How one thing leads to another

TL;DR

Sometimes we set out to do one thing, only to find that it entails doing a lot of other things. See how this applies to introducing user management to uberview.io.

Introducing user management to Überview, or not (yet)

As described in my first post, I will show how the Überview approach can be used to give better access to bookmarks. Naturally, I would like you to be able to try it, so I set up a cloud instance to host the app. As this project is still in its very early stages, quite a few essential things are missing, one of them being user management, or more fundamentally the ability to have anything other than a single global instance of the data. So I started looking into ArangoDB's user management. And after auth0's heavy presence in the podcasts I listen to, I decided to try their service as well. I had listened to a show about multi-tenancy on Full Stack Radio with some insights on how to set up such projects, so in my mind I was more or less set to go. But then it occurred to me that users would be expected to enter passwords, and no one in their right mind would do that on an unencrypted web site. I had heard that letsencrypt made this easy, so off down that rabbit hole…

The setup of Überview is the following: all the traffic is routed through nginx, which means that nginx is proxying for the ArangoDB Foxx service. The encryption therefore needs to happen between the browser and nginx. The whole setup runs in Docker, and I used the preconfigured jwilder nginx-proxy image. This image has a companion image for letsencrypt that automatically acquires and installs certificates for all proxied hosts. Unluckily I was not only proxying the traffic but also doing some custom redirections (like http to https) and rewriting the incoming requests, because I wanted nicer URLs for the app.

Letsencrypt works the following way: you prove to letsencrypt that you own a domain, and then they send you a certificate valid for 3 months. You can then renew the certificate periodically. There are several ways you can prove to letsencrypt that you have control over a domain, which is nicely explained on their site. You basically have to either set a DNS record (thus proving that you control the DNS entry and effectively the domain) or place a file at a predefined location on the website, thus proving that you control the contents of the domain (this is called the webroot or http method). There are also a lot of tools that help you with this process, the one recommended by letsencrypt being certbot.

Unfortunately, just at the moment I was trying to install the certificate on my site, there was a third way to prove that you own a site: having the webserver present a special temporary certificate (this method is named tls-sni). This was also the default way certbot would choose to get a certificate for nginx. However, tls-sni seems to have been insecure and was pulled just as I was trying to get my certificate (January 2018), which made the certbot tool fall flat on its face. This is also the moment when things started to take much longer than I had expected. Because I couldn't use the default options for nginx and certbot and hope that it would just work, I first had to understand how letsencrypt actually works and then understand the certbot tool. Both are probably good things in themselves, but it's one of those things I had hoped would work magically. Isn't there a saying? "Magic always comes at a price…?" In hindsight I'm not really sure it would have worked out of the box anyway, because I am using a custom nginx config file together with the docker image, so I'm not sure certbot would have figured out the right place for the tls-sni settings.

Now I have manually installed the certificate using the webroot method. This worked ok (after I had figured out how nginx actually serves static files, another thing that took longer than I imagined), but I haven't configured the automatic renewal, which also seems to be part of certbot's functionality. At least I have 3 months to figure that one out :)
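To make the webroot method concrete, here is an added example of what a custom nginx config for this kind of setup looks like. It is not the Überview project's own config and not from certbot; the hostname `uberview.example`, the webroot `/var/www/letsencrypt`, the ArangoDB container name `arangodb` and the Foxx mount path `/_db/uberview/app` are all assumed placeholders. The point it shows is the one that bit me: the http-to-https redirect must not swallow the `/.well-known/acme-challenge/` path, otherwise letsencrypt can never fetch the proof file.

```nginx
# Added example config, not the Überview project's own.
# Assumed: webroot /var/www/letsencrypt, host uberview.example,
# upstream ArangoDB container "arangodb" on its default port 8529,
# Foxx service mounted at /_db/uberview/app.

server {
    listen 80;
    server_name uberview.example;

    # The ACME http-01 challenge must be reachable over plain HTTP.
    # certbot's webroot plugin writes the proof file into
    # <webroot>/.well-known/acme-challenge/<token>.
    # "^~" makes this prefix match win over the catch-all below.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type "text/plain";
    }

    # Everything else is redirected to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name uberview.example;

    # Paths where certbot stores the issued certificate and key.
    ssl_certificate     /etc/letsencrypt/live/uberview.example/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/uberview.example/privkey.pem;

    # Nicer URLs: /app/... on the outside is mapped onto the Foxx mount
    # point inside ArangoDB. The trailing slashes make nginx replace the
    # matched prefix instead of appending the full URI.
    location /app/ {
        proxy_pass http://arangodb:8529/_db/uberview/app/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

With that in place the certificate is requested with certbot's webroot plugin, `certbot certonly --webroot -w /var/www/letsencrypt -d uberview.example`, and the same config keeps working for renewal, since `certbot renew` re-runs the identical http-01 challenge; `certbot renew --dry-run` checks the path end to end without issuing anything, and a cron job or systemd timer calling `certbot renew` is what turns the 3-month validity into a non-issue.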

You can have a look at the site as it evolves, or just see a letsencrypt certificate in action, at uberview.

You can also check out the project, with all the config files discussed above, at the uberview gitlab page.