Edgewall Software
Modify

Opened 3 years ago

Closed 13 months ago

Last modified 13 months ago

#12611 closed enhancement (fixed)

Add support for HTTPS to tracd

Reported by: krichter@… Owned by: Peter Suter
Priority: normal Milestone: 1.3.4
Component: web frontend/tracd Version:
Severity: normal Keywords:
Cc: Branch:
Release Notes:

Added support for HTTPS protocol to tracd (TracStandalone).

API Changes:

Description (last modified by Ryan J Ollos)

tracd doesn't support HTTPS in standalone mode. It'd be nice to add this feature because HTTPS connections are state of the art and it allows users to skip setting up a webserver or figure out how to migrate a standalone instance to a webserver in case that's even possible or to learn how to configure stunnel and deal with it's quite unintuitive behaviour.

experienced with 1.1.5dev

Attachments (2)

T12611_https_ssl_wrap_socket.diff (2.7 KB ) - added by Peter Suter 3 years ago.
T12611_https_ssl_wrap_socket.2.diff (2.7 KB ) - added by Ryan J Ollos 13 months ago.

Download all attachments as: .zip

Change History (13)

comment:1 by Ryan J Ollos, 3 years ago

Component: generalweb frontend/tracd
Description: modified (diff)
Milestone: undecided

by Peter Suter, 3 years ago

comment:2 by Peter Suter, 3 years ago

Searching for BaseHTTPServer python https I found this article suggesting this would surprisingly(?) not be very difficult (anymore?), so I quickly tried the attached patch without any obvious problems.

The suggested ssl.wrap_socket has a bunch of additional optional parameters I haven't looked at, and after Python 2.7.9 SSLContext.wrap_socket() might be better.

A PEM certificate is required for HTTPS servers. I guess this would have to be specified with a new parameter. I only tested with a self-signed certificate.

There might be other hidden downsides or complexities missing. Feel free to take or improve the patch if you think supporting this is worth it.

Last edited 3 years ago by Peter Suter (previous) (diff)

comment:3 by Jun Omae, 3 years ago

At least, ssl.wrap_socket() must be passed keyfile parameter.

in reply to:  3 ; comment:4 by Daniel Cantarín <canta@…>, 2 years ago

Replying to Peter Suter:

Searching for BaseHTTPServer python https I found this article suggesting this would surprisingly(?) not be very difficult (anymore?), so I quickly tried the attached patch without any obvious problems.

The suggested ssl.wrap_socket has a bunch of additional optional parameters I haven't looked at, and after Python 2.7.9 SSLContext.wrap_socket() might be better.

A PEM certificate is required for HTTPS servers. I guess this would have to be specified with a new parameter. I only tested with a self-signed certificate.

There might be other hidden downsides or complexities missing. Feel free to take or improve the patch if you think supporting this is worth it.


I've applied the patch in my local installation. Also, added the "—certificate" option in standalone.py, and setted the default protocol to "https".

At first it seems to work fine and the procedure is very simple. However, I have a problem. After every POST request (not GET), tracd sends me to http instead of https, which doesn't exists. I guess "http" is hardcoded somewhere, or is setted as protocol somewhere else aside from standalone.py.

Do you have any idea where could this be changed?


Replying to Jun Omae:

At least, ssl.wrap_socket() must be passed keyfile parameter.


I didn't needed it. Just passed certfile parameter and the setup worked.

comment:5 by Daniel Cantarín <canta@…>, 2 years ago

Nevermind, eventually found #2553 and others. Changing base_url to an absolute https url and using use_base_url_for_redirect = enabled did the trick.

by Ryan J Ollos, 13 months ago

comment:6 by Ryan J Ollos, 13 months ago

Milestone: undecided1.3.4
Owner: set to Ryan J Ollos
Status: newassigned

mkcert looks useful for creating dev certs to test this feature.

Untested patch rebased on trunk: T12611_https_ssl_wrap_socket.2.diff.

in reply to:  4 comment:7 by Ryan J Ollos, 13 months ago

Replying to Daniel Cantarín <canta@…>:

Replying to Jun Omae:

At least, ssl.wrap_socket() must be passed keyfile parameter.

I didn't needed it. Just passed certfile parameter and the setup worked.

Do you have a combined key and certificate?

comment:8 by Ryan J Ollos, 13 months ago

Create certificates with mkcert on OSX:

$ mkcert -install
$ mkcert trac.dev localhost 127.0.0.1 ::1
Using the local CA at "/Users/rjollos/Library/Application Support/mkcert" ✨

Created a new certificate valid for the following names 📜
 - "trac.dev"
 - "localhost"
 - "127.0.0.1"
 - "::1"

The certificate is at "./trac.dev+3.pem" and the key at "./trac.dev+3-key.pem" 

I put the following in my /etc/hosts:

$ cat /etc/hosts | grep trac.dev
127.0.0.1 trac.dev

Run tracd with --certfile and --keyfile parameters. Example:

$ tracd -s -p 8443 --protocol https --certfile ../trac.dev+3.pem --keyfile ../trac.dev+3-key.pem ../tracenvs/proj-1.3

Access Trac through browser at https://trac.dev:8443, https://localhost:8443, etc.

Proposed changes in log:rjollos.git:t12611_https_for_tracd.2. I read through the Python ssl documentation. I'm no expert on this topic, so let me know if you have any suggestions.

I dropped the flags for certfile and keyfile ([0f02a82d0/rjollos.git]), since this feature probably won't be used that much and it's nice to keep the flags available for commonly-used arguments. Let me know if you have a feeling about this one way or the other.

DONE Update 1.3/TracStandalone.

Last edited 13 months ago by Ryan J Ollos (previous) (diff)

comment:9 by Ryan J Ollos, 13 months ago

Release Notes: modified (diff)

comment:10 by Ryan J Ollos, 13 months ago

Resolution: fixed
Status: assignedclosed

Committed to trunk in r16761.

comment:11 by Ryan J Ollos, 13 months ago

Owner: changed from Ryan J Ollos to Peter Suter

Modify Ticket

Change Properties
Set your email in Preferences
Action
as closed The owner will remain Peter Suter.
The resolution will be deleted. Next status will be 'reopened'.

Add Comment


E-mail address and name can be saved in the Preferences .
 
Note: See TracTickets for help on using tickets.