Add HTTPS support

Question

Add HTTPS support

Closed this issue 8 years ago · 6 comments

Is it possible (as the code is currently) to start the server in HTTPS?

Answer 1 · 2016-06-14T00:36:45.000Z

It's not, but that's a good idea. It would solve TerriaJS/terriajs#1493 .

I'm not sure what's required to implement this though. Do we provide a certificate, or does each instance have to obtain their own?

Answer 2 · 2016-06-14T00:51:14.000Z

@stevage: As always, my question is why should TerriaJS get into the HTTPS game when things like Apache2/Nginx/others already does it, is not hard to put in front of Terria, and receive security updates?

Answer 3 · 2016-06-14T00:51:46.000Z

Certificates are tied to the host name, so it's not possible for us to provide one.

FWIW, in our production deployments of TerriaJS-based maps (e.g. nationalmap.gov.au), we use AWS and terminate HTTPS at the Elastic Load Balancer, so there's no need for SSL support in terriajs-server. In fact, in just about any reasonable production deployment, there's Varnish or nginx or something in front of the node server, so again no real need for HTTPS in terriajs-server.

Answer 4 · 2016-06-14T00:53:23.000Z

In that case, we should provide guidance about how to do that.

Out of curiosity, how hard would it actually be to implement it? Perhaps it's useful even for "unreasonable non-production" deployments?

Answer 5 · 2016-06-14T00:54:54.000Z

I'd imagine it's pretty easy:
http://blog.mgechev.com/2014/02/19/create-https-tls-ssl-application-with-express-nodejs/

Answer 6 · 2016-06-14T00:55:27.000Z

So... the way I did it ( just to play with it)...

I created a self-signed cert inside of TerriaMap... then modified (a
downloaded version of) terria-server and added the https stuff... and I
created the express app with https... I didn't do any error checking for
missing certs/keys.... just enough to get a POC started.

But, I agree... it should be a function of a web server or an endpoint...