open-balena-api

HTTP to HTTPS middleware (optional?)

Open bartversluijs opened this issue 4 years ago • 4 comments

Hi,

There's default middleware enabled that always redirects http to https.

Because the application doesn't handle HTTPS certs, but, for example, HAProxy does, why is this necessary in the API?

I'm working on a K8s version of open-balena, but because of an issue/feature, K8s can't access the LoadBalancer inside a pod. So it can access the API container like http://api/, but not like https://api.mydomain.com/. But because the API redirects to https, it doesn't work anymore, because the API container doesn't provide the HTTPS connection.

So, is this middleware really necessary in the API? Or can it be optional based on an environment variable?

Thanks in advance!

bartversluijs, Jun 17 '20 11:06

I have hit a similar problem with this before. I understand why the code is this way (we want to enforce access over HTTPS for security) but I also can see why it causes a problem. @dfunckt we should discuss if this is actually needed here, I think.

richbayliss, Jun 17 '20 12:06

We definitely want to enforce HTTPS but I agree it doesn't have to happen at this level and could be handled higher up in the stack. Let's get together with Anton and Page and figure it out.

dfunckt, Jun 17 '20 12:06

I completely agree that you want to enforce HTTPS for security. Running this on plain HTTPS isn't secure at all. However, I think this is the task of an NGINX, or HAProxy, to handle this. Because the SSL isn't handled in Node.js, so why enforce it in Node.js? It creates complications like these, which is unfortunate.

Was too slow hitting the 'comment' button as @dfunckt just commented.

bartversluijs, Jun 17 '20 12:06

Just for some more information, I've stumbled upon this problem because of errors in the open-balena-vpn container. This uses the BALENA_API_HOST for connecting to the API. But everything has https:// predefined.

If this change is fixed, it wouldn't fix the problem of communicating locally between containers, because every other component enforces HTTPS. I'm happy to make an issue there, but what I'm saying is, it'd be better if there's support for inter-container communication by setting an ENV variable, for example for k8s.

Thinking about it, this is k8s-only probably, because when using containers, you'd like to use a loadbalancer...

bartversluijs, Jun 17 '20 12:06
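
Added example (not part of the thread and not open-balena-api code): an Express-style redirect middleware that stays on by default, treats a request as secure only when a trusted TLS-terminating proxy says so, and can be switched off for in-cluster traffic. The variable names `HTTPS_REDIRECT`, `TRUST_PROXY` and `PUBLIC_HOST`, the `/ping` path and the sample requests are assumptions made for illustration.

```javascript
// Added example, not open-balena-api code. HTTPS_REDIRECT, TRUST_PROXY and
// PUBLIC_HOST are hypothetical variable names.
function configFromEnv(env) {
  return {
    enabled: env.HTTPS_REDIRECT !== 'false', // secure default: redirect stays on
    trustProxy: env.TRUST_PROXY === 'true',  // honour X-Forwarded-Proto only behind a proxy
    publicHost: env.PUBLIC_HOST,             // redirect target; never the client's Host header
  };
}

function isSecure(req, trustProxy) {
  if (req.socket && req.socket.encrypted) return true; // TLS terminated in Node itself
  if (!trustProxy) return false;
  // Proxies may append values; the first entry is the client-facing hop.
  const proto = String(req.headers['x-forwarded-proto'] || '').split(',')[0];
  return proto.trim().toLowerCase() === 'https';
}

function httpsRedirect(config) {
  return function (req, res, next) {
    if (!config.enabled || isSecure(req, config.trustProxy)) return next();
    res.statusCode = 308; // keeps method and body, unlike 301/302
    res.setHeader('Location', 'https://' + config.publicHost + req.url);
    res.end();
  };
}

// Runs one constructed request through the middleware and reports the outcome.
function simulate(env, headers) {
  const req = { url: '/ping', headers: headers, socket: {} };
  const out = { passed: false, status: null, location: null };
  const res = {
    set statusCode(code) { out.status = code; },
    setHeader: function (name, value) { if (name === 'Location') out.location = value; },
    end: function () {},
  };
  httpsRedirect(configFromEnv(env))(req, res, function () { out.passed = true; });
  return out;
}

// Constructed cases: proxy-terminated TLS, plain HTTP, and an in-cluster call.
const base = { TRUST_PROXY: 'true', PUBLIC_HOST: 'api.example.com' };
console.log(simulate(base, { 'x-forwarded-proto': 'https' }));
console.log(simulate(base, { host: 'api' }));
console.log(simulate(Object.assign({}, base, { HTTPS_REDIRECT: 'false' }), { host: 'api' }));
```

With the redirect disabled, HTTPS enforcement has to come from the proxy or ingress in front of the service, and the pod should not be reachable from outside the cluster by any other route.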