Add support for HTTPS to tracd

[krichter@…]

tracd doesn't support HTTPS in standalone mode. It'd be nice to add this feature because HTTPS connections are state of the art and it allows users to skip setting up a webserver or figure out how to migrate a standalone instance to a webserver in case that's even possible or to learn how to configure stunnel and deal with it's quite unintuitive behaviour.

experienced with 1.1.5dev

[Peter Suter]

Searching for BaseHTTPServer python https I found ​this article suggesting this would surprisingly(?) not be very difficult (anymore?), so I quickly tried the attached patch​ without any obvious problems.

The suggested ​ssl.wrap_socket has a bunch of additional optional parameters I haven't looked at, and after Python 2.7.9 SSLContext.wrap_socket() might be better.

A PEM certificate is required for HTTPS servers. I guess this would have to be specified with a new parameter. I only tested with ​a self-signed certificate.

There might be other hidden downsides or complexities missing. Feel free to take or improve the patch if you think supporting this is worth it.

[Jun Omae]

At least, ssl.wrap_socket() must be passed keyfile parameter.

[Daniel Cantarín <canta@…>]

Replying to Peter Suter:

Searching for BaseHTTPServer python https I found ​this article suggesting this would surprisingly(?) not be very difficult (anymore?), so I quickly tried the attached patch​ without any obvious problems.

The suggested ​ssl.wrap_socket has a bunch of additional optional parameters I haven't looked at, and after Python 2.7.9 SSLContext.wrap_socket() might be better.

A PEM certificate is required for HTTPS servers. I guess this would have to be specified with a new parameter. I only tested with ​a self-signed certificate.

There might be other hidden downsides or complexities missing. Feel free to take or improve the patch if you think supporting this is worth it.

I've applied the patch in my local installation. Also, added the "—certificate" option in standalone.py, and setted the default protocol to "https".

At first it seems to work fine and the procedure is very simple. However, I have a problem. After every POST request (not GET), tracd sends me to http instead of https, which doesn't exists. I guess "http" is hardcoded somewhere, or is setted as protocol somewhere else aside from standalone.py.

Do you have any idea where could this be changed?

Replying to Jun Omae:

At least, ssl.wrap_socket() must be passed keyfile parameter.

I didn't needed it. Just passed certfile parameter and the setup worked.

[Daniel Cantarín <canta@…>]

Nevermind, eventually found #2553 and others. Changing base_url to an absolute https url and using use_base_url_for_redirect = enabled did the trick.

[Ryan J Ollos]

​mkcert looks useful for creating dev certs to test this feature.

Untested patch rebased on trunk: T12611_https_ssl_wrap_socket.2.diff​.

[Ryan J Ollos]

Replying to Daniel Cantarín <canta@…>:

Replying to Jun Omae:

At least, ssl.wrap_socket() must be passed keyfile parameter.

I didn't needed it. Just passed certfile parameter and the setup worked.

Do you have a ​combined key and certificate?

[Ryan J Ollos]

Create certificates with mkcert on OSX:

$ mkcert -install
$ mkcert trac.dev localhost 127.0.0.1 ::1
Using the local CA at "/Users/rjollos/Library/Application Support/mkcert" ✨

Created a new certificate valid for the following names 📜
 - "trac.dev"
 - "localhost"
 - "127.0.0.1"
 - "::1"

The certificate is at "./trac.dev+3.pem" and the key at "./trac.dev+3-key.pem" 

I put the following in my /etc/hosts:

$ cat /etc/hosts | grep trac.dev
127.0.0.1 trac.dev

Run tracd with --certfile and --keyfile parameters. Example:

$ tracd -s -p 8443 --protocol https --certfile ../trac.dev+3.pem --keyfile ../trac.dev+3-key.pem ../tracenvs/proj-1.3

Access Trac through browser at https://trac.dev:8443, https://localhost:8443, etc.

Proposed changes in log:rjollos.git:t12611_https_for_tracd.2. I read through the ​Python ssl documentation. I'm no expert on this topic, so let me know if you have any suggestions.

I dropped the flags for certfile and keyfile ([0f02a82d0/rjollos.git]), since this feature probably won't be used that much and it's nice to keep the flags available for commonly-used arguments. Let me know if you have a feeling about this one way or the other.

DONE Update 1.3/TracStandalone.

[Ryan J Ollos]

Edited 1.3/TracStandalone@4.

[Ryan J Ollos]

Committed to trunk in r16761.