Re: [Pharo-users] Teapot and SSL

2018-12-22 Thread Pierce Ng
On Sat, Dec 22, 2018 at 02:07:06PM -0500, Offray Vladimir Luna Cárdenas wrote:
> In your setup, you talk about SmallCMS1 as a blog engine that runs on
> Pharo 6 and seems kind of integrated with Fossil. Brea [1] (in early
> stages now), pursues similar goals. Do you have any link to SmallCMS1?

Hi Offray,

I wrote SmallCMS1 as a programming exercise. Its code is like a ball of
wax and I have no plan to release it. 

It's not particularly integrated to Fossil per se. SmallCMS1 serves
content from an open Fossil repo. The repo has a push-hook defined and
there is a Fossil server running for that repo.  When I 'fossil push'
from my laptop to the server, the push-hook is triggered to update the
repo, and the new content is transparently served by SmallCMS1. The
mechanism is conceptually similar to Git push hooks on which much has
been written.

I blogged about the pre-Docker setup.

  https://www.samadhiweb.com/blog/2016.08.12.fossil.html

I'm not satisfied with the way the Fossil thing is done for several
reasons, but hey it works for me on my computers. :-)

> [1] https://mutabit.com/repos.fossil/brea/

Good stuff!

Pierce



Re: [Pharo-users] Teapot and SSL

2018-12-22 Thread Offray Vladimir Luna Cárdenas
Hi,

On 21/12/18 21:59, Pierce Ng wrote:
> See my recent blog post:
>
>   https://www.samadhiweb.com/blog/2018.12.09.https.html


In your setup, you talk about SmallCMS1 as a blog engine that runs on
Pharo 6 and seems kind of integrated with Fossil. Brea [1] (in early
stages now), pursues similar goals. Do you have any link to SmallCMS1?

[1] https://mutabit.com/repos.fossil/brea/

Thanks,

Offray




Re: [Pharo-users] Teapot and SSL

2018-12-22 Thread horrido
Ignore this message. I got confused by my web browser. Everything is A-okay.



horrido wrote
> So you're saying that when users sign in with their passwords or otherwise
> enter sensitive data, they're protected by SSL, even though the web
> application is still operating through HTTP?
> 
> 
> 
> Sven Van Caekenberghe-2 wrote
>>> On 22 Dec 2018, at 16:52, horrido wrote:
>>> 
>>> I need help with one issue, though. Do I need to enable SSL in Pharo?
>> 
>> No
>> 
>>> After proxy pass, I only get HTTP.
>> 
>> That is the idea: the browser talks HTTPS to nginx which proxies to pharo
>> in HTTP.
> 
> 
> 
> 
> 
> --
> Sent from: http://forum.world.st/Pharo-Smalltalk-Users-f1310670.html








Re: [Pharo-users] Teapot and SSL

2018-12-22 Thread horrido
I noticed this in my post...

*server { 
listen 80; 
location / { 
proxy_pass  http://192.99.58.29:1701;
} 
} 

server { 
listen 443; 

ssl_certificate /etc/nginx/cert_chain.crt; 
ssl_certificate_key /etc/nginx/cert.key; 
ssl on; 

location / { 
proxy_pass   http://192.99.58.29:1701;
} 
}*

Ben Coman wrote
> On Sat, 22 Dec 2018 at 23:57, horrido wrote:
>>
>> Why does the forum editor add those stupid anchor tags without
>> permission???
> 
> I'm not clear what you are referring to. Which anchor tags?
> 
> cheers -ben








Re: [Pharo-users] Teapot and SSL

2018-12-22 Thread horrido
So you're saying that when users sign in with their passwords or otherwise
enter sensitive data, they're protected by SSL, even though the web
application is still operating through HTTP?



Sven Van Caekenberghe-2 wrote
>> On 22 Dec 2018, at 16:52, horrido wrote:
>> 
>> I need help with one issue, though. Do I need to enable SSL in Pharo?
> 
> No
> 
>> After proxy pass, I only get HTTP.
> 
> That is the idea: the browser talks HTTPS to nginx which proxies to pharo
> in HTTP.








Re: [Pharo-users] Teapot and SSL

2018-12-22 Thread Ben Coman
On Sat, 22 Dec 2018 at 23:57, horrido wrote:
>
> Why does the forum editor add those stupid anchor tags without permission???

I'm not clear what you are referring to. Which anchor tags?

cheers -ben



Re: [Pharo-users] Teapot and SSL

2018-12-22 Thread Sven Van Caekenberghe



> On 22 Dec 2018, at 16:52, horrido wrote:
> 
> I need help with one issue, though. Do I need to enable SSL in Pharo?

No

> After proxy pass, I only get HTTP.

That is the idea: the browser talks HTTPS to nginx which proxies to pharo in 
HTTP.
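
[Added example, not part of the original thread] The arrangement described above, with the poster's two listeners tightened so that port 80 only redirects and TLS terminates at nginx. It assumes nginx and the Pharo image run on the same host with Teapot listening on 127.0.0.1:1701; the loopback address, protocol list, forwarded headers and HSTS value are this example's choices, not the poster's.

```nginx
# --- As posted in the thread (abridged): both listeners proxy to Pharo ---
# server { listen 80;  location / { proxy_pass http://192.99.58.29:1701; } }
#   -> a visitor arriving over http:// gets the app, login form included,
#      in cleartext; TLS only protects visitors who used https://.

# --- Tightened form (added example) ---

# Port 80 never serves the application; it only sends browsers to HTTPS.
server {
    listen 80;
    server_name teams.jrmpc.ca;          # site name given in the thread
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;                      # replaces "listen 443;" + "ssl on;"
    server_name teams.jrmpc.ca;

    ssl_certificate     /etc/nginx/cert_chain.crt;   # paths from the thread
    ssl_certificate_key /etc/nginx/cert.key;
    ssl_protocols       TLSv1.2 TLSv1.3; # assumption: nginx/OpenSSL new enough

    # Tell browsers to stay on HTTPS for this host (one year).
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        # TLS ends here; the hop to Pharo is plain HTTP, so keep it on
        # loopback. Assumption: Teapot listens on 127.0.0.1:1701 only.
        proxy_pass http://127.0.0.1:1701;

        # Let the app see the original host, client and scheme.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Running nginx -t checks the syntax before a reload.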




Re: [Pharo-users] Teapot and SSL

2018-12-22 Thread horrido
Why does the forum editor add those stupid anchor tags without permission???



horrido wrote
> I've had tons of trouble trying to get Letsencrypt working. It was so
> frustrating that I decided to go with PositiveSSL from Comodo. It only cost
> me US$15.76 for two years, so I don't care about price.
> 
> Letsencrypt's setup procedure is extremely arcane. For a noob like myself,
> this is not good.
> 
> Moreover, it's a PITA to have to manually renew every three months.
> PositiveSSL removes all obstacles in one fell swoop.
> 
> I'm using nginx as a reverse proxy. Again, as a total noob, I used the
> minimum, simplest configuration.
> 
> I need help with one issue, though. Do I need to enable SSL in Pharo? After
> proxy pass, I only get HTTP.
> 
> Here's my reverse-proxy.conf:
> 
> server {
>     listen 80;
>     location / {
>         proxy_pass http://192.99.58.29:1701;
>     }
> }
> 
> server {
>     listen 443;
> 
>     ssl_certificate /etc/nginx/cert_chain.crt;
>     ssl_certificate_key /etc/nginx/cert.key;
>     ssl on;
> 
>     location / {
>         proxy_pass http://192.99.58.29:1701;
>     }
> }
> 
> BTW, if you're curious about how my website looks, visit
> https://teams.jrmpc.ca
> 
> It's still a work in progress. Things will undoubtedly change.
> 
> 
> 
> Ben Coman wrote
>> On Sat, 22 Dec 2018 at 04:42, horrido wrote:
>>>
>>> Okay, I will dispense with the self-signed certificate and purchase a
>>> commercial one, say, from Comodo (PositiveSSL).
>> 
>> My web host uses "Lets Encrypt"
>> https://www.dreamhost.com/hosting/ssl-tls-certificates/
>> 
>> I haven't looked into it deeply, but I've had no trouble with it.
>> 
>> cheers -ben
> 
> 
> 
> 
> 








Re: [Pharo-users] Teapot and SSL

2018-12-22 Thread horrido
I've had tons of trouble trying to get Letsencrypt working. It was so
frustrating that I decided to go with PositiveSSL from Comodo. It only cost
me US$15.76 for two years, so I don't care about price.

Letsencrypt's setup procedure is extremely arcane. For a noob like myself,
this is not good.

Moreover, it's a PITA to have to manually renew every three months.
PositiveSSL removes all obstacles in one fell swoop.

I'm using nginx as a reverse proxy. Again, as a total noob, I used the
minimum, simplest configuration.

I need help with one issue, though. Do I need to enable SSL in Pharo? After
proxy pass, I only get HTTP.

Here's my reverse-proxy.conf:

server {
    listen 80;
    location / {
        proxy_pass http://192.99.58.29:1701;
    }
}

server {
    listen 443;

    ssl_certificate /etc/nginx/cert_chain.crt;
    ssl_certificate_key /etc/nginx/cert.key;
    ssl on;

    location / {
        proxy_pass http://192.99.58.29:1701;
    }
}

BTW, if you're curious about how my website looks, visit
https://teams.jrmpc.ca

It's still a work in progress. Things will undoubtedly change.



Ben Coman wrote
> On Sat, 22 Dec 2018 at 04:42, horrido wrote:
>>
>> Okay, I will dispense with the self-signed certificate and purchase a
>> commercial one, say, from Comodo (PositiveSSL).
> 
> My web host uses "Lets Encrypt"
> https://www.dreamhost.com/hosting/ssl-tls-certificates/
> 
> I haven't looked into it deeply, but I've had no trouble with it.
> 
> cheers -ben








Re: [Pharo-users] Teapot and SSL

2018-12-22 Thread Sven Van Caekenberghe



> On 22 Dec 2018, at 03:59, Pierce Ng wrote:
> 
> See my recent blog post:
> 
>  https://www.samadhiweb.com/blog/2018.12.09.https.html

Wow, very well done, very well written, thank you.



Re: [Pharo-users] Teapot and SSL

2018-12-21 Thread Pierce Ng
On Fri, Dec 21, 2018 at 02:42:04PM -0600, horrido wrote:
> Okay, I will dispense with the self-signed certificate and purchase a
> commercial one, say, from Comodo (PositiveSSL).

Use Let's Encrypt-issued certificates, available without charge. Let's
Encrypt's CA certificate is built-in trusted by all the major web
browsers, meaning no action is required on the part of the web browser
user when visiting a site over HTTPS with certificate issued by Let's
Encrypt.

Use Caddy as reverse proxy for your webapp. Caddy has transparent
integration with Let's Encrypt: it generates/saves crypto keys, performs
the Let's Encrypt protocol dances to request for and renew Let's Encrypt
certificates, meaning no action is required on the part of the web
site/app administrator after setting it up.

Use Docker, which makes it easy to set up Caddy and your Pharo webapp. 

See my recent blog post:

  https://www.samadhiweb.com/blog/2018.12.09.https.html

Pierce



Re: [Pharo-users] Teapot and SSL

2018-12-21 Thread Ben Coman
On Sat, 22 Dec 2018 at 04:42, horrido wrote:
>
> Okay, I will dispense with the self-signed certificate and purchase a
> commercial one, say, from Comodo (PositiveSSL).

My web host uses "Lets Encrypt"
https://www.dreamhost.com/hosting/ssl-tls-certificates/

I haven't looked into it deeply, but I've had no trouble with it.

cheers -ben



Re: [Pharo-users] Teapot and SSL

2018-12-21 Thread Sven Van Caekenberghe



> On 21 Dec 2018, at 21:42, horrido wrote:
> 
> Okay, I will dispense with the self-signed certificate and purchase a
> commercial one, say, from Comodo (PositiveSSL).

But you cannot buy a certificate for localhost, only for a real domain name 
(that you host for real).

> I presume once I get it, the code below will work correctly (?). If not,
> I'll be back.

Linux only, I would say.

If you want to deploy for real, in some form of production, put nginx in front 
of pharo (as a proxy). That will work infinitely better and easier.

> Sven Van Caekenberghe-2 wrote
>>> On 20 Dec 2018, at 22:09, horrido wrote:
>>> 
>>> I had this working some many months ago, but now I can't get it to work.
>>> Really annoying. The entire process is so arcane...
>>> 
>>> My HTTP server starts like this:
>>> 
>>> Teapot stopAll.
>>> Teapot on
>>>  Get: blah blah blah
>>> 
>>> Then I visit http://localhost:1701/.
>>> 
>>> I created a self-signed cert called newcert.pem. My HTTPS server starts
>>> like this:
>>> 
>>> Teapot stopAll.
>>> secureServer := (ZnSecureServer on: 1443)
>>>  certificate: '/home/richard/newcert.pem';
>>>  logToTranscript;
>>>  start;
>>>  yourself.
>>> teapot := Teapot configure: { #znServer -> secureServer }.
>>> teapot
>>>  Get: blah blah blah
>>> 
>>> When I visit https://localhost/, I get "Unable to connect". I tried
>>> localhost:1701, localhost:1443, just about every damn port number I can
>>> think of. No joy.
>>> 
>>> So what the devil am I doing wrong???
>> 
>> First, this only works for Linux (as far as I know, have experienced,
>> others have reported differently).
>> 
>> Second, a self-signed certificate is considered insecure (more so
>> nowadays), so you will have to force your browser to continue through lots
>> of scary warnings.
>> 
>> I just tried in Ubuntu 18.04.O1 LTS 64-bit, using Pharo 7 and FireFox, and
>> it worked.
>> 
>> As an aside, I would not do stuff like this, SSL is no joke, it is serious
>> business: a certificate means something for real. This is not something
>> you slam on for fun in a demo. In production systems, it is much better to
>> put nginx or something like that in front of your app to add high quality
>> ssl (with infinitely more documentation, options, users, experience, etc
>> ...), but even there a quick and dirty self signed certificate won't get
>> you very far.
>> 
>> Sven
> 
> 
> 
> 
> 
> 




Re: [Pharo-users] Teapot and SSL

2018-12-21 Thread horrido
Okay, I will dispense with the self-signed certificate and purchase a
commercial one, say, from Comodo (PositiveSSL).

I presume once I get it, the code below will work correctly (?). If not,
I'll be back. 


Sven Van Caekenberghe-2 wrote
>> On 20 Dec 2018, at 22:09, horrido wrote:
>> 
>> I had this working some many months ago, but now I can't get it to work.
>> Really annoying. The entire process is so arcane...
>> 
>> My HTTP server starts like this:
>> 
>> Teapot stopAll.
>> Teapot on
>>   Get: blah blah blah
>> 
>> Then I visit http://localhost:1701/.
>> 
>> I created a self-signed cert called newcert.pem. My HTTPS server starts
>> like this:
>> 
>> Teapot stopAll.
>> secureServer := (ZnSecureServer on: 1443)
>>   certificate: '/home/richard/newcert.pem';
>>   logToTranscript;
>>   start;
>>   yourself.
>> teapot := Teapot configure: { #znServer -> secureServer }.
>> teapot
>>   Get: blah blah blah
>> 
>> When I visit https://localhost/, I get "Unable to connect". I tried
>> localhost:1701, localhost:1443, just about every damn port number I can
>> think of. No joy.
>> 
>> So what the devil am I doing wrong???
> 
> First, this only works for Linux (as far as I know, have experienced,
> others have reported differently).
> 
> Second, a self-signed certificate is considered insecure (more so
> nowadays), so you will have to force your browser to continue through lots
> of scary warnings.
> 
> I just tried in Ubuntu 18.04.O1 LTS 64-bit, using Pharo 7 and FireFox, and
> it worked.
> 
> As an aside, I would not do stuff like this, SSL is no joke, it is serious
> business: a certificate means something for real. This is not something
> you slam on for fun in a demo. In production systems, it is much better to
> put nginx or something like that in front of your app to add high quality
> ssl (with infinitely more documentation, options, users, experience, etc
> ...), but even there a quick and dirty self signed certificate won't get
> you very far.
> 
> Sven








Re: [Pharo-users] Teapot and SSL

2018-12-21 Thread Sven Van Caekenberghe



> On 21 Dec 2018, at 12:00, Sven Van Caekenberghe wrote:
> 
> I just tried in Ubuntu 18.04.O1 LTS 64-bit, using Pharo 7 and FireFox, and it 
> worked.

BTW, I made my certificate like this (on macOS):

prometheus:tmp sven$ mkdir ssl
prometheus:tmp sven$ cd ssl
prometheus:ssl sven$ openssl genrsa -out privkey.pem 1024
Generating RSA private key, 1024 bit long modulus
..++
..++
e is 65537 (0x10001)
prometheus:ssl sven$ openssl req -new -key privkey.pem -out certreq.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-
Country Name (2 letter code) []:BE
State or Province Name (full name) []:
Locality Name (eg, city) []:Hasselt
Organization Name (eg, company) []:Beta Nine
Organizational Unit Name (eg, section) []:
Common Name (eg, fully qualified host name) []:Sven Van Caekenberghe
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
prometheus:ssl sven$ openssl x509 -req -days 3650 -in certreq.csr -signkey privkey.pem -out newcert.pem
Signature ok
subject=/C=BE/L=Hasselt/O=Beta Nine/CN=Sven Van Caekenberghe
Getting Private key
prometheus:ssl sven$ ( openssl x509 -in newcert.pem; cat privkey.pem ) > server.pem
prometheus:ssl sven$ ls
certreq.csr newcert.pem privkey.pem server.pem
prometheus:ssl sven$ ls -la server.pem 
-rw-r--r--  1 sven  staff  1681 Dec 21 11:28 server.pem
prometheus:ssl sven$ pwd
/Users/sven/tmp/ssl
prometheus:ssl sven$ 
Display all 2771 possibilities? (y or n)
prometheus:ssl sven$ ls
certreq.csr newcert.pem privkey.pem server.pem




Re: [Pharo-users] Teapot and SSL

2018-12-21 Thread Sven Van Caekenberghe



> On 20 Dec 2018, at 22:09, horrido wrote:
> 
> I had this working some many months ago, but now I can't get it to work.
> Really annoying. The entire process is so arcane...
> 
> My HTTP server starts like this:
> 
> Teapot stopAll.
> Teapot on
>   Get: blah blah blah
> 
> Then I visit http://localhost:1701/.
> 
> I created a self-signed cert called newcert.pem. My HTTPS server starts like
> this:
> 
> Teapot stopAll.
> secureServer := (ZnSecureServer on: 1443)
>   certificate: '/home/richard/newcert.pem';
>   logToTranscript;
>   start;
>   yourself.
> teapot := Teapot configure: { #znServer -> secureServer }.
> teapot
>   Get: blah blah blah
> 
> When I visit https://localhost/, I get "Unable to connect". I tried
> localhost:1701, localhost:1443, just about every damn port number I can
> think of. No joy.
> 
> So what the devil am I doing wrong???

First, this only works for Linux (as far as I know, have experienced, others 
have reported differently).

Second, a self-signed certificate is considered insecure (more so nowadays), so 
you will have to force your browser to continue through lots of scary warnings.

I just tried in Ubuntu 18.04.O1 LTS 64-bit, using Pharo 7 and FireFox, and it 
worked.

As an aside, I would not do stuff like this, SSL is no joke, it is serious 
business: a certificate means something for real. This is not something you 
slam on for fun in a demo. In production systems, it is much better to put 
nginx or something like that in front of your app to add high quality ssl (with 
infinitely more documentation, options, users, experience, etc ...), but even 
there a quick and dirty self signed certificate won't get you very far.

Sven