HTTP redirect to HTTPS for web UI
James Feist
james.feist at linux.intel.com
Thu Nov 7 04:21:25 AEDT 2019
On 11/5/19 7:23 PM, George Liu wrote:
>
>
> Lei YU <mine260309 at gmail.com <mailto:mine260309 at gmail.com>> 于2019年11月
> 6日周三 上午10:02写道:
>
> On Wed, Nov 6, 2019 at 1:20 AM James Feist
> <james.feist at linux.intel.com <mailto:james.feist at linux.intel.com>>
> wrote:
> >
> > On 11/4/19 4:36 PM, Brad Bishop wrote:
> > >
> > >
> > >> On Oct 31, 2019, at 11:26 PM, Lei YU <mine260309 at gmail.com
> <mailto:mine260309 at gmail.com>> wrote:
> > >>
> > >> On Thu, Oct 31, 2019 at 9:48 PM George Liu
> <liuxiwei1013 at gmail.com <mailto:liuxiwei1013 at gmail.com>> wrote:
> > >>>
> > >>> Hi All:
> > >>> I'm working on http redirect to https
> task(https://github.com/ibm-openbmc/dev/issues/895).
> > >>> I took a cursory look at the
> design(https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/24173)
> and did some testing.
> > >>>
> > >>> In bmcweb, I find it the current communication logic can only
> listen to one communication protocol (http or https). If you listen
> to both protocols at the same time, you need to change a lot of code
> and communication logic.
> > >>> If we are going to implement this feature in bmcweb, it costs
> extra effort and it's likely the implementation is no better than
> Nginx. so I prefer to use Nginx.
> > >>>
> > >>
> > >>> From Ed's [mail in June][1], one approach is to use boost
> asio async_detect_ssl.
> > >>
> > >> But I agree with George here that it costs extra and unnecessary
> > >> effort, because with nginx it is so easy to config the http->https
> > >> redirection, and it is easy to get all the https related configs
> > >> right, including HSTS.
> > >> In other words, we got such features for free (except for a
> few binary
> > >> size), why bother re-write it?
> > >>
> > >> Considering the binary size, maybe it's worth the effort to
> check how
> > >> many bytes are increased compared between:
> > >> 1. Current implement that bmcweb handles https only
> > >> 2. Enable BMCWEB_INSECURE, opt-out all https related code in
> bmcweb,
> > >> adding a basic nginx and a configure file that does the https
> > >> redirect.
> > >>
> > >> We could check the binary size to see if it's acceptable. Be noted
> > >> that implementing this feature in bmcweb increases the binary
> size as
> > >> well.
> > >>
> > >>
> > >> [1]:
> https://lists.ozlabs.org/pipermail/openbmc/2019-June/016557.html
> > >
> > > FWIW I generally support solutions that re-use existing
> software and have large communities behind them already but I do
> remember Ed having some concerns about using bmcweb behind a proxy.
> > >
> > > James any chance you recall what those concerns were? I don’t
> think I was ever able to wrap my head around them. Do you share
> Ed’s concerns?
> >
> > I think these were the main concerns:
> > https://security.stackexchange.com/a/107106
> >
> > Basically that since you're using HTTP, you leave yourself open for a
> > man-in-the-middle attack. bmcweb does do the header trick
> mentioned in
> > this post, so once you navigate to your bmc once, the browser
> remembers
> > to always use https. I think that, along with potential binary size
> > increases, were the biggest concerns. We also try to keep open the
> > minimum number of ports in general as a best practice.
> >
>
> As the answer indicates "A way to mitigate this is to use an HSTS
> HTTP header"
> It's easy to configure nginx to use HSTS header, so it's no big deal.
bmcweb already does this
https://github.com/openbmc/bmcweb/blob/07a602993f1007b0b0b764bdb3f14f302a8d2e26/http/websocket.h#L92
https://github.com/openbmc/bmcweb/blob/07a602993f1007b0b0b764bdb3f14f302a8d2e26/include/security_headers_middleware.hpp#L32
>
> The potential binary size increase is a valid concern, it's worthing
> comparing the binary size with and without nginx.
>
>
> Just now, I did a test.
>
> I completely copied the Nginx configuration of meta-ibm and compared the
> rofs binary size after compilation.
> with Nginx: 18509824
> without Nginx: 18022400
>
> refer to:
> https://github.com/openbmc/openbmc/tree/837851ae37a67b84f0f8c0fd310d33b5a731cc80/meta-ibm/recipes-httpd
>
>
> > >
> > > thx - brad
> > >
>
More information about the openbmc
mailing list