[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[THREDDS #PCI-632644]: mixed contents in Godiva2



Greetings Fan,

One of the demis servers is used as the default map background tile server, so 
you would
still see the javascript call out to a non-https resource, although Safari 
allows it. However,
I could modify the javascript to default to the nasa blue marble server and 
remove the demis
server options from the interface when https access to Godiva is detected. The 
http resources
would still be listed in the javascript, but would never actually be used or 
exposed as an option
to the end user. Would that be acceptable?

Once we finalize on the above issue, I can cut you a snapshot war file to test 
with. I do not expect
a final release of 4.6.11 would take more than a week to get out the door, and 
it would not be
significantly different than the snapshot release I'd provide. We have a team 
meeting today
and I will see if there are any other things we need to get into a release and 
will have a better
idea then.

Thanks for the info on EarthData login - very helpful information :-)

Cheers,

Sean

> That’s excellent, Sean!
> 
> I tried the URL you included. The first time the data didn’t load, but it did 
> when I hit reload, and it looked good.
> 
> You said that the ‘demis’ servers are still enabled, but would they show up 
> in any transactions? I figured what you meant was that it is still in the 
> code or configurations or both, but it shouldn’t show up in any logs? I want 
> to make sure that security scans would not detect any request to an HTTP 
> server.
> 
> So when would I be able to have the 4.6.11 .war file to test it out?
> 
> Thanks so much for this quick turn-around.
> 
> -Fan
> 
> p.s. We did the EarthData URS-login implementation in the Apache server. It 
> might be doable in Tomcat also but we didn’t use that route. I know a few 
> other NASA centers did the same. There is no need for TDS to implement 
> anything specific for EarthData authorization, I think. At least not for now.
> 
> On 11/8/17, 9:08 PM, "Unidata THREDDS Support" <address@hidden> wrote:
> 
> Greetings Fan,
> 
> I have a fix in for this issue. Part of the insecure resource access was 
> addressed
> by https://github.com/Unidata/thredds/pull/825, but there were a few things I 
> missed
> and have addressed them in https://github.com/Unidata/thredds/pull/945. To 
> see a
> live example of the fixed code, check out:
> 
> https://thredds.ucar.edu/thredds/godiva2/godiva2.html?server=https://thredds.ucar.edu/thredds/wms/grib/NCEP/HRRR/CONUS_2p5km/HRRR_CONUS_2p5km_20171108_2100.grib2
> 
> Note that there are still issues with requesting tiles for two of the 
> background map from the
> http://www2.demis.nl/wms/wms.ashx server. While the server does allow https 
> access,
> their ssl certificate is not correct and, from what I can tell, something in 
> OpenLayers
> fails to allow it it load. I'm not sure if that is something I can fix or 
> not. However,
> there are two other map servers (NASA and NSIDC) that do work with https, and
> I've upgraded the code to use them (but the demis servers are still enabled 
> in the interface).
> 
> Both of the PRs I reference above are not in the current stable version 
> (4.6.10), but we should
> cut a 4.6.11 stable release soon to get these fixes out.
> 
> Cheers,
> 
> Sean
> 
> > Greetings Fan,
> >
> > I plan on taking at look at the issue today and will be able to update you
> > tomorrow as to the status.
> >
> > As a side note, I noticed the server in the logs below is setup to use the
> > EarthData Login system. Did you all write some code for an authorizer in
> > the TDS, or are you using Apache? I ask because I was going to write some
> > c for the TDS to handle EarthData Login auth, as we know that soon all
> > NASA data sources will require it, but if there is a solution in place, 
> > then I will
> > hold off writing anything.
> >
> > Cheers,
> >
> > Sean
> >
> > > Hi Sean,
> > >
> > > I want to add a note that NASA data centers, including us here at GES 
> > > DISC, are mandated to make this HTTP to HTTPS transition. We would be 
> > > forced to disable Godiva if there is any security hole found, including 
> > > this mixed content issue. This would upset many of our TDS users. 
> > > Therefore fixing this can become quite urgent.
> > >
> > > If you have put this into the planning, we’d appreciate it if you could 
> > > share the schedule with us. Thanks.
> > >
> > > -Fan
> > >
> > > On 11/2/17, 12:14 PM, "Unidata THREDDS Support" <address@hidden> wrote:
> > >
> > > Would you mind if I open a github issue on this?
> > >
> > > > Greetings Fan,
> > > >
> > > > Since we do not run over https, I haven't encountered this behavior - 
> > > > thank you for your report!
> > > >
> > > > I'll take a look and see what can be done.
> > > >
> > > > Cheers,
> > > >
> > > > Sean
> > > >
> > > > > Hi. Ever since we migrated our servers from ‘HTTP’ to ‘HTTPS’, the 
> > > > > Godiva visualizer stopped working with some of the browsers. The 
> > > > > Godiva setting makes a number of ‘HTTP’ requests internally and the 
> > > > > browsers do not like it. For a sample list of such requests see below.
> > > > >
> > > > > Some browsers, such as Firefox and Chrome, detects unsecure requests 
> > > > > and allows to temporarily disable ‘protection’ to make Godiva work as 
> > > > > usual, while others, such as Safari, are entirely unhappy.
> > > > >
> > > > > I wonder if you plan to fix this in the next release of THREDDS 
> > > > > server. Thanks.
> > > > >
> > > > > -Fan
> > > > >
> > > > > godiva2.html:11 Mixed Content: The page at 
> > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded 
> > > > > over HTTPS, but requested an insecure stylesheet 
> > > > > 'http://yui.yahooapis.com/2.5.2/build/reset-fonts-grids/reset-fonts-grids.css'.
> > > > >  This request has been blocked; the content must be served over HTTPS.
> > > > > godiva2.html:28 Mixed Content: The page at 
> > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded 
> > > > > over HTTPS, but requested an insecure stylesheet 
> > > > > 'http://yui.yahooapis.com/2.5.2/build/treeview/assets/skins/sam/treeview.css'.
> > > > >  This request has been blocked; the content must be served over HTTPS.
> > > > > godiva2.html:1 Mixed Content: The page at 
> > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded 
> > > > > over HTTPS, but requested an insecure script 
> > > > > 'http://yui.yahooapis.com/2.5.2/build/yahoo-dom-event/yahoo-dom-event.js'.
> > > > >  This request has been blocked; the content must be served over HTTPS.
> > > > > godiva2.html:1 Mixed Content: The page at 
> > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded 
> > > > > over HTTPS, but requested an insecure script 
> > > > > 'http://yui.yahooapis.com/2.5.2/build/treeview/treeview-min.js'. This 
> > > > > request has been blocked; the content must be served over HTTPS.
> > > > > godiva2.html:33 Mixed Content: The page at 
> > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded 
> > > > > over HTTPS, but requested an insecure stylesheet 
> > > > > 'http://yui.yahooapis.com/2.5.2/build/container/assets/skins/sam/container.css'.
> > > > >  This request has been blocked; the content must be served over HTTPS.
> > > > > godiva2.html:1 Mixed Content: The page at 
> > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded 
> > > > > over HTTPS, but requested an insecure script 
> > > > > 'http://yui.yahooapis.com/2.5.2/build/container/container-min.js'. 
> > > > > This request has been blocked; the content must be served over HTTPS.
> > > > > godiva2.html:60 Mixed Content: The page at 
> > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded 
> > > > > over HTTPS, but requested an insecure image 
> > > > > 'http://www.resc.reading.ac.uk/images/new_logo_72dpi_web.png'. This 
> > > > > content should also be served over HTTPS.
> > > > > godiva2.html:1 Mixed Content: The page at 
> > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded 
> > > > > over HTTPS, but requested an insecure image 
> > > > > 'http://www.met.reading.ac.uk/resc/home/images/new_logo_72dpi_web.png'.
> > > > >  This content should also be served over HTTPS.
> > > > > www.met.reading.ac.uk/resc/home/images/new_logo_72dpi_web.png Failed 
> > > > > to load resource: the server responded with a status of 404 (Not 
> > > > > Found)
> > > > > godiva2.js:264 Uncaught ReferenceError: YAHOO is not defined at 
> > > > > window.onload (godiva2.js:264)
> > > > > godiva2.html:1 Mixed Content: The page at 
> > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded 
> > > > > over HTTPS, but requested an insecure image 
> > > > > 'http://www2.demis.nl/wms/wms.ashx?WMS=WorldMap&LAYERS=Countries%2CBathymetr...vnd.ogc.s
> > > > >  e_inimage&SRS=EPSG%3A4326&BBOX=-180,-90,0,90&WIDTH=256&HEIGHT=256'. 
> > > > > This content should also be served over HTTPS.
> > > > > godiva2.html:1 Mixed Content: The page at 
> > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded 
> > > > > over HTTPS, but requested an insecure image 
> > > > > 'http://www2.demis.nl/wms/wms.ashx?WMS=WorldMap&LAYERS=Countries%2CBathymetr...Fvnd.ogc.
> > > > >  se_inimage&SRS=EPSG%3A4326&BBOX=0,-90,180,90&WIDTH=256&HEIGHT=256'. 
> > > > > This content should also be served over HTTPS.
> > > > > godiva2.html:1 Mixed Content: The page at 
> > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded 
> > > > > over HTTPS, but requested an insecure image 
> > > > > 'http://www2.demis.nl/wms/wms.ashx?WMS=WorldMap&LAYERS=Countries%2CBathymetr...vnd.ogc.s
> > > > >  e_inimage&SRS=EPSG%3A4326&BBOX=-180,-90,0,90&WIDTH=256&HEIGHT=256'. 
> > > > > This content should also be served over HTTPS.
> > > > > 2godiva2.html:1 Mixed Content: The page at 
> > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded 
> > > > > over HTTPS, but requested an insecure image 
> > > > > 'http://www2.demis.nl/wms/wms.ashx?WMS=WorldMap&LAYERS=Countries%2CBathymetr...Fvnd.ogc.
> > > > >  se_inimage&SRS=EPSG%3A4326&BBOX=0,-90,180,90&WIDTH=256&HEIGHT=256'. 
> > > > > This content should also be served over HTTPS.
> > > > > 2godiva2.html:1 Mixed Content: The page at 
> > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded 
> > > > > over HTTPS, but requested an insecure image 
> > > > > 'http://www2.demis.nl/wms/wms.ashx?WMS=WorldMap&LAYERS=Countries%2CBathymetr...vnd.ogc.s
> > > > >  e_inimage&SRS=EPSG%3A4326&BBOX=-180,-90,0,90&WIDTH=256&HEIGHT=256'. 
> > > > > This content should also be served over HTTPS.
> > > > > godiva2.html:1 Mixed Content: The page at 
> > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded 
> > > > > over HTTPS, but requested an insecure stylesheet 
> > > > > 'http://yui.yahooapis.com/2.5.2/build/reset-fonts-grids/reset-fonts-grids.css'.
> > > > >  This request has been blocked; the content must be served over HTTPS.
> > > > > godiva2.html:1 Mixed Content: The page at 
> > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded 
> > > > > over HTTPS, but requested an insecure stylesheet 
> > > > > 'http://yui.yahooapis.com/2.5.2/build/treeview/assets/skins/sam/treeview.css'.
> > > > >  This request has been blocked; the content must be served over HTTPS.
> > > > > godiva2.html:1 Mixed Content: The page at 
> > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded 
> > > > > over HTTPS, but requested an insecure stylesheet 
> > > > > 'http://yui.yahooapis.com/2.5.2/build/container/assets/skins/sam/container.css'.
> > > > >  This request has been blocked; the content must be served over HTTPS.
> > > > >
> > > > >
> > > >
> > >
> > >
> > > Ticket Details
> > > ===================
> > > Ticket ID: PCI-632644
> > > Department: Support THREDDS
> > > Priority: Normal
> > > Status: Open
> > > ===================
> > > NOTE: All email exchanges with Unidata User Support are recorded in the 
> > > Unidata inquiry tracking system and then made publicly available through 
> > > the web.  If you do not want to have your interactions made available in 
> > > this way, you must let us know in each email you send to us.
> > >
> > >
> > >
> > >
> > >
> >
> 
> Ticket Details
> ===================
> Ticket ID: PCI-632644
> Department: Support THREDDS
> Priority: High
> Status: Open
> ===================
> NOTE: All email exchanges with Unidata User Support are recorded in the 
> Unidata inquiry tracking system and then made publicly available through the 
> web.  If you do not want to have your interactions made available in this 
> way, you must let us know in each email you send to us.
> 
> 
> 
> 
> 

Ticket Details
===================
Ticket ID: PCI-632644
Department: Support THREDDS
Priority: High
Status: Open
===================
NOTE: All email exchanges with Unidata User Support are recorded in the Unidata 
inquiry tracking system and then made publicly available through the web.  If 
you do not want to have your interactions made available in this way, you must 
let us know in each email you send to us.