Can membrane manage mixed content issue? (https ---> http proxy)


fabien.bo...@solypse.com

Oct 5, 2016, 3:47:02 PM
to membrane-monitor
Hello,

I have a web app running on an https server. Unfortunately, I need to call APIs using http and I am now facing the mixed content issue. There used to be an easy way to allow insecure content in Chrome (with the shield icon) but it is not the case anymore.

Thus, I am wondering if I can use membrane to handle the problem, e.g. doing the following:

Browser<-------------https------------------>Membrane<--------------------http----------------->API

It may be obvious but I can't figure it out even after reading SSL client and server cases.

Thank you for your help.

Cheers.

Fabien

Thomas Bayer

Oct 5, 2016, 4:07:25 PM
to membrane...@googlegroups.com

Hi Fabien,

use a proxy like this:

<serviceProxy port="443">
    <ssl>
        <keystore location="../../conf/membrane.jks" password="secret" keyPassword="secret" />
        <truststore location="../../conf/membrane.jks" password="secret" />
    </ssl>
    <target host="thomas-bayer.com" />
</serviceProxy>

see also $MEMBRANE_HOME/examples/ss-server and:

https://membrane-soa.org/service-proxy-doc/4.2/configuration/reference/ssl.htm

Cheers,

Thomas


fabien.bo...@solypse.com

Oct 6, 2016, 2:58:59 AM
to membrane-monitor, ba...@predic8.de
Thank you Thomas for your quick reply.

That was clearly the SSL server case. My thoughts were not clear yesterday. Everything seems to work today.

I have a bonus side question though: when I use self-signed certificates, I run into the following warning:

"Could not retrieve DNS hostname for certificate, using '*': ./proxy.jks". I used my membrane server hostname when I created the certificate with openssl.

What could be the problem?

Cheers,

Fabien

Thomas Bayer

Oct 10, 2016, 6:10:23 AM
to membrane...@googlegroups.com

Hi,

check that your DNS setup is working and that you use the DNS name to establish the connection. Also make sure that the hostname in the certificate matches.

Cheers,

Thomas

fabien.bo...@solypse.com

Oct 11, 2016, 10:47:54 AM
to membrane-monitor, ba...@predic8.de
Thanks again Thomas. I will do as proposed.

Cheers.

Tobias Polley

Oct 11, 2016, 12:02:44 PM
to membrane-monitor, ba...@predic8.de, fabien.bo...@solypse.com
Hi Fabien,

Membrane tries to extract the hostnames a certificate is valid for from the certificate.

Without further checking, I would say this is only used when using the SNI protocol extension of TLS (= when hosting multiple domains on a single TLS port with different certificates). So, most probably, this is not relevant for your use case.

To do this, Membrane only checks the "X509v3 Subject Alternative Name, DNS" field of the certificate. In theory, we should also check the "Common Name (CN)" field, but most official CAs write the domain into both fields.

If you generated the certificate yourself, you probably did not set the "X509v3 Subject Alternative Name, DNS" field. But, as I said, the warning is probably irrelevant in your use case.

Best
Tobias
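Added example, not from the thread or from the Membrane project: a Go program that builds two constructed self-signed certificates for a made-up host (proxy.example.test), one carrying the host only in the CN and one with a SAN DNS entry, and applies the lookup Tobias describes (SAN DNS only, CN ignored, fall back to "*"). The function names and the host are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned builds a throwaway self-signed certificate for host (constructed
// test data, fresh key each run). With sanDNS=false only the CN carries the
// host name, like a hand-made openssl certificate without a SAN extension.
func selfSigned(host string, sanDNS bool) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if sanDNS {
		tmpl.DNSNames = []string{host} // X509v3 Subject Alternative Name, DNS
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// sniHosts mirrors the lookup described above: only SAN DNS entries are
// consulted, the CN is ignored, and an empty SAN list falls back to "*".
func sniHosts(cert *x509.Certificate) []string {
	if len(cert.DNSNames) == 0 {
		return []string{"*"}
	}
	return append([]string(nil), cert.DNSNames...)
}

func main() {
	c, _ := selfSigned("proxy.example.test", false) // CN only, no SAN
	fmt.Println(sniHosts(c))                         // prints [*]
}
```

Setting sanDNS to true in main yields [proxy.example.test] instead, which is the fix on the certificate side when the warning does matter (SNI with several certificates on one port).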

fabien bouquignaud

Oct 13, 2016, 2:54:15 PM
to Tobias Polley, membrane-monitor, ba...@predic8.de
Hello Tobias,

I indeed use a self-signed certificate. I don't remember having such an alternative name to fulfill though. I will check again.

This is just a warning as you mentioned.

Thank you for your help.

Cheers,

Fabien
--
Fabien Bouquignaud, Founder, Solypse
Mobile: +33 (0)7 78 69 16 59
Address: 14 rue Charles V, 75004 Paris
http://www.solypse.com/
Flair & frame your next idea!