TW5 on nodejs via https and certificate-based user authentication using nginx as proxy


Pietro Abano

Oct 1, 2019, 11:10:50 AM
to TiddlyWiki
Hello everyone,

I could not find anything related to what I am trying to achieve here so if it's already covered somewhere please let me know.

As much as I love Jed's amazing work on BobWiki, because it changes the ball game for TW5 completely, allowing one to share and work on something with a team over a local network, there is one thing that I'm missing: user authentication.

In my scenario it is not so much about who the actual individual is, only that it should be one of the authorized users.
So I thought client certificate-based authentication would do it. I set up a reverse proxy using nginx to handle SSL/TLS (for the web server and the clients) and talk to a local nodejs application on the client's behalf.

After some reading about nginx and tweaking my nginx configs I am finally able to access the TW5 on nodejs via https and even authenticate to it (actually to nginx) with client X.509 certs, but unfortunately I hit a problem:
  • I can't make any changes to TW5/BobWiki over https.

The setup:
The TW5 runs on nodejs at 127.0.0.1:8080:
Tiddlywiki version 5.1.21 with Bob version 1.2.4
Serving on 127.0.0.1:8080

On the same host, with IP 192.168.112.110, nginx listens on 80 or 443 and forwards all traffic to http://127.0.0.1:8080.

It appears the TW5 is not aware of any requests made from the web client, while a direct connection to nodejs works as usual.

Not being a web developer nor an experienced sysadmin (just a tinkerer) I have no clue as to where to look. Is it something with my nginx configuration, more specifically with websockets? When looking at the data being transferred (Chrome, Inspect, Network), e.g. when adding a new tiddler, I don't see much going on.

I can see some websocket communication initiated by $:/plugins/OokTech/Bob/BrowserWebSocketsSetup.js, which differs from what I see when I go directly to nodejs: there I can see $:/core/module/saver in action, while with the nginx-proxied access I don't see this at all.

Another symptom of the behavior is that when two users connect to the same TW5 on nodejs directly, they both see any changes made by one of them in almost real time without refreshing the page, while with nginx-proxied https access no such on-screen update happens.

Studying the errors in Chrome I've come up with this, which seems relevant:
$:/plugins/OokTech/Bob/BrowserWebSocketsSetup.js:63 WebSocket connection to 'wss://192.168.112.110/' failed: Error during WebSocket handshake: Unexpected response code: 200 (of course without https this looks like 'ws://192.168.112.110/')

Btw, Firefox's error message pinpoints the line in the code (it does not say which source; I assume it's this BrowserWebSocketsSetup.js):
Firefox can't establish a connection to the server at wss://192.168.112.110/. line 11345 > eval:63:48

This all happens regardless of http or https; it's the same error as long as nginx is in the middle.

On various forums I found the solution for that Chrome error, and it looks like a websocket configuration thing in nginx:
"Had the same issue, my app is behind nginx. Making these changes to my Nginx config removed the error.

    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
    }
"

The same changes did not help in my case, so it must be somewhere else, maybe in the BobWiki code.

But that's about all I can do about it so I'd need someone's help.
Is there anyone here who would know where this comes from? 

I can provide him/her with all the configs or even the full VM (Ubuntu 18.04 mini) if needed.
But cert-based authentication seems too attractive for me to let it vanish into oblivion.

All the best to the community!

Pietro

Donald Coates

Oct 1, 2019, 10:56:00 PM
to TiddlyWiki
You'll probably get a better answer here, but in the meantime: is 192.168.112.110 the address that Bob shows in the settings? On my own setup I do not have proxy_set_header Host $host, so I wonder if that is causing the trouble. I believe that is for standard http connections and not web sockets. If you look here you will see that line is not included. I still have trouble understanding the intricacies of nginx and end up throwing shit against the wall until something sticks.

Pietro Abano

Oct 2, 2019, 2:01:34 AM
to TiddlyWiki
Hi Donald,

Thank you for your hint: I did not see the IP address there indeed. Obviously not good.

So I was gonna try your suggestion (removing the Host $host parameter), but then I spotted my own typing error in the /etc/nginx/sites-enabled/default file.
One would think nginx would not start at all, or would at least warn me, because it checks the configs for syntax errors, I guess; that happens all the time, but not for this simple typo ("Ugrade" instead of "Upgrade"!).

Everything works great now: the wiki is accessible only to clients with a proper cert, and its content is saved and updated accordingly.

You simply made my day by making me go through this one more time.
In case you'd want to see how it's done with client certs, I can provide you (or anyone interested) with all the details.

Thanks!

Pietro
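
The resolution above is worth turning into a check, because nginx -t cannot catch it: proxy_set_header accepts any header name, so a misspelled "Ugrade" passes the syntax check and the proxy silently answers the WebSocket handshake with a plain 200 instead of 101. The following is an added example, not code from this thread, from TiddlyWiki, or from the Bob plugin. It writes a hypothetical server block for the setup Pietro describes (TLS on 192.168.112.110:443, client certificates required, everything proxied to 127.0.0.1:8080, Host $host kept since it is harmless for WebSocket traffic; the certificate and CA paths are assumptions) and then lints it with plain grep for the three upgrade directives and for ssl_verify_client being on rather than optional, which would otherwise leave the wiki open to anyone. The lint is a heuristic line match, not an nginx parser.

```shell
#!/bin/sh
# Added example, not code from the thread or from TiddlyWiki/Bob. `nginx -t`
# validates syntax, but `proxy_set_header` accepts any header name, so the
# thread's "Ugrade" typo passes the check and breaks the WebSocket handshake.
# All file paths below are assumptions.

# Write a hypothetical server block to the path given as $1: TLS on
# 192.168.112.110:443, mandatory client certificates, proxy to TiddlyWiki/Bob
# on 127.0.0.1:8080 with the WebSocket upgrade passed through.
write_example_config() {
  cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    server_name 192.168.112.110;

    ssl_certificate     /etc/nginx/tls/server.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/server.key;   # assumed path

    # Client-certificate authentication: only certificates chaining to this
    # CA are accepted. "optional" or a missing line would let anyone in.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;   # assumed path
    ssl_verify_client on;
    ssl_verify_depth 1;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_read_timeout 3600s;   # keep an idle WebSocket open
    }
}
EOF
}

# 0 if the extended regex $2 matches some line of file $1, else 1.
has_directive() {
  grep -Eq "$2" "$1"
}

# 0 when the three directives a WebSocket upgrade needs are present and
# spelled correctly; otherwise print what is wrong and return 1.
check_websocket_proxy() {
  rc=0
  has_directive "$1" '^[[:space:]]*proxy_http_version[[:space:]]+1\.1[[:space:]]*;' \
    || { echo "missing: proxy_http_version 1.1"; rc=1; }
  has_directive "$1" '^[[:space:]]*proxy_set_header[[:space:]]+Upgrade[[:space:]]+\$http_upgrade[[:space:]]*;' \
    || { echo "missing or misspelled: proxy_set_header Upgrade \$http_upgrade"; rc=1; }
  has_directive "$1" '^[[:space:]]*proxy_set_header[[:space:]]+Connection[[:space:]]+"?[Uu]pgrade"?[[:space:]]*;' \
    || { echo "missing or misspelled: proxy_set_header Connection \"upgrade\""; rc=1; }
  return $rc
}

# 0 when client certificates are actually required, i.e. a CA bundle is
# configured and ssl_verify_client is "on" (not optional/off); else 1.
check_client_auth() {
  rc=0
  has_directive "$1" '^[[:space:]]*ssl_client_certificate[[:space:]]+[^;]+;' \
    || { echo "missing: ssl_client_certificate"; rc=1; }
  has_directive "$1" '^[[:space:]]*ssl_verify_client[[:space:]]+on[[:space:]]*;' \
    || { echo "missing or not 'on': ssl_verify_client (optional/off means no auth)"; rc=1; }
  return $rc
}

# Demo: the correct config passes; re-introducing the thread's typo fails.
demo() {
  dir=$(mktemp -d)
  write_example_config "$dir/good.conf"
  sed 's/Upgrade \$http_upgrade/Ugrade $http_upgrade/' "$dir/good.conf" > "$dir/typo.conf"
  for f in good typo; do
    if check_websocket_proxy "$dir/$f.conf" && check_client_auth "$dir/$f.conf"; then
      echo "$f.conf: OK"
    else
      echo "$f.conf: FAIL"
    fi
  done
  rm -rf "$dir"
}

demo
```

After nginx -t and a reload, confirm the upgrade end to end rather than trusting the lint: a request sent with the client certificate and the headers Connection: Upgrade, Upgrade: websocket, Sec-WebSocket-Version: 13 and a Sec-WebSocket-Key (for example with curl -i --cert/--key) must come back as HTTP/1.1 101 Switching Protocols; a 200 is exactly the symptom Pietro saw in Chrome. Also check that a connection without a client certificate is refused at the TLS layer, which is the whole point of ssl_verify_client on.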

Jeremy Ruston

Oct 2, 2019, 3:17:46 AM
to tiddl...@googlegroups.com
Hi Pietro

Glad you've got it sorted out. If you're able to write up the procedure it would be great to include it on tiddlywiki.com.

Best wishes

Jeremy


On 2 Oct 2019, at 07:01, Pietro Abano <pietr...@gmail.com> wrote:


--
You received this message because you are subscribed to the Google Groups "TiddlyWiki" group.
To unsubscribe from this group and stop receiving emails from it, send an email to tiddlywiki+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/tiddlywiki/07723a91-ad33-4449-a556-d411ddf95d75%40googlegroups.com.

Pietro Abano

Oct 2, 2019, 5:01:04 AM
to TiddlyWiki
Hi Jeremy,

It will be my pleasure to give something back to this community.

So I will put together a full procedure with commands, configs and pictures where needed, having everything in one place,
because all of this exists already somewhere; it's just that it's scattered (and sometimes also slightly incorrect).

I should be able to get it done over the coming weekend.

Thank you for your great work.

Kind regards,

Pietro

Donald Coates

Oct 2, 2019, 6:00:00 AM
to tiddl...@googlegroups.com
Yes, that is very odd! Maybe it has something to do with it being a string in quotes? Regardless, congrats, and I will most certainly file that away in the old brain, because I have no doubt I will do that very same thing in the future!



Pietro Abano

Oct 7, 2019, 1:05:04 PM
to tiddl...@googlegroups.com
Hello everyone,

I have posted a detailed procedure on this here (http://di-sec.net/tw5ssl/tw5ssl.html). If Jeremy wants to include it on tiddlywiki.com, please feel free to do so, but I may have to add some more variants of this cert-based authentication later on. The topic is broader than I had originally thought.

Best regards to all,

Pietro


Daniel

Oct 11, 2019, 3:14:44 PM
to TiddlyWiki
Hi Pietro,
I myself have wanted to have HTTPS for my wiki for some years, and just to add a note on this subject (and perhaps some inspiration): I solved this myself by running a proxy with Let's Encrypt on an OPNsense firewall, and it is glorious, without any certificate warnings.
This requires you to install the OPNsense firewall, but if you are into that sort of thing it might be fun.

I followed this guide in general for another site I have, but it works just fine for TiddlyWiki as well, or for anything else you would like to have behind HTTPS.
https://blog.bagro.se/lets-encrypt-with-haproxy-on-opnsense/

Just wanted to share.

Kind regards

Pietro Abano

Nov 25, 2019, 3:19:48 PM
to TiddlyWiki
Hi Daniel,

Thank you, interesting in any case.
I might try it.

Kind regards,

Pietro