SSL and SyncServer

When I started using SyncServer on AWS, I incorporated SSL, using Let's Encrypt certificates, directly into the Swift Kitura-based server. This was following IBM's advice. However, a few issues have led me away from that:

  1. It was necessary to run SyncServer as root. Standard HTTPS uses port 443, and on Linux binding a port below 1024 requires root (or the CAP_NET_BIND_SERVICE capability). Running programs as root is not a generally accepted security practice.
  2. How do you run a dev or staging instance of the server? With one instance of SyncServer bound to port 443, no other server instance can use port 443. Since SyncServer uses credentials from live accounts (e.g., Google or Facebook), we *always* want to be using SSL, even when running dev or staging instances of the server.
  3. I wanted to experiment to try to solve a bug; more specifically, the issue could possibly be due to SSL problems.
  4. SSL might be handled more securely in other ways. Until I started looking into this, I didn't realize that server configuration plays a role in SSL-related security (for example, which TLS protocol versions and cipher suites the server will accept). See, for example, the references below.

I am going to leave this direct use of SSL available as a SyncServer configuration option, but it doesn't seem the advisable way to use SSL. Instead, I'm now using NGINX to proxy requests into SyncServer. HTTPS requests come into NGINX, which terminates TLS and forwards them to SyncServer as plain HTTP requests. Because that hop is unencrypted, SyncServer's own port should not be reachable from the Internet: keep it closed in the AWS security group so that only NGINX on ports 80 and 443 is exposed. With NGINX owning port 443, SyncServer itself can run as an unprivileged user on a high port, and a dev or staging instance can sit behind the same NGINX under a different server name, proxied to a different port.

To get NGINX running on Ubuntu 16.04 on AWS, I did the following:

  1. Install NGINX:
    sudo apt-get update
    sudo apt-get install nginx
    
  2. Check that NGINX is running (the installation above should start it):
    systemctl status nginx
    
  3. Modify the NGINX configuration at /etc/nginx/sites-available/default. You need to be `root` (e.g., via `sudo`) to edit this file. I read around on various references before making my changes (see references below). The bulk of my configuration came from this. I'm going to put this configuration in the file nginx.conf at the root of the SyncServer repo.
  4. Check the syntax of your config changes:
    sudo nginx -t
    
  5. Reload your conf changes:
    sudo systemctl reload nginx
    
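As an added example (this is not the nginx.conf from the SyncServer repo, and it is not taken from any of the references below), here is a complete site file of the kind step 3 edits: NGINX terminates TLS on port 443 with a Let's Encrypt certificate and proxies to SyncServer over the loopback interface. The host name example.com, the certificate paths derived from it, the SyncServer port 8080, and the ACME webroot /var/www/letsencrypt are assumptions, not settings stated on this page.

```nginx
# Added example for /etc/nginx/sites-available/default (not SyncServer's own config).
# Assumed: site name example.com, SyncServer listening on 127.0.0.1:8080,
# certbot certificates in /etc/letsencrypt/live/example.com/.

# Port 80: answer the Let's Encrypt http-01 challenge, redirect everything else to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name example.com;

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;   # assumed webroot handed to certbot --webroot
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: terminate TLS here; the application never touches certificates or port 443.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # This is the "server configuration plays a role in SSL security" part:
    # refuse the legacy protocols and non-forward-secret cipher suites.
    ssl_protocols TLSv1.2;                # add TLSv1.3 where NGINX/OpenSSL support it
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Pin clients to HTTPS. Start with a short max-age; raise it once the
    # redirect above is confirmed to work for every path.
    add_header Strict-Transport-Security "max-age=300" always;

    # SyncServer clients upload files; NGINX's default limit is 1m.
    client_max_body_size 50m;

    location / {
        proxy_pass http://127.0.0.1:8080;   # assumed SyncServer port; loopback only
        proxy_http_version 1.1;

        # Hand the original host, client address and scheme to the app, so that
        # logging and any "was this HTTPS?" check behind the proxy still work.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Response headers from SyncServer pass through unchanged, but clients that
        # negotiate HTTP/2 (enabled on the listen lines above) receive all header
        # names in lower case, as HTTP/2 requires. Look them up case-insensitively.
    }
}
```

Run `sudo nginx -t` before `sudo systemctl reload nginx`, as in steps 4 and 5. A staging instance is a second `server` block with its own `server_name` and certificate and a `proxy_pass` to a different loopback port, sharing the same port 443. To confirm what the server actually negotiates, `openssl s_client -connect example.com:443 -servername example.com` prints the protocol and cipher chosen; the SyncServer port itself should only answer from the instance, not from the Internet.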

Running SyncServer as a service on AWS/Ubuntu

This is next on my agenda.

Further Reading on devops matters

  1. Setting up Let's Encrypt for NGINX
  2. NGINX and Swift. Has some good ideas about security, and Swift devops.
  3. NGINX and Vapor
  4. More material on Let's Encrypt SSL certificates and NGINX. This is a bit general, but has some useful ideas.
  5. At first I was missing some headers...
  6. Documentation on NGINX proxy_pass

Other notes and issues

  1. SyncServer.ServerAPI.DownloadFileError.couldNotObtainHeaderParameters (9/9/17): After getting things initially working, I started receiving this error in the SharedImages app. From the message, it first appeared that NGINX was not sending all headers back down to the client. More specifically, this error arises on the client when file download response messages don't carry the header `SyncServer-Message-Params`. I had a corresponding problem with HTTP request message headers, but this one has to do with response message headers. The problem, it turned out, was that response header keys were being returned in lower case, while I had them in camel case. My change was in the client app: it now uses all lower-case response header keys. HTTP header field names are case-insensitive, and HTTP/2 requires them to be transmitted in lower case, so a client that looks up a header by exact case will break whenever a proxy or a protocol upgrade changes the casing; a case-insensitive lookup on the client is the robust form of this fix.