Force SSL by default

[ywecur]

Currently there is no way to force clients to connect via SSL, making communication insecure by default.

I'm not sure how this would be implemented, though I know of this meteor package that forces SSL, which might help.

And as @geekgonecrazy has pointed out to me: A toggle might be useful during the initial setup.

[geekgonecrazy]

Also as discussed maybe if the site url has https:// in it then we could force ssl by default. But for sure we need a toggle

[ywecur]

@geekgonecrazy Maybe add the contrib: easy lable?

[geekgonecrazy]

Going to tack on intermediate. Because I assume easy, but it might throw a curve ball :)

[engelgabriel]

Meteor won't handle the SSL directly, the NGINX or other reverse proxy will do that. I think it makes more sense to configure the redirect there (like we do on the demo server) rather than on the app level. It's far more effective/secure and much faster.

[Megatronic79]

@engelgabriel agree with you there, the reverse proxy should handle the SSL connection termination and can force all http to https easily. (as well as secure numerous other web security issues.)

[ywecur]

@Megatronic79 Will this also apply to the mobile apps?

[engelgabriel]

It will apply to ALL connections.

[Megatronic79]

The mobile apps connect to the same endpoint as the web services, if the reverse proxy is set to force all http to https then all traffic will be encrypted.

[ywecur]

Nevertheless, this is something that should be apparent in the tutorial. I found no mention of this before I deployed my instance to Heroku. Not forcing SSL is a big privacy and security risk IMO.

[vargasbo]

Agree. Maybe you can document this and issue the PR.

[ywecur]

@vargasbo How would one document this? I'd prefer a script that does this automatically, if this is possible to achieve that is.

[vargasbo]

You can add create a new wiki page (how to force SSL) add your 2 cents, and then link to the existing wiki page.

[Megatronic79]

SSL and reverse proxy is already part of the wiki here:

https://github.com/RocketChat/Rocket.Chat/wiki/Run-Rocket.Chat-behind-a-SSL-Reverse-Proxy

I guess a step on the Heroku page needs to point to this with a security note.

[engelgabriel]

I am not sure how you'd configure it at Heroku. They relay on the app to do that. So we may have to implement something on our side to support it at all.

[Sing-Li]

On Heroku ...

https://devcenter.heroku.com/articles/ssl-endpoint

... might have websocket or sticky sesssion problems ?

[engelgabriel]

@Sing-Li I've seen the article, but didn't find anything about forcing the SSL... from what I understand, they expect the app to do the redirect.

[mquandalle]

I also think that it is not the role of a Meteor application to handle http to https redirection. The force-ssl package from MDG was almost a hack to configure this redirection on Galaxy since at the time they didn’t have any Galaxy admin UI but this is kind of a weird package honestly.

Anyway even if the force-ssl package you still need to configure an server proxy like Nginx to handle the SSL certificate, and so it makes perfect sense to configure the redirection at Nginx level as well. Sure not everyone is configuring Nginx on top of Rocket.chat but these users will not be able to use https anyway.

[Sing-Li]

Perhaps add Nginx to front-end Rocket.Chat on Heroku? https://github.com/ryandotsmith/nginx-buildpack

[mquandalle]

And maybe the docker-compose could also have a Nginx proxy? Although IIRC docker-compose doesn't advertise itself as ready for production use, so I’m not sure if there is a clean way to install and update a full stack of containers (database, application, Nginx proxy) on production with it.

[MuhClaren]

@mquandalle A deployment guide exists for rocketchat using docker-compose and nginx (SSL): https://github.com/RocketChat/Rocket.Chat/wiki/Docker---Ubuntu-with-Nginx-SSL-and-Hubot although you're right about the non-production warning with docker-compose at the moment. I've banged on my docker-compose deployments as much as possible, never a problem.

As for nginx https rewrites, In general, the official method for having nginx force http connections to https is to use the return directive in the http server block:

server {
    listen       80;
    server_name  example.org;
    return       301 https://www.example.org$request_uri;
}

source: http://nginx.org/en/docs/http/converting_rewrite_rules.html

edit: removed cloudflare info

[engelgabriel]

Just because Rocket.Chat is the most popular button at Heroku (see https://elements.heroku.com/), should we try to implement something like https://github.com/kfatehi/meteor-my-force-ssl but make it ONLY triggered/installed if the administrator turns it on the the admin panel?

What do you think @RocketChat/core ?

[mquandalle]

(Ah, Wekan is on the list! I wasn’t aware of that at all!)

[engelgabriel]

From the top 5, 3 are Meteor apps :)

[ywecur]

@engelgabriel I agree with this. Heroku users will have no idea about this issue otherwise and will deploy without knowledge.