
While preparing to submit an app, I discovered that Apple requires that all calls be made over HTTPS. In my code, the server URL in SyncUser.logIn is just a normal plain HTTP call http://mywebsite:9080.

Details of my configuration

  • I have a registered domain http://example.com. It's only a domain and nothing is hosted under it.
  • ROS is installed on Amazon EC2 instance (Ubuntu 16.04)
  • From the domain registrar of http://example.com, I pointed the URL to the elastic IP address on my EC2 instance.
  • I can access the realm dashboard just fine through: http://example.com:9080

Dilemma

SSL / HTTPS is a new territory for me. I did a bit of reading and I realized that I need an SSL certificate for my domain. However:

  1. I issued a certificate for the domain through AWS Certificate Manager, but it cannot be deployed onto my instance. EC2 isn't supported.
  2. I also tried certbot — it generated keys which are saved under the /etc directory of my EC2 instance, but I don't know how to put them into use.

So when I enter my website in an SSL checker, it rightly says that no SSL certificates were found.

Do I need to opt-out of AWS?

I found an answer here but it seems like an outdated answer (or probably too hacky). I also found these slides that do the whole trick, but they totally went over my head.


2 Answers

Apple's requirements are a bit more nuanced than your original question and the deadline has been extended, yet to be specified.

See the pinned forum post from Feb 2017 with points quoted:

  • NSAllowsArbitraryLoadsInWebContent lets you have a strict ATS dictionary but still load arbitrary content in a web view (WKWebView, UIWebView, WebView)
  • (new since WWDC) NSAllowsLocalNetworking lets you opt out of ATS for local networking — To learn more, see the NSAppTransportSecurity section of the Information Property List Key Reference.
  • (new since WWDC) NSAllowsArbitraryLoadsForMedia lets you opt out of ATS for media resources — To learn more, see the NSAppTransportSecurity section of the Information Property List Key Reference.
  • NSRequiresCertificateTransparency lets you opt in to Certificate Transparency checking
  • cypher suites employing RC4 are now disabled by default
  • the SSLv3 protocol is now disabled by default at the Secure Transport layer
  • cypher suites employing SHA-1 or 3DES are still supported but you should consider moving away from them
  • (new since WWDC) NSURLConnection now honours the ATS minimum TLS version — Previously NSURLConnection would ignore the minimum TLS version prescribed by ATS (r. 23167645). This bug has been fixed. If you’re using NSURLConnection for your networking, make sure to run your app on the latest released OS to ensure that it still works as expected.

Apple announced on Dec 21 2016 that this deadline has been extended and that they will provide another update when a new deadline is confirmed.

Andy Dent

I'm not intimately familiar with AWS's SSL stuff, but a simple way to accomplish this would be to use Nginx on your EC2 instance as an SSL reverse proxy. You would set up your SSL certificate with Nginx, and have Nginx route the traffic to your Realm Object Server. You also get the benefit of listening on the standard port 443 (if you want to) and you can keep the 9080 port closed to outside traffic.

Here's instructions on setting up a reverse proxy with Nginx: https://www.techandme.se/set-up-nginx-reverse-proxy/

And here's info on setting up WebSockets proxying (which ROS uses): https://www.nginx.com/blog/websocket-nginx/

Also, here's a guide on how to use Let's Encrypt (a free, trusted certificate authority) to get a free certificate as well as keeping it renewed: https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04

Here's my actual working Nginx config using all of the above:

# Realm Object Server http to https redirection
#
server {
    listen 80;
    listen [::]:80;
    server_name yourdomain.com;   # replace with the domain the certificate was issued for
    return 301 https://yourdomain.com$request_uri;
}

# Realm Object Server reverse proxy
#
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # Paths as written by certbot: fullchain.pem = leaf + intermediates, privkey.pem = private key
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    ssl_session_cache shared:SSL:200m;
    ssl_session_timeout 180m;
    # ATS clients negotiate TLS 1.2 regardless; TLSv1 and TLSv1.1 are only there for
    # older non-ATS clients and can be dropped (TLSv1.2 alone) if none are expected.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    # ATS requires forward-secret (ECDHE) AES suites, which come first here. DH+3DES is a
    # legacy fallback that an ATS client will never pick and can be removed.
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
    # Generate once: openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    # OCSP stapling: chain.pem (intermediates only) verifies the stapled response, and
    # the resolver is what nginx uses to reach the CA's OCSP responder.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/yourdomain.com/chain.pem;
    resolver 8.8.8.8 8.8.4.4;

    # HSTS: browsers refuse plain http for this host for a year after the first https visit
    add_header Strict-Transport-Security "max-age=31536000" always;

    server_name yourdomain.com;

    # ROS is reached over plain http on the loopback interface; close 9080 to the
    # outside in the EC2 security group so the only public path is through nginx.
    set $upstream 127.0.0.1:9080;

    location / {
        proxy_pass http://$upstream;
        # HTTP/1.1 plus the Upgrade/Connection headers let the Realm sync WebSocket
        # pass through the proxy
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass_request_headers      on;
        proxy_buffering off;
        client_max_body_size 0;
        # sync connections are long-lived; do not cut idle WebSockets at nginx's default 60s
        proxy_read_timeout 36000s;
        proxy_redirect off;
        proxy_ssl_session_reuse off;   # only relevant for https upstreams; harmless here
    }
}
Ben Baron
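Once the proxy above is in place, the practical question is whether an ATS client will actually accept the endpoint. The following is an added example, not code from the question or from either answer: it takes the ATS defaults the first answer quotes (TLS 1.2 or later, a forward-secret AES suite, a certificate that chains to a trusted root) and checks them against either a live host or an nginx ssl_ciphers string like the one in the second answer. The cipher list is the twelve suites Apple documents for ATS, written with their OpenSSL names; the file name ats_check.py in the usage line is an assumption.

```python
"""Audit a TLS endpoint, or an nginx ssl_ciphers string, against Apple ATS defaults.

Added example, not part of the original answers. Assumes ATS's documented
defaults: TLS 1.2 or later and one of the forward-secret AES suites below.
"""
import socket
import ssl
import sys
from dataclasses import dataclass

# OpenSSL names for the twelve suites Apple lists as acceptable under ATS
# (Apple documents them by IANA name, e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256).
ATS_CIPHERS = frozenset({
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-SHA384",     "ECDHE-ECDSA-AES128-SHA256",
    "ECDHE-ECDSA-AES256-SHA",        "ECDHE-ECDSA-AES128-SHA",
    "ECDHE-RSA-AES256-GCM-SHA384",   "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA384",       "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES256-SHA",          "ECDHE-RSA-AES128-SHA",
})


@dataclass(frozen=True)
class Negotiated:
    protocol: str   # as returned by SSLSocket.version(), e.g. "TLSv1.2"
    cipher: str     # OpenSSL suite name from SSLSocket.cipher()[0]


def cipher_ok(name: str) -> bool:
    """True if ATS accepts the suite.

    TLS 1.3 suites (OpenSSL names start with "TLS_") are all AEAD with
    ephemeral key exchange, so they are treated as acceptable as well.
    """
    return name in ATS_CIPHERS or name.startswith("TLS_")


def ats_problems(n: Negotiated) -> list:
    """Return human-readable ATS violations for a negotiated session (empty list = OK)."""
    problems = []
    if n.protocol not in ("TLSv1.2", "TLSv1.3"):
        problems.append(f"protocol {n.protocol}: ATS requires TLS 1.2 or later")
    if not cipher_ok(n.cipher):
        problems.append(f"cipher {n.cipher}: not a forward-secret AES suite accepted by ATS")
    return problems


def audit_cipher_string(openssl_cipher_string: str):
    """Expand an nginx ssl_ciphers value with the local OpenSSL and split the
    result into (accepted, rejected) suite names.

    Runs offline. The expansion depends on the local OpenSSL build: suites it
    does not ship (3DES on many builds) simply do not appear. Raises
    ssl.SSLError if the string matches nothing at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(openssl_cipher_string)
    names = [c["name"] for c in ctx.get_ciphers()]
    accepted = [c for c in names if cipher_ok(c)]
    rejected = [c for c in names if not cipher_ok(c)]
    return accepted, rejected


def probe(host: str, port: int = 443, timeout: float = 10.0) -> Negotiated:
    """Handshake the way an ATS client would: verify the chain against the
    system trust store and refuse anything below TLS 1.2.

    An untrusted, expired or missing certificate raises ssl.SSLError, which is
    the condition an online SSL checker reports as "no certificate found".
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return Negotiated(tls.version(), tls.cipher()[0])


if __name__ == "__main__":
    # Usage: python ats_check.py yourdomain.com [443]   (file name is an assumption)
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    negotiated = probe(host, port)
    issues = ats_problems(negotiated)
    print(f"{host}:{port} negotiated {negotiated.protocol} {negotiated.cipher}")
    print("ATS: OK" if not issues else "ATS: " + "; ".join(issues))
```

Running audit_cipher_string on the ssl_ciphers line from the config above shows why it works for ATS even though it still admits weaker suites: every ECDH+AES entry expands to ECDHE suites on the accepted side, while anything from DH+3DES lands on the rejected side and is never chosen by an ATS client because ssl_prefer_server_ciphers puts the ECDHE suites first. Pointing probe at the host after certbot and nginx are set up confirms the chain verifies and that TLS 1.2 with an ECDHE suite is what actually gets negotiated.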