Hiya 👋 I've started noodling around on implementing the bridge/prin

A small update: I added local SSL (via Docker) support into <a href="https://github.co

Hi <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="

Issue connecting to websocket via SSL or via host about sirius HOT 4 CLOSED

notjosh commented on July 17, 2024

Issue connecting to websocket via SSL or via host

from sirius.

Comments (4)

knyar commented on July 17, 2024 1

Just FYI, if someone is interested in getting Little Printer connect to their Sirius server via HTTPS, you can find a patched version of the bridge software that makes that possible here: https://github.com/knyar/berg-bridge

I think I managed to make it properly pass the Host header while establishing a websocket connection, and also removed client side SSL verification.

from sirius.

notjosh commented on July 17, 2024

A small update: I added local SSL (via Docker) support into my fork, and the connection happily stays open when running websocat -k -v wss://sirius.localhost:8443/api/v1/connection, so perhaps there's something funky with the SSL termination at Heroku? Maybe it needs some additional paid addon to keep the connection open? Blargh.

from sirius.

joerick commented on July 17, 2024

Hi @notjosh ! Your new printer is looking great!

So I'm not a specialist in all this, but there are a few wrinkles in how this all works. We use Heroku to host sirius, but when the Berg bridges connect, they resolve DNS and send their HTTP/HTTPS requests without a Host header. I think WSS doesn't work for them either, since the certificate the server provides is attached to a DNS name, not an IP address. Heroku also can't give you a dedicated IP address.

So to work around this, we stood up a VM on Digital Ocean that is a reverse proxy for the heroku server. Here's the config:

root@little-printer-proxy:~# cat /etc/nginx/sites-enabled/littleprinterproxy 
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

upstream heroku {
    server nord-sirius.herokuapp.com:443;
}
upstream ngrok {
    server 1d591c6f.ngrok.io:443;
}

server {
    listen 80 default_server;
    server_name littleprinter.nordprojects.co;

    location / {
        proxy_pass https://heroku;
#        proxy_pass https://ngrok;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host "littleprinter.nordprojects.co";
#        proxy_ssl_session_reuse off;
	proxy_connect_timeout 10s;
        proxy_read_timeout 60s;
#        proxy_set_header Host "1d591c6f.ngrok.io";
    }

    listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/littleprinter.nordprojects.co/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/littleprinter.nordprojects.co/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

littleprinter.nordprojects.co points to that server, and that server routes the traffic via HTTPS to heroku.

Later, I wanted to make the device.li URLs, so I created a different nginx config on that server:

root@little-printer-proxy:~# cat /etc/nginx/sites-enabled/deviceli 
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

upstream littleprinter {
    server littleprinter.nordprojects.co:443;
}

server {
    server_name device.li;

    location / {
        proxy_pass https://littleprinter/printkey/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host "littleprinter.nordprojects.co";
        proxy_ssl_session_reuse off;
        proxy_read_timeout 86400s;
    }

    location /static/ {
        proxy_pass https://littleprinter/static/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host "littleprinter.nordprojects.co";
        proxy_ssl_session_reuse off;
        proxy_read_timeout 86400s;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/device.li/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/device.li/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}


server {
    if ($host = device.li) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen 80;
    server_name device.li;
    return 404; # managed by Certbot


}

So that's the context - I'm no expert in nginx, so there might well be issues in those configs that are causing issues. I will say though, have you tried wss://littleprinter.nordprojects.co/api/v1/connection? That's what I would expect to work - there's an SSL config for that domain, and nginx is already routing unsecured HTTP websocket traffic at that URL.

from sirius.

notjosh commented on July 17, 2024

Whew, thanks for the writeup! That all makes complete sense, I appreciate it.

I haven't looked super closely just yet, but it looks like wss://littleprinter.nordprojects.co/api/v1/connection works completely fine. I wish I tried that in the first place and saved us both the hassle ;)

I'll close the issue, and reopen if it starts to look like a problem again.

from sirius.

Issue connecting to websocket via SSL or via host about sirius HOT 4 CLOSED

Comments (4)

Related Issues (11)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent