forked from SeleniumHQ/selenium
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
https between components (SeleniumHQ#7767)
Merging in support to run the standalone server and/or component parts of the server as https. Default is still http due to configuration pain. Note: none of the client bindings have been updated to communicate to a https server
- Loading branch information
1 parent
3936d4d
commit 0da3d6d
Showing
9 changed files
with
187 additions
and
29 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
88 changes: 88 additions & 0 deletions
88
java/server/src/org/openqa/selenium/grid/commands/security.txt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,88 @@ | ||
Selenium Grid by default communicates over HTTP. This is fine for a lot | ||
of use cases, especially if everything is contained within the firewall | ||
and against test sites with testing data. However, if your server is | ||
exposed to the Internet or is being used in environments with production | ||
data (or that which has PII) then you should secure it. | ||
|
||
Standalone | ||
|
||
In order to run the server using HTTPS instead of HTTP you need to start | ||
it with the `--https-private-key` and `--https-certificate` flags to | ||
provide it the certificate and private key (as a PKCS8 file). | ||
|
||
``` | ||
java -jar selenium.jar \ | ||
hub \ | ||
--https-private-key /path/to/key.pkcs8 \ | ||
--https-certificate /path/to/cert.pem | ||
``` | ||
|
||
Distributed | ||
|
||
Alternatively, if you are starting things individually you would also | ||
specify https when telling where to find things. | ||
|
||
``` | ||
java -jar selenium.jar \ | ||
sessions \ | ||
--https-private-key /path/to/key.pkcs8 \ | ||
--https-certificate /path/to/cert.pem | ||
``` | ||
|
||
``` | ||
java -jar selenium.jar \ | ||
distributor \ | ||
--https-private-key /path/to/key.pkcs8 \ | ||
--https-certificate /path/to/cert.pem \ | ||
-s https://sessions.grid.com:5556 | ||
``` | ||
|
||
``` | ||
java -jar selenium.jar \ | ||
router \ | ||
--https-private-key /path/to/key.pkcs8 \ | ||
--https-certificate /path/to/cert.pem \ | ||
-s https://sessions.grid.com:5556 \ | ||
-d https://distributor.grid.com:5553 \ | ||
``` | ||
|
||
Certificates | ||
|
||
The Selenium Grid will not operate with self-signed certificates, as a | ||
result you will need to have some provisioned to you from a Certificate | ||
Authority of some sort. For experimentation purposes you can use MiniCA to | ||
create and sign your certificates. | ||
|
||
``` | ||
minica --domains sessions.grid.com,distributor.grid.com,router.grid.com | ||
``` | ||
|
||
This will create minica.pem and minica.key in the current directory as well as | ||
cert.pem and key.pem in a directory `sessions.grid.com` which will have both | ||
distributor.grid.com and router.grid.com as alternative names. Because Selenium | ||
Grid requires the key to be in PKCS8, you have to convert it. | ||
|
||
``` | ||
openssl pkcs8 \ | ||
-in sessions.grid.com/key.pem \ | ||
-topk8 \ | ||
-out sessions.grid.com/key.pkcs8 \ | ||
-nocrypt | ||
``` | ||
|
||
And since we are using a non-standard CA, we have to teach Java about it. To do that | ||
you add it to the cacert truststore which is by default, $JAVA_HOME/jre/lib/security/cacerts | ||
|
||
``` | ||
sudo keytool \ | ||
-import \ | ||
-file /path/to/minica.pem \ | ||
-alias minica \ | ||
-keystore $JAVA_HOME/jre/lib/security/cacerts \ | ||
-storepass changeit \ | ||
-cacerts | ||
``` | ||
|
||
More information can be found at: | ||
|
||
* MiniCA: https://github.com/jsha/minica |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.