traffic but lots of connections.
P.S. Sorry for my english.

@rusekr

Oh. Got it.

@dhruvbird
Owner

I have some more comments before I can get this in - will post in a bit.

@dhruvbird
Owner

I can buy the performance argument (wrt # of connections using more resources, etc...) as a valid reason to support https built-in.

@rusekr

Hello!
Just another variant. I will comment on all this and yours comments in about two hours (:

@rusekr

Hello, dhruvbird!
Check this version (1.3). Modified unit tests included. --secure parameter.
About ssl parameters and behaviour - all now checked as described in http://nodejs.org/api/tls.html#tls_tls_createserver_options_secureconnectionlistener . But some parameters differs as I commented in config as "For key, cert, pfx and ca you can use links to files here."

@rusekr

bump :)

@rusekr

Fixed priority of "--secure" run option. Now https works while configured in bosh.conf.js too..

@flekmatik

I am not sure why this isn't merged already. We are trying to use this library but current browsers (Chrome) won't permit insecured connections from https pages. Deploying another proxy just for one server when all of our other node servers use https just fine doesn't make much sense.

@mr-tron

Probably you try test without secured certificates: https://code.google.com/p/chromium/issues/detail?id=141839

@cervajs

+1 for merge

@HLFH

+1 for merge.

@dhruvbird

I'd love to see ECDHE here as the first option maybe?
There's a doc somewhere on the internet detailing the list of good/bad ciphers and the order to use them in. I'll try to bring that up.

@dhruvbird

minor: indentation??

@dhruvbird

Maybe add:

set -e
which openssl

# That will force the script to exit if openssl doesn't exist.

@dhruvbird

+1 for sync*() file system calls.

@dhruvbird
Owner

Looks good overall. Testing it out.

Working for us since pull request. No problems detected (:

@dhruvbird
Owner

I'm getting the following error (not sure if I'm doing it right)

  1. bash scripts/generate_cert.sh
  2. node run-server.js --secure --config=./bosh.conf.example.js

Output:

$ node run-server.js --secure --config=./bosh.conf.example.js
+----------------------------------------------------------------------------------------------------------------------------+
| Starting BOSH server 'v0.7.10' on 'https://0.0.0.0:5280/^\/http-bind(\/+)?$/' at 'Wed Apr 22 2015 12:38:43 GMT-0400 (EDT)' |
+----------------------------------------------------------------------------------------------------------------------------+

crypto.js:176
      c.context.loadPKCS12(pfx);
                ^
Error: not enough data
    at Object.exports.createCredentials (crypto.js:176:17)
    at Server (tls.js:1128:28)
    at new Server (https.js:35:14)
    at Object.exports.createServer (https.js:54:10)
    at new HTTPServer (/home/dhruvbird/node-xmpp-bosh/src/http-server.js:340:33)
    at Object.exports.createServer (/home/dhruvbird/node-xmpp-bosh/src/bosh.js:291:14)
    at Object.exports.start_bosh (/home/dhruvbird/node-xmpp-bosh/src/main.js:58:25)
    at main (/home/dhruvbird/node-xmpp-bosh/run-server.js:187:24)
    at Object.<anonymous> (/home/dhruvbird/node-xmpp-bosh/run-server.js:201:1)
    at Module._compile (module.js:456:26)
@rusekr

It can't found certificate file mentioned in --config=./bosh.conf.example.js

It has to be key and cert pair or one pfx file. (in this config it named ./cert/server.pfx).

You can interactively generate sample pfx certificate by runing:
"bash scripts/generate_cert.sh pfx"

or edit configuration file to use generated without "pfx" option key and crt pair.

Script puts it in ./cert directory.

Normally this file(s) given by certification authority or generated by you and signed with certification authority than it will be "green" in address bar in browser.

@sdebnath

Hey guys, any updates on this? The HTTPS option is required for any single page app (SPA) trying to communicate with the BOSH server if the app itself is served securely. Yes, the SSL terminating proxy ahead of the bosh should solve the issue, however this is a major PITA for dev/uat scenarios in startups where resources are already desperately low. Any help will be appreciated.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment