Taiga events running on secure environment


Nacho Álvarez

Dec 30, 2015, 2:59:18 AM
to taigaio
Hi,

I have a working installation of Taiga over HTTP, but I'm trying to configure it to serve HTTPS, using dummy certs for the moment. I have all modules working except Taiga Events.

If I leave the config for Taiga Events unchanged, the console notifies me about an insecure operation and Taiga doesn't work.

What changes are needed to run Taiga Events in an HTTPS context? In the doc, section 6.2.1 https://taigaio.github.io/taiga-doc/dist/setup-production.html, I only see the nginx config without /events, which appears in section 5 with this:

location /events {
    proxy_pass http://127.0.0.1:8888/events;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_connect_timeout 7d;
    proxy_send_timeout 7d;
    proxy_read_timeout 7d;
}

Is any change needed in this part to activate HTTPS? In ~/taiga-front-dist/dist/js/conf.json I have:

    "eventsUrl": "wss://example.com/events",

instead of 

    "eventsUrl": "ws://example.com/events",

as the doc suggests. 

In /etc/rabbitmq/rabbitmq.config I have:

[
 {rabbit,
  [
   {tcp_listeners, [5672]},
   {ssl_listeners, [5671]},
   {ssl_options, [{cacertfile,           "/etc/ssl/certs/ca-bundle.crt"},
                  {certfile,             "/etc/ssl/certs/ssl-bundle.crt"},
                  {keyfile,              "/etc/ssl/certs/server.key"},
                  {verify,               verify_none},
                  {fail_if_no_peer_cert, false}
   ]}
  ]}
].

and it seems it's working with tls1:

[root@demos taiga-events]# openssl s_client -connect 127.0.0.1:5671 -tls1
CONNECTED(00000003)
<cert data>

but not with ssl3 (it's not supported by rabbitmq, I think):

[root@demos taiga-events]# openssl s_client -connect 127.0.0.1:5671 -ssl3
CONNECTED(00000003)
139969333970600:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:s3_pkt.c:1472:SSL alert number 70
139969333970600:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:656:

Frontend and backend are working really well with HTTPS.


Any idea? Thank you in advance!

Nacho Álvarez

Dec 30, 2015, 5:02:13 AM
to taigaio
I forgot to include taiga-events config.json content, which is:

{
    "url": "amqp://taiga:taiga@localhost:5671/taiga",
    "secret": "onesecret;)",
    "webSocketServer": {
        "port": 8094
    }
}

and these two lines in the taiga-back local.py file:

EVENTS_PUSH_BACKEND = "taiga.events.backends.rabbitmq.EventsPushBackend"
EVENTS_PUSH_BACKEND_OPTIONS = {"url": "amqp://taiga:taiga@localhost:5671/taiga"}

Alejandro Alonso

Dec 30, 2015, 5:18:32 AM
to Nacho Álvarez, taigaio
Hello Nacho,

Your config.json file is using port 8094; are you proxy_passing to that port in your nginx config file?

Depending on your browser it's possible that you can't use dummy certificates for wss -> http://stackoverflow.com/questions/5312311/secure-websockets-with-self-signed-certificate

Regards!

--
You received this message because you are subscribed to the Google Groups "taigaio" group.
To unsubscribe from this group and stop receiving emails from it, send an email to taigaio+u...@googlegroups.com.
To post to this group, send email to tai...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/taigaio/b8834178-0c53-4fb6-aacf-2ec4e65fb33a%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--
Alejandro Alonso Fernández
CIO & Co-founder
www.kaleidos.net/FC8EAC/

Nacho Álvarez

Dec 30, 2015, 5:33:39 AM
to taigaio, neon...@gmail.com
Yep, I have this in my nginx config file (as https):


I didn't know about the problem with self-signed certificates for wss :| I'm going to take a look at this.

jialvare...@gmail.com

Feb 11, 2016, 5:21:32 PM
to taigaio, neon...@gmail.com
Sorry for reopening this, but I'm still trying to configure Taiga Events with SSL capabilities. I have trusted SSL certificates now (https://letsencrypt.org/).

When I try to access https://mydomain.es:8080/events (to check the /events section of the nginx config), it seems that it's proxypassing to the correct https://127.0.0.1:8094/events.
I have a node process running on port 8094 too, and the only log reporting something (the rest of the logs are quiet) is the nginx.access.log, showing me this 502 Bad Gateway:

185.13.202.189 - - [11/Feb/2016:23:13:51 +0100] "GET /events HTTP/1.1" 502 181 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:43.0) Gecko/20100101 Firefox/43.0"

Any ideas on how to see a more detailed log, or some clues to get this working in a secure environment? Must Rabbit be configured on port 5671, or is port 5672 with the config from the Setup Production doc enough?

Thanks in advance!

Juan Francisco Alcántara

Feb 15, 2016, 3:40:42 AM
to jialvare...@gmail.com, taigaio, Nacho Álvarez
Hi,

How do you access https://mydomain.es:8080/events? To test it you need to access it through WebSocket; this must work in your browser dev tools: "new WebSocket('wss://mydomain.es:8080/events')"

You can put any port in Rabbit, but remember to change it in the config.json in taiga-events.

Regards



--
Please help us keep the Taiga.io Community open and inclusive, follow our Code of Conduct:
https://github.com/taigaio/code-of-conduct/blob/master/CODE_OF_CONDUCT.md

Nacho Álvarez

Feb 15, 2016, 5:56:57 AM
to taigaio, jialvare...@gmail.com, neon...@gmail.com
Yep, the answer to that is:

WebSocket connection to 'wss://mydomain.es:8080/events' failed: Error during WebSocket handshake: Unexpected response code: 502

How can I trace or debug this to get a bit more info?

Regards

Nacho Álvarez

Feb 15, 2016, 9:45:00 AM
to taigaio, jialvare...@gmail.com, neon...@gmail.com
Just resolved this thing too :-)

I'm going to put this here in case other people have the same problem.

I started by checking the connection to RabbitMQ. Mysteriously, I couldn't connect to rabbit@localhost.

root@machineHostName:/home/myusername# rabbitmqctl -n rabbit@localhost list_queues
Listing queues ...
Error: unable to connect to node rabbit@localhost: nodedown

DIAGNOSTICS
===========

nodes in question: [rabbit@localhost]

hosts, their running nodes and ports:
- localhost: [{rabbit,58503},{rabbitmqctl1232,55941}]

current node details:
- node name: rabbitmqctl1232@localhost
- home dir: /var/lib/rabbitmq
- cookie hash: vqORbz/ADoyiVuy41LKbrg==


So, I checked the status of RabbitMQ. Through several lines of "all is OK", I realized the first line said I'm in rabbit@machineHostName and NOT rabbit@localhost.

root@machineHostName:/home/myusername# rabbitmqctl status
Status of node rabbit@machineHostName ... <--- THE FIRST LINE!
[{pid,29511},
 {running_applications,
[...] // several configs
...done.


So I tried to connect to rabbit@machineHostName and it was successful:

root@machineHostName:/home/myusername# rabbitmqctl -n rabbit@machineHostName list_queues
Listing queues ...
...done.


And then I changed the taiga-events config to use machineHostName instead of localhost:

{
    "url": "amqp://taiga:taiga@machineHostName:5671/taiga",
    "secret": "onesecret;)",
    "webSocketServer": {
        "port": 8094
    }
}


And I fixed my mistake in the nginx config: I was calling an internal https, which isn't necessary; you can use proxy_pass to an internal http and the browser won't complain about that:

    location /events {
        proxy_pass http://127.0.0.1:8094/events;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_connect_timeout 7d;
        proxy_send_timeout 7d;
        proxy_read_timeout 7d;
    }

And it's all working with SSL: frontend, backend and wss events ;-)

Thank you for all your help! Now it's time to fully enjoy Taiga.

Nacho Álvarez

Feb 15, 2016, 9:47:25 AM
to taigaio, jialvare...@gmail.com, neon...@gmail.com
Oh, and you have to change the backend config local.py:

EVENTS_PUSH_BACKEND_OPTIONS = {"url": "amqp://taiga:taiga@machineHostName:5672/taiga"}

Regards!
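As an added example (not code from this thread or from the Taiga project): a small Python checker that cross-checks the three files the fix above touches, the taiga-events config.json, the taiga-back local.py and the nginx /events location, and reports the mismatches that produced the 502 (proxy port vs. webSocketServer.port, https instead of http on the loopback upstream, backend and events pointing at different AMQP host:port, and a plaintext amqp:// URL aimed at RabbitMQ's 5671 TLS listener). The sample inputs are constructed from the configs posted in the thread; the regexes assume the double-quoted local.py form shown above.

```python
import json
import re
from urllib.parse import urlparse

# Constructed from the thread's posted configs: nginx "before" combines the doc's
# port 8888 with the internal https upstream; "after" is the fixed location block.
EVENTS_CFG = '{"url": "amqp://taiga:taiga@localhost:5671/taiga", "secret": "x", "webSocketServer": {"port": 8094}}'
LOCAL_PY = 'EVENTS_PUSH_BACKEND_OPTIONS = {"url": "amqp://taiga:taiga@localhost:5672/taiga"}\n'
NGINX_BEFORE = 'location /events {\n    proxy_pass https://127.0.0.1:8888/events;\n    proxy_http_version 1.1;\n}\n'
NGINX_AFTER = 'location /events {\n    proxy_pass http://127.0.0.1:8094/events;\n    proxy_http_version 1.1;\n}\n'


def check_taiga_events(events_cfg_json, local_py, nginx_conf):
    """Return human-readable findings; an empty list means the three files agree."""
    findings = []
    events = json.loads(events_cfg_json)
    ws_port = int(events["webSocketServer"]["port"])
    events_amqp = urlparse(events["url"])

    # taiga-back local.py: the AMQP url inside EVENTS_PUSH_BACKEND_OPTIONS
    m = re.search(r'EVENTS_PUSH_BACKEND_OPTIONS\s*=\s*\{[^}]*"url"\s*:\s*"([^"]+)"', local_py)
    back_amqp = urlparse(m.group(1)) if m else None

    # nginx: the upstream that location /events hands the upgraded connection to
    m = re.search(r'location\s+/events\s*\{[^}]*?proxy_pass\s+(\S+?);', nginx_conf)
    upstream = urlparse(m.group(1)) if m else None

    if upstream is None:
        findings.append("nginx: no proxy_pass in location /events")
    else:
        if upstream.port != ws_port:
            findings.append(f"nginx proxies to port {upstream.port} but taiga-events listens on {ws_port}")
        if upstream.scheme != "http":
            # TLS terminates in nginx; the node process only speaks plain http on loopback
            findings.append(f"nginx proxy_pass uses {upstream.scheme}://, taiga-events expects plain http://")
    if back_amqp is None:
        findings.append("local.py: EVENTS_PUSH_BACKEND_OPTIONS url not found")
    elif (back_amqp.hostname, back_amqp.port) != (events_amqp.hostname, events_amqp.port):
        findings.append(f"AMQP mismatch: taiga-back -> {back_amqp.hostname}:{back_amqp.port}, "
                        f"taiga-events -> {events_amqp.hostname}:{events_amqp.port}")
    for name, u in (("taiga-events", events_amqp), ("taiga-back", back_amqp)):
        # RabbitMQ's TLS listener is 5671; a plaintext amqp:// URL to it will not handshake
        if u is not None and u.scheme == "amqp" and u.port == 5671:
            findings.append(f"{name}: amqp:// to port 5671 (the TLS listener) needs amqps://")
    return findings


if __name__ == "__main__":
    for label, conf in (("before", NGINX_BEFORE), ("after", NGINX_AFTER)):
        print(label, check_taiga_events(EVENTS_CFG, LOCAL_PY, conf) or ["consistent"])
```

Point the three constants at the real files (or read them from disk) and an empty result means nginx, taiga-events and taiga-back agree on ports and schemes before you start reading access logs.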

Juan Francisco Alcántara

Feb 16, 2016, 2:11:33 AM
to Nacho Álvarez, taigaio, jialvare...@gmail.com
Thanks Nacho!

Alejandro Alonso

Feb 16, 2016, 2:11:57 AM
to Nacho Álvarez, taigaio, jialvare...@gmail.com
Thank you very much Nacho! :)
