-
-
Notifications
You must be signed in to change notification settings - Fork 82
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
how to use custom certification files? #75
Comments
The configuration options are different depending on how you start falcon. I was able to set the path to certificates for #!/usr/bin/env ruby
require 'localhost/authority'
class Localhost::Authority
def self.path
File.join __dir__, 'ssl'
end
end
require 'falcon/command'
serve = Falcon::Command::Serve[
'--hostname', 'example.com',
'--bind', 'https://localhost:443',
parent: Falcon::Command::Top[]
]
serve.call Certificates will be loaded based on the hostname specified, like:
|
There is very limited documentation at this time as it's only just been released, but take a look at the following files: Here are the parameters to set the tls certificates: falcon/lib/falcon/configuration/tls.rb Lines 31 to 38 in b8e9ca5
Make your own https://github.com/socketry/falcon/blob/master/examples/hello/falcon.rb#L9-L14 Then use |
Also if possible, once you have it working can you let me know and can you help with documentation? |
Note that
Here's my config file: #!/usr/bin/env ./bin/falcon-host
load :rack, :tls
rack 'example.com', :tls do
ssl_session_id 'falcon'
ssl_ciphers Falcon::TLS::SERVER_CIPHERS
scheme 'https'
protocol { Async::HTTP::Protocol::HTTPS }
endpoint do
Async::HTTP::Endpoint.for(scheme, 'localhost', port: 3000, protocol: protocol)
end
ssl_certificate_path { File.expand_path 'ssl/certificate.pem', root }
ssl_certificates { OpenSSL::X509.load_certificates ssl_certificate_path }
ssl_certificate { ssl_certificates[0] }
ssl_certificate_chain { ssl_certificates[1..-1] }
ssl_private_key_path { File.expand_path 'ssl/private.key', root }
ssl_private_key { OpenSSL::PKey::RSA.new File.read(ssl_private_key_path) }
ssl_context do
OpenSSL::SSL::SSLContext.new.tap do |context|
context.add_certificate ssl_certificate, ssl_private_key, ssl_certificate_chain
context.session_cache_mode = OpenSSL::SSL::SSLContext::SESSION_CACHE_CLIENT
context.session_id_context = ssl_session_id
context.alpn_select_cb = lambda do |protocols|
if protocols.include? 'h2'
return 'h2'
elsif protocols.include? 'http/1.1'
return 'http/1.1'
elsif protocols.include? 'http/1.0'
return 'http/1.0'
else
return nil
end
end
context.ssl_version = :TLSv1_2_server
context.set_params ciphers: ssl_ciphers, verify_mode: OpenSSL::SSL::VERIFY_NONE
context.setup
end
end
end It works if I disable HTTPS by setting |
You don't need to duplicate the configuration in Can you try some other tool like |
My operating system is Here's my updated load :rack, :tls
rack 'example.com', :tls do
endpoint { Async::HTTP::Endpoint.for scheme, 'localhost' }
ssl_certificate_path { '/usr/local/project/ssl/example.com.crt' }
ssl_private_key_path { '/usr/local/project/ssl/example.com.key' }
end I figure my syntax must be incorrect, because no matter what I try,
curl 7.68 suggests a client certificate is required:
However, I haven't been able to override the Meanwhile, |
Interesting, I'll probably need to take a closer look. Thanks for reporting back. |
I tried again with a clean setup on darwin18 and had the same outcome. No TLS under I can successfully use my custom certificates using |
Can you let me know what version of falcon you are using? |
I'm on falcon 0.34.5, but I see that you've worked on related code since then. Sorry, I thought I had updated more recently. I'll test on the current release and report back. |
I got
|
Can you show me your current Yes, by default it will use So, is it working, or you still having the same issues? |
I was using incorrect syntax. With corrected syntax, I am able to override the configuration. Thank you. |
i have a similar issue. i would like to move one rails app from using Puma used with # falcon.rb
load :rack, :tls
rack 'my_app', :tls do
endpoint { Async::HTTP::Endpoint.for scheme, 'localhost', port: '3000' }
ssl_certificate_path { './certificate.pem' }
ssl_private_key_path { './private.key' }
end the certificate.pem and private.key are generated with openssl similarly to
and are present in the root dir of the rails app as well as the falcon.rb file when doing
when trying to connect to some async tasks fail with
other with
Environment
NoteI see a For example the same error pops up if the falcon.rb is
|
The |
|
I see what's going on. The normal TLS termination is at the falcon virtual load balancer.
So, you forced it to be on the network interface by specifying the endpoint, but you didn't specify the Your configuration needs to look like this: # falcon.rb
load :rack, :tls
rack 'my_app', :tls do
endpoint do
Async::HTTP::Endpoint.for(scheme, 'localhost', port: '3000', ssl_context: ssl_context)
end
ssl_certificate_path { './certificate.pem' }
ssl_private_key_path { './private.key' }
end We can probably make an environment specific to this use case, e.g. |
Thank you @ioquatix. your solution proved to be working. now running Note 1trying to visit the link
i was tented to say "this is a client problem so i guess we are good to go." but now i see the same is happening when i do
after checking i see that falcon is still serving a tls connection at https://localhost:3000. when Note 2if you like i could try to set up a |
|
Thank you for the explanation so at the end i was able to fix the issue client side by setting
or by doing
|
It's not well documented I guess since you didn't find it but it is explained here too: https://github.com/socketry/localhost#self-signed-localhost |
I'll add my case here, we use real signed certificates in development and testing and it's a must for our project, also it means each developer has it's own certificates. So far I'm only checking how we could use falcon in our environment but in order to run our certificates when using |
Yes this is a totally acceptable way to do it. That |
Just FYI, the directory was changed |
With puma, we can use our own cert files either by URL or a config file.
URL:
config:
I wonder if falcon has the same feature.
The text was updated successfully, but these errors were encountered: