Use HTTPS with BrowserSync #57
Conversation
Bundle a default key/cert generated from the instructions in [this great article](https://deliciousbrains.com/https-locally-without-browser-privacy-errors/).
|
@mor10 or @hellofromtonya I would love someone else to test this and see if they can get the certs trusted and working for them. I think it makes sense to bundle a cert rather than walk folks through creating one. We will need to document the step to add the cert to the keychain. I also only have a Mac and can't test on Windows or Linux. |
|
This cert was generated with |
|
Once #55 is merged I will rebase it here, which should allow Travis to pass. |
dev/config/themeConfig.js
Outdated
| @@ -10,7 +10,12 @@ module.exports = { | |||
| browserSync: { | |||
| live: true, | |||
| proxyURL: 'wprig.test:8888', | |||
| bypassPort: '8181' | |||
| bypassPort: '8181', | |||
There was a problem hiding this comment.
Can we fix the spacing issues here?
| @@ -4,6 +4,8 @@ | |||
| // External dependencies | |||
| import requireUncached from 'require-uncached'; | |||
| import browserSync from 'browser-sync'; | |||
| import log from 'fancy-log'; | |||
There was a problem hiding this comment.
Hey @ataylorme! I don't mind introducing logging and colors, but let's do so in its own PR. Then we can add it for other functionality.
There was a problem hiding this comment.
The logging packages are already in (see #47 (comment)), I am just making use of them.
Would you prefer using log messages to be a separate PR later?
There was a problem hiding this comment.
I'm fine with keeping the logging in. Thanks!
gulp/browserSync.js
Outdated
| log(colors.yellow(`Using the default SSL key ${colors.bold(keyPath)}`)); | ||
| } | ||
|
|
||
| if (config.dev.browserSync.https) { |
There was a problem hiding this comment.
We should check this logic first, because otherwise there's no point in running the rest.
There was a problem hiding this comment.
And it should all be moved inside if (config.dev.browserSync.live).
gulp/browserSync.js
Outdated
| @@ -21,12 +23,42 @@ export function serve(done) { | |||
| // get a fresh copy of the config | |||
| const config = requireUncached(paths.config.themeConfig); | |||
|
|
|||
| let serverConfig = { | |||
| proxy: config.dev.browserSync.proxyURL, | |||
There was a problem hiding this comment.
Should we be checking to make sure these are defined?
|
Also, FYI, we already had a PR open for this. So we'll need to keep it in mind. |
|
Yes, I saw #7 and used that PR for inspiration ;-). However, it does not supply a cert and was made before the recent gulp changes. With my research into what makes Chrome happy generating a cert is not fun so bundling one is preferred if possible. @bamadesigner were you able to test this and see if the cert works for you? It worked for me but I also generated it so would like a second (and maybe third) opinion. You'll need to add the cert file to the keychain and mark as trusted but it should be okay after that since the BrowserSync URL is hard coded and the cert matches. |
|
Looping in @miklb as he was the one who put in the original issue (#6) and PR (#7). See @ataylorme's request for testing. |
mor10
added
enhancement
It makes more sense to have this check at the beginning rather than a conditional later.
…orme/wprig into issue-6-browser-sync-https-support
| liveReload: true | ||
| }); | ||
| // bail early if not serving via BrowserSync | ||
| if (! config.dev.browserSync.live) { |
There was a problem hiding this comment.
And it should all be moved inside if (config.dev.browserSync.live).
@bamadesigner I took the opposite approach and just exit early if config.dev.browserSync.live is not true
There was a problem hiding this comment.
Good call. Let's wrap L39-63 in the check for if (config.dev.browserSync.https), since there's no point if no https.
|
Let me get my local fork updated and will test both with my local certs as well as the generated. Much appreciated taking a look at it. |
|
@miklb have you had a chance to test this yet? |
|
apologies, I have not, was out of town for a few days. I can definitely test this evening. |
|
I'm testing as well. Thanks for being patient with me. I had to knock out a project after WPCampus. |
| liveReload: true | ||
| }); | ||
| // bail early if not serving via BrowserSync | ||
| if (! config.dev.browserSync.live) { |
There was a problem hiding this comment.
Good call. Let's wrap L39-63 in the check for if (config.dev.browserSync.https), since there's no point if no https.
|
@ataylorme if there are required steps for the user to implement, e.g. "add the cert file to the keychain and mark as trusted", lets make sure we add instructions in the README. Current status: I added to Keychain Access, marked to always trust, re built the theme but its struggling to connect. Update: it's working now. I forgot to update my config file with my local proxyURL. |
dev/config/themeConfig.js
Outdated
|
|
||
| // Use a custom cert/key if desired | ||
| // certPath: '', | ||
| // keyPath: '' |
|
I misunderstood and thought the script was generating a unique local cert. I'm not inclined to accept a public cert like that in my browser. I attempted to use my own cert and key and other than the two missing commas and I'm able to However it seems like for some reason it's not cache busting the version number of the css file when I update a file. Specifically I edited OK, looking closer, |
|
@miklb Yea, I believe the cache stuff is on purpose, plus some of that is being worked on in #39. @ataylorme and I are gonna have a working session early next week, confirm everything and close this up. Have you had a chance to test @mor10? You feel good about this? |
Good catch @miklb, this has been updated.
@miklb can you expand on this concern? I would object as well if we were recommending the certs be used for production but for local development I don't think it is a concern. Using your own cert is great for users with the knowledge to create one but generating a self-signed cert with the proper Subject Alternative Name for Chrome to not show warnings took some education, creating an OpenSSL configuration file, and more than one attempt. By including the certs here I am hoping others do not have to go through the same thing and can get up and running quickly. Since the BrowserSync domain is constant at The alternative would be to not include a cert in WP Rig and ask users to generate their own. We would need to provide ample documentation on how to do so. I'm happy to discuss further but would need some convincing before putting that burden on WP Rig users. |
@bamadesigner I added instructions for Mac but I don't have access to a Windows on Linux machine to test. The
How have you been testing Windows/Linux? I'd love help making sure those are documented as well |
It is true that the key is tied to the domain (which might need to be documented? if I change the Once you're browser and machine accept that cert, you are trusting ANY site served with that cert/domain. So an attacker would need to poison your dns in order to have the malicious site use the same domain name as is on the certificate. Highly unlikely, but as a rule I would never suggest accepting a cert/key that is just floating around in a GitHub repo. I wonder if a one off Gulp task could be written to generate the local key/cert. Something like |
It is tied to
I think this would be very hard to do. Different operating systems aside, even for Mac which version of OpenSSL and other unpredictable things would make this unreliable.
I'm +1 on adding this info to the README. I'm curious though how this is different even if each user generates their own cert as you would still need to trust a cert with To be really risk-averse you could trust the cert when you start developing locally after disabling WiFi and then distrust it again when you are done working and re-enable WiFi. |
|
I did not realize the cert was tied to localhost. I’ll need to read up on security issues there before commenting further. My only experience is with domain level certs. |
|
OK, this seems to be the best argument against using https://letsencrypt.org/docs/certificates-for-localhost/
|
|
@miklb thanks for the research/comments. This is an area I am not super familiar with as well. I'm coming around to the alternative of making users generate their own certs. We should not toss security out for the sake of convenience. Security vs convenience is a constant battle but in this case, asking users to generate their own certs may be necessary. It would be a one-time effort as once they have a cert if would work for multiple WP Rig projects. I'd like to see what @bamadesigner and @mor10 have to say as well. |
|
@ericmann you are the most knowledgeable security person I know. Any chance you can weigh in? |
|
@ataylorme I would highly recommend against distributing a cert and private key with the project. There are a lot of applications that leverage In short: never distribute a private key in a repo. Ever. And in order for a local environment to leverage a pre-generated cert, it'd need the private key. In other words, this is a bad idea. However, your heart's in the right place!
Something like https://github.com/jfromaniello/selfsigned could likely be used in a Gulp task to generate a key and cert locally. Then use that generated key (and trust it in your keystore) using existing instructions. As the key is generated offline, no one will be able to abuse it. |
|
Thanks for the quick feedback @ericmann. I've removed the bundled cert/key. I will explore generating a cert/key with gulp but for now, I have just added a link to the LetsEncrypt instructions in the README. I also set |
|
I tested both with and without a custom cert. Screenshots of the results below. One thing to note is that my local WordPress installation that BrowserSync is proxying has HTTPS forced. Putting an Without a custom cert With a custom cert |
|
@miklb caching issues aside can you test with your custom cert/key as well? |
|
Thanks for all the hard work and research! |
@ataylorme custom cert/key works, caching issues aside. Give me a shout if you want a hand on the task to create the key/cert. I think that would be pretty rad. |
I won't be able to play around with that until next week. Help would be great if you want to give it a go. https://www.npmjs.com/package/@magento/devcert looks promising. |
I think generating a cert with gulp can be a separate feature/PR later and shouldn't hold this back. |
|
I have tested and this works, though the setup is rather clunky. Not that we can do much about it as the clunkiness is centered around how to get certificates up and running. Nice work! |
|
Feel free to merge once you feel the issues you've flagged above are sufficiently handled @bamadesigner |
|
Agreed @ataylorme: Let's get this thing wired up first, and then talk about automatic generation of certs. That would probably involve some serious documentation work and testing which warrants a separate PR. |
|
Thanks for all the hard work @ataylorme! |
Description
Addresses issue #6. Bundles a default key/cert generated from the instructions in this great article.
The certs need to be trusted. I was able to do this on macOS High Sierra by dragging the certificate file into the keychain.
List of changes
dev/config/BrowserSyncdirectory with an SSL cert, key and config.dev/config/themeConfig.jsto allow for custom certificatesChecklist: