HTTP redirect to HTTPS for web UI

Brad Bishop bradleyb at fuzziesquirrel.com
Tue Nov 5 11:36:18 AEDT 2019



> On Oct 31, 2019, at 11:26 PM, Lei YU <mine260309 at gmail.com> wrote:
> 
> On Thu, Oct 31, 2019 at 9:48 PM George Liu <liuxiwei1013 at gmail.com> wrote:
>> 
>> Hi All:
>> I'm working on the http redirect to https task (https://github.com/ibm-openbmc/dev/issues/895).
>> I took a cursory look at the design (https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/24173) and did some testing.
>> 
>> In bmcweb, I find that the current communication logic can only listen to one communication protocol (http or https). If you listen to both protocols at the same time, you need to change a lot of code and communication logic.
>> If we are going to implement this feature in bmcweb, it costs extra effort and it's likely the implementation is no better than Nginx. So I prefer to use Nginx.
>> 
> 
> From Ed's [mail in June][1], one approach is to use boost asio async_detect_ssl.
> 
> But I agree with George here that it costs extra and unnecessary
> effort, because with nginx it is so easy to configure the http->https
> redirection, and it is easy to get all the https related configs
> right, including HSTS.
> In other words, we got such features for free (except for a little
> binary size), why bother rewriting it?
> 
> Considering the binary size, maybe it's worth the effort to check how
> many bytes it increases between:
> 1. The current implementation, where bmcweb handles https only
> 2. Enabling BMCWEB_INSECURE, opting out all https related code in
> bmcweb, and adding a basic nginx and a config file that does the https
> redirect.
> 
> We could check the binary size to see if it's acceptable. Note
> that implementing this feature in bmcweb increases the binary size as
> well.
> 
> 
> [1]: https://lists.ozlabs.org/pipermail/openbmc/2019-June/016557.html

FWIW I generally support solutions that re-use existing software and have large communities behind them already, but I do remember Ed having some concerns about using bmcweb behind a proxy.

James, any chance you recall what those concerns were?  I don’t think I was ever able to wrap my head around them.  Do you share Ed’s concerns?

thx - brad
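
The nginx setup described as option 2 in the quoted message (bmcweb built with BMCWEB_INSECURE behind an nginx that redirects HTTP to HTTPS and sets HSTS), as an added example that is not part of this thread or of the OpenBMC project. The loopback port 8080 for bmcweb, the certificate paths and the HSTS max-age are assumptions.

```nginx
# Added example, not OpenBMC's own configuration.
# Assumption: bmcweb speaks plain HTTP on 127.0.0.1:8080 only.
events {}

http {
    # Forward WebSocket upgrade requests, close the hop otherwise.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # Port 80 serves no content: every request gets a permanent redirect.
    server {
        listen 80;
        listen [::]:80;
        return 301 https://$host$request_uri;
    }

    # Port 443 terminates TLS and proxies to bmcweb on loopback.
    server {
        listen 443 ssl;
        listen [::]:443 ssl;

        ssl_certificate     /etc/ssl/certs/nginx/server.pem;    # assumed path
        ssl_certificate_key /etc/ssl/private/nginx/server.key;  # assumed path
        ssl_protocols       TLSv1.2 TLSv1.3;

        # HSTS is sent on the TLS listener only; browsers ignore it over
        # plain HTTP. "always" also attaches it to error responses.
        add_header Strict-Transport-Security "max-age=31536000" always;

        location / {
            proxy_pass         http://127.0.0.1:8080;
            proxy_http_version 1.1;
            proxy_set_header   Host       $host;
            proxy_set_header   Upgrade    $http_upgrade;
            proxy_set_header   Connection $connection_upgrade;
        }
    }
}
```

Once a browser has cached the HSTS policy it stops using port 80 for this host, so the redirect only protects the first visit and clients that do not honor HSTS.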

