Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

switchable secure mode #97

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Conversation

rusekr
Copy link

@rusekr rusekr commented Dec 20, 2013

Hello!
Want to add option for starting https with wss instead of http server with ws.

Minor changes - new feature. Some people may need this. For example we need secure websockets now for testing :)
Tried not to break coding style/modularization.
And big thanks for original :)

@dhruvbird
Copy link
Collaborator

@rusekr Thanks for the PR.
However, is it possible for you to use nginx before the bosh proxy? nginx can be configured to terminate https (and hence wss).

The reason(s) that I'm reluctant to add https support is that:

  1. node.js is single threaded, and performance will be impacted
  2. the next thing people will want is gzip compression
  3. these things are better handled by a software meant for an optimized to provide the above functionality (aka. nginx).

Would you consider using nginx before the bosh proxy? Is there something that the nginx based solution can't provide?

@rusekr
Copy link
Author

rusekr commented Dec 23, 2013

May be on production we'll be using nginx. But now nginx is still need to be installed and configured but https is already required. And having option to make https without additions seems not too bad for us :)

p.s.: May be nodejs performance is not too bad as it was earlier. Here http://habrahabr.ru/post/123154/ people succeed in testing 1 000 000 simultaneous connections to nodejs server.

p.p.s: Gzip - http://stackoverflow.com/questions/8880741/node-js-easy-http-requests-with-gzip-deflate-compression

@dhruvbird
Copy link
Collaborator

Is it possible for you to use https://github.com/nodejitsu/node-http-proxy for testing? It seems easy(ier) to set up than nginx.

The test http://habrahabr.ru/post/123154/ uses the cluster module (hence not single threaded, whereas node-xmpp-bosh is single threaded) and only compares small http requests (not https or any processing involved). Because of all the processing overhead involved in a bosh server, typical QPS doesn't cross a few thousand.

Thanks for the gzip link! However, my concern is with the gzip CPU overhead instead of the easy of use (which I may add, node.js has been a champion of).

I wrote a post on scaling parts of your stack separately http://dhruvbird.blogspot.com/2011/03/scale-out-with-services-scale-services.html a while ago, and you would typically have more bosh proxy instances than nginx instances, and management is easier if the TLS certs are in one place (nginx or apache for example) rather than all over the place.

Is it possible for you to avoid https natively in the bosh proxy?

@mr-tron
Copy link

mr-tron commented Jan 16, 2014

If nginx is already used on server, it makes complete sense. But there is not good idea to add yet another system's element without strong reason. node-xmpp-bosh is equal in https-speed to nginx, but nginx is wasteful of made connections' memory. It's critically important for xmpp-server because of low traffic but lots of connections.
P.S. Sorry for my english.

@rusekr
Copy link
Author

rusekr commented Jan 17, 2014

Oh. Got it.

@dhruvbird
Copy link
Collaborator

I have some more comments before I can get this in - will post in a bit.

@dhruvbird
Copy link
Collaborator

I can buy the performance argument (wrt # of connections using more resources, etc...) as a valid reason to support https built-in.

@rusekr
Copy link
Author

rusekr commented Jan 27, 2014

Hello!
Just another variant. I will comment on all this and yours comments in about two hours (:

@rusekr
Copy link
Author

rusekr commented Jan 28, 2014

Hello, dhruvbird!
Check this version (1.3). Modified unit tests included. --secure parameter.
About ssl parameters and behaviour - all now checked as described in http://nodejs.org/api/tls.html#tls_tls_createserver_options_secureconnectionlistener . But some parameters differs as I commented in config as "For key, cert, pfx and ca you can use links to files here."

@rusekr
Copy link
Author

rusekr commented Mar 3, 2014

bump :)

@rusekr
Copy link
Author

rusekr commented Mar 17, 2014

Fixed priority of "--secure" run option. Now https works while configured in bosh.conf.js too..

@flekmatik
Copy link

I am not sure why this isn't merged already. We are trying to use this library but current browsers (Chrome) won't permit insecured connections from https pages. Deploying another proxy just for one server when all of our other node servers use https just fine doesn't make much sense.

@mr-tron
Copy link

mr-tron commented Sep 5, 2014

Probably you try test without secured certificates: https://code.google.com/p/chromium/issues/detail?id=141839

@cervajs
Copy link

cervajs commented Sep 11, 2014

+1 for merge

@HLFH
Copy link

HLFH commented Mar 4, 2015

+1 for merge.

@dhruvbird
Copy link
Collaborator

I'm getting the following error (not sure if I'm doing it right)

  1. bash scripts/generate_cert.sh
  2. node run-server.js --secure --config=./bosh.conf.example.js

Output:

$ node run-server.js --secure --config=./bosh.conf.example.js
+----------------------------------------------------------------------------------------------------------------------------+
| Starting BOSH server 'v0.7.10' on 'https://0.0.0.0:5280/^\/http-bind(\/+)?$/' at 'Wed Apr 22 2015 12:38:43 GMT-0400 (EDT)' |
+----------------------------------------------------------------------------------------------------------------------------+

crypto.js:176
      c.context.loadPKCS12(pfx);
                ^
Error: not enough data
    at Object.exports.createCredentials (crypto.js:176:17)
    at Server (tls.js:1128:28)
    at new Server (https.js:35:14)
    at Object.exports.createServer (https.js:54:10)
    at new HTTPServer (/home/dhruvbird/node-xmpp-bosh/src/http-server.js:340:33)
    at Object.exports.createServer (/home/dhruvbird/node-xmpp-bosh/src/bosh.js:291:14)
    at Object.exports.start_bosh (/home/dhruvbird/node-xmpp-bosh/src/main.js:58:25)
    at main (/home/dhruvbird/node-xmpp-bosh/run-server.js:187:24)
    at Object.<anonymous> (/home/dhruvbird/node-xmpp-bosh/run-server.js:201:1)
    at Module._compile (module.js:456:26)

@rusekr
Copy link
Author

rusekr commented Apr 23, 2015

It can't found certificate file mentioned in --config=./bosh.conf.example.js

It has to be key and cert pair or one pfx file. (in this config it named ./cert/server.pfx).

You can interactively generate sample pfx certificate by runing:
"bash scripts/generate_cert.sh pfx"

or edit configuration file to use generated without "pfx" option key and crt pair.

Script puts it in ./cert directory.

Normally this file(s) given by certification authority or generated by you and signed with certification authority than it will be "green" in address bar in browser.

@sdebnath
Copy link

sdebnath commented Sep 2, 2015

Hey guys, any updates on this? The HTTPS option is required for any single page app (SPA) trying to communicate with the BOSH server if the app itself is served securely. Yes, the SSL terminating proxy ahead of the bosh should solve the issue, however this is a major PITA for dev/uat scenarios in startups where resources are already desperately low. Any help will be appreciated.

@mr-tron
Copy link

mr-tron commented May 15, 2018

lol. more than two years.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.

8 participants