
I would like to know how to configure the PEP Proxy so that I can exchange messages over HTTPS. I have an instance of Orion Context Broker that is accessed only after passing through the PEP Proxy. My PEP Proxy (Wilma) configuration file (config.js) has the following:

config.https = {
   enabled: true,
   cert_file: 'cert/idm.crt',
   key_file: 'cert/idm.key',
   port: 443
};

config.account_host = 'https://localhost:8000';   //account.lab.fiware.org';
config.keystone_host = 'localhost'; //'cloud.lab.fiware.org';
config.keystone_port = 5000; //4731;

config.app_host = 'https://orion'; //'localhost';
config.app_port = ''; //Nginx is configured to redirect to port 1026
// Use true if the app server listens in https
config.app_ssl = true;

config.username = 'pep_proxy_credential_obtained_at_portal';
config.password = 'password_obtained_at_portal';

I also have HTTPS to HTTP termination (Nginx configured as a reverse proxy) so that requests sent directly to Orion are secure. HTTPS works only without the PEP Proxy flow. When I insert the authorization/authentication flow, I run into problems, because the PEP Proxy does not handle the SSL certificate. Here is the Nginx configuration:

location / {
    proxy_set_header        Host $host;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto $scheme;

    # Fix the "It appears that your reverse proxy set up is broken" error.
    proxy_pass          http://orion:1026;
    proxy_read_timeout  90;
    proxy_redirect      http://orion:1026 https://orion;
}

I want to integrate what I have in a way that lets me communicate with Orion only over HTTPS, including the PEP Proxy flow. I've searched but did not find anything useful related to HTTPS configuration in the PEP Proxy.

EDIT: There is an error when the PEP Proxy redirects to the application:

2017-01-17 20:52:55.544  - INFO: Server - Success authenticating PEP proxy. 
Proxy Auth-token:  d7ec08edd87d43418edfd558df26f427
2017-01-17 20:53:49.450  - INFO: IDM-Client - Checking token with IDM...
2017-01-17 20:53:49.508  - INFO: Root - Access-token OK. Redirecting to app...
Refused to set unsafe header "accept-encoding"
Refused to set unsafe header "content-length"

The error presented by the application is:

('Connection aborted.', BadStatusLine('HTTP/1.1 0 unknown\r\n',))
Dalton Cézane
  • I have doubts about the setup... either PEP-nginx-Orion or nginx-PEP-Orion. Could you clarify, please? – fgalan Jan 18 '17 at 12:09
  • @fgalan, I am trying PEP-Nginx-Orion: the request goes to PEP and PEP redirects to Orion, which is accessed through the Nginx reverse proxy. I will add the Nginx configuration to the question now. – Dalton Cézane Jan 18 '17 at 13:53
  • Maybe an nginx-PEP-Orion setup could simplify things? – fgalan Jan 18 '17 at 16:01
  • But, in this case, I would have HTTPS just between Nginx and PEP, and PEP can be hosted on a different machine from Orion. I'd like to secure the channel between client and Orion. Now, Nginx is configured together with Orion. Do you have another suggestion, @fgalan, to better secure this channel end-to-end? In the meantime, I turned off Nginx and tested access to Orion using only the PEP Proxy configured for HTTPS: same error (`('Connection aborted.', BadStatusLine('HTTP/1.1 0 unknown\r\n',))`) and in the PEP: `Redirecting to app... Refused to set unsafe header "accept-encoding"` - Maybe PEP is the problem. – Dalton Cézane Jan 18 '17 at 17:35
  • 1
    Try to stop Orion and run `nc -l -p 1026` in the same machine, thus "impersonating". Then repeat the test, in order to see which exact request (if any) is PEP forwarding to Orion in this situation. Please post the result of the test in your question post. – fgalan Jan 18 '17 at 18:49
  • @fgalan, nothing. There is no response. Nothing happens. – Dalton Cézane Jan 18 '17 at 19:16
  • Do you have some other suggestion about this problem (Wilma-Nginx-Orion), @fgalan? I am still thinking this can be an error of Wilma... – Dalton Cézane Jan 24 '17 at 13:57
  • 1
    Unfortunatelly, I'm not familiary with PEP-Nginx-Orion setups but with Nginx-PEP-Orion ones. In my case this makes sense as PEP-Orion connection is implemented using a secure channel (by L2/L3 security means) so we try to pass from HTTPS to HTTP as soon as possible (i.e. at the nginx point). Anyway, I hope that Wilma team can have a look to confirm if there is a bug in that software or request more information to debug the case. – fgalan Jan 26 '17 at 20:19
  • 1
    Ah... I have just realized that you self-answer with the solution to the problem. Happy to see that at the end the problem was solved :) – fgalan Jan 26 '17 at 20:22
  • Anyway, could you give me a better explanation about your Nginx-PEP-Orion configuration, @fgalan ? – Dalton Cézane Jan 26 '17 at 20:29
  • Basically is a matter of configuring Nginx in a way similar to the one you describe at http://stackoverflow.com/questions/40999447/fiware-how-to-integrate-keyrock-idm-wilma-pep-proxy-and-orion-context-broker. The difference is that in port 1026 you don't have Orion listening, but a PEP instance that proxies to the actual Orion (in our case, running in the same host in port 10026). In my case, I'm not using Wilma, but an alternative GEi implementation named Steelskin (https://github.com/telefonicaid/fiware-pep-steelskin) although in theory Wilma should work the same way. – fgalan Jan 26 '17 at 21:21
  • Ok, @fgalan . In this case, you do not have PEP-Orion via HTTPS because both are in the same machine, right? So, HTTPS is just in "world-Nginx" part? Thanks. – Dalton Cézane Jan 26 '17 at 21:52
  • 1
    Yes. However, PEP and Orion could be in separate machines as long as there is a secure channel, eg. they are in the dame L2 isolated segment – fgalan Jan 26 '17 at 22:04

2 Answers


The problem was the https at configuration:

config.app_host = 'https://orion';

I had to debug to find this. The PEP Proxy Wilma adds the protocol (http or https) to the configured application host itself. The correct configuration is without the protocol:

config.app_host = 'orion';

Maybe this observation can be added to Wilma documentation in order to avoid errors like mine.

Dalton Cézane
  • 1
    Strictly speaking, if a given URL is `http:://orion`, then the host is `orion` (while `http://` is the URL schema). However, I agree with you it would be a good idea to add a remark about it in the Wilma documenation (maybe in the config.js.template file itself, as a comment just above the `config.app_host` parameter). Maybe you could even contribute to the https://github.com/ging/fiware-pep-proxy repository with a pull request with that change :) – fgalan Jan 26 '17 at 20:26
  • 1
    You're right, @fgalan . But it is a bit confused because another parameter in the config.js file works with the protocol: `account_host = 'http://127.0.0.1';` . Maybe it could be standardized, including the ports configuration: one is passed as int ( `config.keystone_port = 5000;` ), the other as string ( `config.app_port = '1026';` ). =) – Dalton Cézane Jan 26 '17 at 20:42

You can configure the PEP Proxy to listen on HTTPS using the "https" parameter in the config file:

https://github.com/ging/fiware-pep-proxy/blob/master/config.js.template#L7

Álvaro Alonso