Bug 344986 - Use HTTPS for orionhub.org and orion.eclipse.org
Status: RESOLVED FIXED
Alias: None
Product: Community
Classification: Eclipse Foundation
Component: Servers
Version: unspecified
Hardware: PC Windows 7
Importance: P1 critical
Target Milestone: ---
Assignee: Eclipse Webmaster CLA
Reported: 2011-05-06 11:14 EDT by John Arthorne CLA
Modified: 2012-11-30 15:40 EST (History)
CC List: 8 users

Description John Arthorne CLA 2011-05-06 11:14:11 EDT
orionhub.org should really be using HTTPS, since we need to pass information such as Git credentials over the wire.
Comment 1 John Arthorne CLA 2011-05-06 11:15:20 EDT
Denis, is this something that can be done on your end? I assume you already have a certificate since you use HTTPS for bugzilla.
Comment 2 Denis Roy CLA 2011-05-06 11:44:41 EDT
The Bugzilla cert is a wildcard cert for the eclipse.org domain.  eclipsehub.org is a different domain, so we'd need to purchase a new cert.  And since we do hosting, the cert would need to be a wildcard cert.

3 Year   $475 / year   1425 USD
2 Year   $535 / year   1070 USD
1 Year   $595 / year 

I'll look into getting approval for the expense.
Comment 3 Denis Roy CLA 2012-07-27 16:33:27 EDT
From bug 386166 comment 3 ... It appears Eclipse committers are sending their Eclipse.org SSH credentials in plaintext to orion*.  Let's get both of those on https.
Comment 4 Denis Roy CLA 2012-08-02 10:00:05 EDT
I've enabled https (only) on orion.eclipse.org.  Can we confirm that it all works?  I also have authorization to get a wildcard cert for orionhub.
Comment 5 John Arthorne CLA 2012-08-02 10:08:49 EDT
It looks like we need to tell jetty about the keystore location and password:

jetty.https.enabled = true
jetty.https.port = 8443
jetty.ssl.keystore = [the keystore location]
jetty.ssl.password =  [password]
jetty.ssl.keypassword = [password]
jetty.ssl.protocol = SSLv3

Denis can you provide this information? Maybe write it in a file on orionhub.org in the admin home directory.
Comment 6 Denis Roy CLA 2012-08-02 10:12:38 EDT
Jetty shouldn't need to know that the site is https enabled.  I enabled it on Apache, which proxypasses everything to the jetty backend on port 8080.

https://orion.eclipse.org/
Comment 7 John Arthorne CLA 2012-08-02 10:36:53 EDT
Ok orion.eclipse.org seems to be working fine. I misread your message and I was testing orionhub.org.
Comment 8 Malgorzata Janczarska CLA 2012-08-02 11:38:20 EDT
Does anyone have problems in authentication with openid? I get "Authentication response is not sufficient" error.
Comment 9 John Arthorne CLA 2012-08-02 13:10:34 EDT
(In reply to comment #8)
> Does anyone have problems in authentication with openid? I get
> "Authentication response is not sufficient" error.

Yes I am seeing that too. The login actually works but we are showing an error handling the response. I have entered bug 38651 for this.
Comment 10 Denis Roy CLA 2012-08-02 14:26:54 EDT
Fixed:  I have entered bug 386510 for this.
Comment 11 John Arthorne CLA 2012-08-03 14:51:05 EDT
It looks like this change is severely breaking Orion. We have had several errors in Orion since this was set up. It looks like your Apache proxy is not fully transparent. See bug 386585 for all the details. Can you disable this on your Apache front end and we can configure Orion's Jetty server for https instead?
Comment 12 Denis Roy CLA 2012-08-03 15:07:45 EDT
At this time the only URIs that we need https for are the transmission of login credentials.  If you can help me isolate those, we can switch to https for the login, then switch back to http after auth.
Comment 13 John Arthorne CLA 2012-08-03 15:51:02 EDT
Well login is only part of it. We also transmit git credentials, which in the case of git.eclipse.org is committer credentials.

I am wondering if the Apache proxy server should or could be rewriting response headers coming back from Orion from http to https. We are just using the very common HTTP Location response header, so I would think for a proxy server to be truly transparent to the proxied server (orion) that it would rewrite those headers coming back from Orion so everything is consistent on the client side.

What seems to happen now:

1) Client sends HTTPS POST request
2) Proxy server redirects as an HTTP POST to Orion
3) Orion sends a response including a header with an HTTP URL
4) Client receives HTTP response in JavaScript code and attempts to perform GET on it.
5) Proxy server sends 302 Found back to the client to tell it to use HTTPS
6) Client cannot follow redirect because the changed protocol violates browser same origin policy

If the proxy server rewrites the response header from 3) to be HTTPS it should all work.
Comment 14 Eclipse Webmaster CLA 2012-08-08 14:53:45 EDT
I've tweaked the proxy setup and things look ok, but I'm not actually able to test anything as I don't have an account.  Could I get one created for webmaster, or have someone tell me if things are better or worse? Or what I should be doing to repeat this?

-M.
Comment 15 Ken Walker CLA 2012-08-08 15:32:17 EDT
I've sent an email with login credentials and how to repeat.  Essentially, the login provided has a single repository.  Try to get the log for that repository from the Orion UI and you will get errors in your browser console referring to http connections.
Comment 16 Eclipse Webmaster CLA 2012-08-08 15:46:29 EDT
Ok, I've updated the config to re-write the Location part of the response headers to correct the URL.  With that change it seems to be happier (the log URL now displays and the JavaScript console isn't filled with errors).

Can you tell me if Orion is generating any part of the headers returned after the post?  I'm just wondering if this is 'hardcoded' somehow.

-M.
Comment 17 Ken Walker CLA 2012-08-08 15:56:45 EDT
Mark, do you have any answer for Matt's question?

Also, yes, it appears to be working better now.
Comment 18 Mark Macdonald CLA 2012-08-08 17:05:03 EDT
(In reply to comment #16)
> Can you tell me if Orion is generating any part of the headers returned after
> the post?  I'm just wondering if this is 'hardcoded' somehow.
> 

Yes. Orion generates URLs by taking the protocol, hostname, etc. of the incoming request and appending some stuff. This is usually only done in the 'Location' header, although I can think of a second header where we do something similar: 'X-Edit-Server'. It's used when dealing with virtual hosts for site hosting. It should probably be rewritten by the proxy as well (though it isn't as critical as Location).
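The six-step flow in comment 13 and the two headers named in comment 18 are easy to misread without seeing the origin comparison the browser performs. The following is an added example, not Orion or Eclipse Foundation code: it models a TLS-terminating reverse proxy in front of a backend that builds absolute URLs from the plain-http request it sees, and shows that a proxy which passes those headers through untouched hands the client a cross-origin redirect, while one that rewrites the scheme in Location and X-Edit-Server does not. The hostname is the thread's orion.eclipse.org; the paths, header values and page URL are constructed samples, and `client_can_fetch` is a deliberately simplified stand-in for the browser's same-origin check.

```python
"""Added example, not Orion or Eclipse Foundation code: why a TLS-terminating
reverse proxy has to rewrite the scheme-bearing response headers it passes
back, and a rewrite helper that does it. The hostname is the thread's
orion.eclipse.org; the paths and header values are constructed samples."""
from urllib.parse import urlsplit, urlunsplit

# Headers the thread names as built by Orion from the incoming request:
# Location (comment 13) and X-Edit-Server (comment 18).
REWRITTEN_HEADERS = ("Location", "X-Edit-Server")

PUBLIC_SCHEME = "https"
PUBLIC_HOST = "orion.eclipse.org"


def origin(url):
    """The browser's notion of origin: (scheme, host, port), default ports applied."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    return (u.scheme, u.hostname, port)


def same_origin(url_a, url_b):
    return origin(url_a) == origin(url_b)


def rewrite_headers(headers, public_scheme=PUBLIC_SCHEME, public_host=PUBLIC_HOST):
    """Return a copy of the backend's headers in which absolute http:// URLs for
    the public host, in the headers listed above, carry the public scheme
    instead. Everything else passes through unchanged."""
    out = {}
    for name, value in headers.items():
        if name in REWRITTEN_HEADERS:
            u = urlsplit(value)
            if u.scheme == "http" and u.hostname == public_host:
                value = urlunsplit((public_scheme, public_host, u.path, u.query, u.fragment))
        out[name] = value
    return out


# Constructed backend response: on the proxied hop Orion saw a plain-http
# request, so it answers with http:// URLs (step 3 of comment 13).
BACKEND_RESPONSE = {
    "Status": "201 Created",
    "Location": "http://orion.eclipse.org/gitapi/clone/file/sample-project/",
    "X-Edit-Server": "http://orion.eclipse.org/",
    "Content-Type": "application/json",
}

# Constructed URL of the page whose JavaScript sent the HTTPS POST (step 1).
PAGE_URL = "https://orion.eclipse.org/git/git-repository.html"


def naive_proxy(response):
    """Proxy that terminates TLS but passes headers through untouched."""
    return dict(response)


def fixed_proxy(response):
    """Proxy that also rewrites the scheme in Location and X-Edit-Server."""
    return rewrite_headers(response)


def client_can_fetch(page_url, target_url):
    """Simplified model of steps 4-6: the page's script may GET target_url
    only when it is same-origin with the page; a changed scheme is a
    different origin, so the request is refused."""
    return same_origin(page_url, target_url)


def run_flow(proxy):
    """Drive the thread's flow through a proxy and report the Location the
    client received and whether it could follow it."""
    headers = proxy(BACKEND_RESPONSE)
    return headers["Location"], client_can_fetch(PAGE_URL, headers["Location"])


if __name__ == "__main__":
    for proxy in (naive_proxy, fixed_proxy):
        location, ok = run_flow(proxy)
        print(f"{proxy.__name__:12s} Location={location}  client can follow: {ok}")
```

In Apache httpd the Location rewrite is what `ProxyPassReverse` does for a matching URL prefix, and a header the module does not cover, such as X-Edit-Server, can be handled with mod_headers' `Header edit`; the helper above does the same job in one place so the effect on the client is visible.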
Comment 19 Eclipse Webmaster CLA 2012-08-10 14:27:01 EDT
Cool.

Since the 'initial' request to Orion redirects to HTTPS (over which all subsequent communication should happen), is it possible that the protocol 'switch' isn't being properly detected? Or is the forms post address not being updated to reflect the protocol?

-M.
Comment 20 Denis Roy CLA 2012-11-26 11:12:50 EST
As we blog about how easy it is to edit www.eclipse.org with Orion (and Orionhub) it is imperative that we get both sites working with https.

From what I can tell, orion.eclipse.org is now using https for authentication.  Can I assume we can replicate that setup on orionhub.org?
Comment 21 John Arthorne CLA 2012-11-26 11:45:05 EST
Yes the proxy setup we use for orion.eclipse.org should be easy to replicate on orionhub. The only barrier I believe is purchasing the cert (comment #2).
Comment 22 Denis Roy CLA 2012-11-26 13:54:10 EST
I know we have wildcard DNS set up for OrionHub.. as far as SSL certs go, do we need a wildcard cert?  Are credentials transferred over any domain, or only http://orionhub.org ?
Comment 23 John Arthorne CLA 2012-11-28 15:36:42 EST
(In reply to comment #22)
> I know we have wildcard DNS set up for OrionHub.. as far as SSL certs go, do
> we need a wildcard cert?  Are credentials transferred over any domain, or
> only http://orionhub.org ?

There is one possible case. Sub-domains are only used to host user-generated content that is launched from within Orion. Generally this is entirely static HTML+CSS+JS with no interaction with any server beyond static resource retrieval. I.e., no credentials involved. 

However there is a special self-hosting mode that can be enabled when you are developing the Orion client itself. In this mode you can use the Orion client git pages and credentials are transferred. This is only useful for people developing Orion itself, but Orion team never does this because the build on orionhub is generally too old (we use orion.eclipse.org for that). So, short answer is that it is theoretically possible, but unlikely.

Having said that, if we didn't have a wildcard cert, what would be the exact behaviour? If someone went to orionhub.org they would be redirected to HTTPS, but if they went to mycoolsite.orionhub.org it would remain raw HTTP? It's possible this protocol flipping might reveal some bad assumptions in our code but we can likely address them to support this.
Comment 24 Denis Roy CLA 2012-11-28 16:07:06 EST
(In reply to comment #23)
> Having said that, if we didn't have a wildcard cert, what would be the exact
> behaviour? If someone went to orionhub.org they would be redirected to
> HTTPS, but if they went to mycoolsite.orionhub.org it would remain raw HTTP?
> It's possible this protocol flipping might reveal some bad assumptions in
> our code but we can likely address them to support this.

That would be the exact behaviour.  Wildcard certs are more expensive, but in this case they make sense.  We'll go with the wildcard cert for 2 years and when I'm told to cut my budget we'll revisit in 2014  :-)
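Comments 22 to 24 weigh a single-name certificate against a wildcard one for orionhub.org and its hosted sub-domains such as mycoolsite.orionhub.org. The following is an added example, not Eclipse Foundation code, showing which hostnames each kind of certificate covers under the matching rules browsers apply (RFC 6125 section 6.4.3 as commonly implemented): a wildcard is the whole left-most label, matches exactly one label, and does not match the bare parent name. The certificate name lists and the hostnames are constructed samples; the point a practitioner wants from it is that a certificate listing only `*.orionhub.org` would not cover `orionhub.org` itself.

```python
"""Added example, not Eclipse Foundation code: which hostnames a certificate
for orionhub.org covers, with and without a wildcard name. Matching follows
the common browser implementation of RFC 6125 section 6.4.3: a wildcard is
the whole left-most label, matches exactly one label, and never matches the
parent name itself. The certificate name lists are constructed samples."""


def name_matches(pattern, hostname):
    """Case-insensitive match of one certificate DNS name against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        # Plain name, or a partial-label wildcard such as f*.orionhub.org,
        # which this matcher deliberately refuses: exact match only.
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # '*' stands in for exactly one label: same label count, and every label
    # after the first must agree.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_covers(san_names, hostname):
    """True if any name in the certificate's subjectAltName list matches."""
    return any(name_matches(name, hostname) for name in san_names)


def coverage_report(san_names, hostnames):
    """Map each hostname to whether the certificate covers it."""
    return {h: cert_covers(san_names, h) for h in hostnames}


# Constructed certificates: a single-name cert, a wildcard-only cert, and the
# usual commercial wildcard cert that also lists the bare domain.
SINGLE_NAME_CERT = ["orionhub.org"]
WILDCARD_ONLY_CERT = ["*.orionhub.org"]
WILDCARD_CERT = ["orionhub.org", "*.orionhub.org"]

# Constructed hostnames: the bare site, a hosted user site (comment 23),
# a deeper name, and a lookalike that a sloppy suffix check would accept.
HOSTS = ["orionhub.org", "mycoolsite.orionhub.org",
         "deep.mycoolsite.orionhub.org", "orionhub.org.example"]


if __name__ == "__main__":
    for label, cert in (("single-name", SINGLE_NAME_CERT),
                        ("wildcard-only", WILDCARD_ONLY_CERT),
                        ("wildcard + bare", WILDCARD_CERT)):
        print(f"{label:16s} {coverage_report(cert, HOSTS)}")
```

Run as a script it prints one coverage line per certificate; the single-name cert leaves every hosted sub-domain uncovered (the "protocol flipping" comment 23 describes), and a wildcard cert needs the bare `orionhub.org` listed as well to cover the site itself.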
Comment 25 Denis Roy CLA 2012-11-30 15:16:01 EST
I've just switched orionhub.org to https ... can anyone else test it out?
Comment 26 Ken Walker CLA 2012-11-30 15:21:05 EST
4 of us are going to poke around and see if it's normal...
Comment 27 Ken Walker CLA 2012-11-30 15:25:25 EST
We need to make the following orion.conf change:

orion.auth.host=http://orionhub.org
to
orion.auth.host=https://orionhub.org

so that OpenID and Persona logins work.  I've made the change and am going to restart the server in a minute.
Comment 28 Denis Roy CLA 2012-11-30 15:30:51 EST
Thanks, Ken.  I fired up Wireshark on my home computer, logged into orionhub.org, cloned a git repo from git.eclipse.org, did a few things, and confirmed that all network traffic was on the encrypted channel.

Yesterday I also brought the server up to the current SLES patchlevel, which required a reboot.

I think we're in good shape now.
Comment 29 Ken Walker CLA 2012-11-30 15:36:26 EST
Yup, after my change we can now login using Persona and OpenID again!

Very cool! Thanks
Comment 30 Denis Roy CLA 2012-11-30 15:40:00 EST
Awesome, thanks.  Let's consider this done.