Play framework: Secure WebSocket (WSS) - nginx

I've read in this post (How to use TLS in Play!Framework WebSockets ("wss://")) that Play framework 2.x doesn't support Secure WebSocket. Someone suggests to use nginx proxy. I'm thinking about configuring Play to serve HTTPS (as described here: https://www.playframework.com/documentation/2.3.x/ConfiguringHttps).
Would this work with a WSS client endpoint and is this a correct approach?
Is there an alternative approach to nginx or https?

Yes, it does work. I have tried it in Play 2.1.4. It worked fine for me, but I have only tested it in Google Chrome and Firefox.

Yes, the right approach is to run Play configured to run https (-Dhttps.port=9443) and then you can use wss://
Tested on Windows and Play 2.2.x

Related

.Net 6 API - can't get data -> ERR_CERT_AUTHORITY_INVALID

I run a .Net 6 API on my Raspberry Pi. I can get data from this API using the browser at "https://192.168.178.51:7001/swagger/". Entering the URL "https://192.168.178.51:7001/api/status/" also returns the expected values. So the API is working so far. But when I try to get data from my Blazor WASM app using HTTPClient, I get no data. Inspecting the browser shows the following message:
GET https://192.168.178.51:7001/api/Status net::ERR_CERT_AUTHORITY_INVALID
How can I fix this? Do I have to install an SSL certificate? How do I do this for a self-contained API?
You will need, at a minimum, a self-signed certificate. Then you will need to let your browser accept the self-signed certificate (Advanced, Proceed to ServerIp).
Now, I do not know what OS you are using on your Raspberry, but for a Beaglebone (similar to a Raspberry Pi) with Debian and nginx, here is the procedure:
https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-on-debian-10
You will need the same kind of steps for whichever OS and web server (Apache, nginx... Kestrel?) you use.
Using a reverse proxy will be the solution, as described here: https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/linux-nginx?view=aspnetcore-6.0
Quote from the article:
Kestrel is great for serving dynamic content from ASP.NET Core. However, the web serving capabilities aren't as feature rich as servers such as IIS, Apache, or Nginx. A reverse proxy server can offload work such as serving static content, caching requests, compressing requests, and HTTPS termination from the HTTP server.
Using a reverse proxy I can set a certificate.

How to enable HTTP2 in Cloud Foundry using nginx-buildpack?

Is it possible to enable HTTP2 in cloud foundry using NGINX buildpack or any? I understand that GoRouter will not support HTTP2 but not sure if there is any workaround for this?
My original requirement is to serve large JS file from Cloud Foundry so to improve performance looking for enabling HTTP2.
Thanks,
Not exactly the same question, but the solution here applies: https://stackoverflow.com/a/55552398/1585136.
If you need public clients (i.e. clients outside CF) to connect to your app, you need to use TCP routing. If your provider doesn't enable this by default, find another provider (see this list of public providers; hint: Pivotal Web Services will provide TCP routes upon request) or self-host.
If you only need to use HTTP/2 and/or gRPC between apps running on CF, you can use the container-to-container network. When you talk app to app, there are no restrictions (so long as you properly open the required ports). You can use TCP, UDP and any protocol built on top of those. There are some details about how this works here.
You'll also need the Nginx http_v2_module. This is a very recent addition and isn't yet in a build of the Nginx or Staticfile buildpack as I write this. It should be, if everything goes right, in the next release though. That should be Nginx buildpack 1.1.10+ and Staticfile buildpack 1.5.8+.
My original requirement is to serve large JS file from Cloud Foundry so to improve performance looking for enabling HTTP2.
It might, it might not. Your mileage may vary. HTTP/2 isn't a silver bullet. This explains this well.
https://www.nginx.com/blog/http2-module-nginx/

Check if X509Certificate2 will work with http/2 in Google Chrome and Mozilla Firefox

We are running a Dotnet Core 3.0 application that provides a web API via Kestrel. By default, Kestrel has set the available protocols to Protocols.Http1AndHttp2.
On one of our test machines it turned out that http/2 does not work in combination with Google Chrome (77.0.3865.90). The browser displays an error with the message ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY. The fallback to http1 does not work in this case because the browser does support http/2 in general.
Microsoft Edge btw. does support requesting the same endpoint via http/2.
I tested the certificate on my development machine and it turns out that this works as expected. So it does not seem to be a problem with the certificate itself rather than the server hosting the application. My local machine is running Windows 10 Pro (1903). The server is running Windows Server 2012 R2 Datacenter (6.3.9600).
The application will be hosted on our customers' servers as a self-contained package and we will not have an impact on what servers the API will be running on.
Instead of disabling http/2 completely, we would like to check if all browsers will accept the provided certificate in combination with http/2. I'm not sure how to find this out on the server side. To us it seems to be some kind of problem regarding the provided cipher suites, but I have no idea how to check the compatibility on the server side.
Does anyone have an idea on how to check the compatibility?
It’s not the certificate; it’s the cipher suites.
Run your site through this tool: https://www.ssllabs.com/ssltest/ (or download and use https://testssl.sh if not publicly available, internal site) and you’ll see the cipher suites configured.
HTTP/2 blacklists older ciphers and Chrome won’t use HTTP/2 if those are configured. The list is here: https://www.rfc-editor.org/rfc/rfc7540#appendix-A but basically you probably should be using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 for Chrome.
This post tells you how to change them for IIS: https://medium.com/#rootsecdev/configuring-secure-cipher-suites-in-windows-server-2019-iis-7d1ff1ffe5ea
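A server-side check along the lines of the answer above, as an added example that is not part of the original post. It does not embed the literal Appendix A list; it classifies suite names by the two criteria the appendix itself states (no ephemeral key exchange, or a null, stream or block cipher), so it is a name-based approximation. The function names and the sample list are constructed for illustration.

```python
# Name-based check of TLS cipher suites against the criteria stated in
# RFC 7540 Appendix A. Approximation: not the literal list from the RFC.
AEAD_MARKERS = ("_GCM", "_CCM", "CHACHA20_POLY1305")  # AEAD bulk ciphers
EPHEMERAL_KX = ("DHE_", "ECDHE_")                      # ephemeral key exchange

def _is_aead(cipher):
    return any(marker in cipher for marker in AEAD_MARKERS)

def classify(suite):
    """Return (ok_for_http2, reason) for one IANA cipher suite name."""
    name = suite.strip().upper()
    if not name.startswith("TLS_"):
        return False, "not an IANA TLS_* name"
    body = name[len("TLS_"):]
    if "_WITH_" not in body:
        # TLS 1.3 naming: key exchange is always ephemeral, cipher always AEAD.
        if _is_aead(body):
            return True, "TLS 1.3 AEAD suite"
        return False, "not a cipher suite name"
    kx, cipher = body.split("_WITH_", 1)
    if not kx.startswith(EPHEMERAL_KX):
        return False, "key exchange " + kx + " is not ephemeral"
    if not _is_aead(cipher):
        return False, "bulk cipher is not AEAD (CBC, RC4 or NULL)"
    return True, "ephemeral key exchange with AEAD cipher"

def audit(server_suites):
    """Audit a suite list given in server preference order."""
    results = [(s, *classify(s)) for s in server_suites]
    first_ok = next((i for i, r in enumerate(results) if r[1]), None)
    # Rejected suites ranked above the first acceptable one are the ones a
    # server that enforces its own order will pick first.
    ahead = [r[0] for r in results[:first_ok] if not r[1]]
    return {"results": results, "first_acceptable": first_ok,
            "rejected_ahead": ahead}

# Constructed sample: a server preference list, not taken from the page.
SAMPLE = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]

if __name__ == "__main__":
    report = audit(SAMPLE)
    for suite, ok, reason in report["results"]:
        print(("OK      " if ok else "REJECT  ") + suite + ": " + reason)
    print("ranked ahead of first acceptable suite:", report["rejected_ahead"])
```

Feed it the suite names reported by testssl.sh or the SSL Labs test, in the order the server prefers them; any entry in `rejected_ahead` is a candidate for reordering or removal.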

How can I use nginx 1.9.5 as a reverse proxy with gRPC?

I want to
write my backend code with Java,
use HTTP/2 (NGINX 1.9.5 supports HTTP/2),
write a bidirectional stream to send data between client and server at any time.
gRPC seems to be the best choice, and I want to use NGINX as my reverse proxy and for load balancing. I could not find any documentation on how to use NGINX with gRPC Java. Does anyone know?
I saw that gRPC PHP already supports NGINX: https://github.com/grpc/grpc/tree/master/src/php#use-the-grpc-php-extension-with-nginxphp-fpm
But I also saw an issue that said a 3rd-party NGINX module for gRPC support is in the process of being submitted, a ticket on NGINX that means we can't write an HTTP/2 NGINX proxy module for gRPC, and I also saw that nginx does not support the full HTTP/2 specs, so gRPC does not work through it.
I'm confused about that, why do some posts say gRPC PHP works but in other posts it says it can't.
Not on nginx, but I just published a grpc-proxy written in Go. It's lightweight and configurable, and there is a docker image available.
Yeah, nowadays gRPC/HTTP2 with or without TLS is indeed fully supported on NGINX, as long as you have version 1.13.9 (if you just install the docker image with either the alpine or latest tag then it'll be the right version).
As of (at least) late 2020 there is full support for it. Here's a link to their official Documentation:
https://www.nginx.com/blog/nginx-1-13-10-grpc/

asp:MediaPlayer (Silverlight) Https / http issue

We have a site (https://oursite.net) in which we display a video stream hosted on http (http://someserver.com). The site needs to be hosted on https, and we don't control the video, so I'm assuming it needs to be on http. We recently added the option to play the stream through the Silverlight asp:MediaElement, which works perfectly fine in our test environment (on http) but doesn't work in production (https).
The info on the web is somewhat confusing, as I'm having a hard time differentiating between how this stuff worked at different stages in the Silverlight development (it seems to have been a bit to and fro).
Is this setup possible at all (hosting the player on https but playing a stream on http) with some sort of policy file?
In that case: does this policy file need to be hosted with the Silverlight app (on https) or where the streams are located (http)?
Thanks for your time
Andreas
You are running into a cross-scheme violation unfortunately. The stream would need to match the same scheme (https) as the hosting application. Unfortunately most streaming isn't available in HTTPS.
Can you check the enableHtmlAccess property on the object tag to make sure it is true? Most media players end up using the HTML DOM bridge to communicate with the web page.
It's also likely that there is a cross-scheme issue: you should try and optimize for all assets being on the same scheme (HTTP or HTTPS).
