[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[THREDDS #PCI-632644]: mixed contents in Godiva2



Greetings Fan,

You can grab the snapshot war from here:

https://www.unidata.ucar.edu/staff/sarms/war/thredds%23%234.6.11-20171109T1910-SNAPSHOT.war

Let us know how it goes!

Cheers,

Sean

> Greetings Fan,
> 
> I've implemented this in https://github.com/Unidata/thredds/pull/946, and you 
> can
> test the result on thredds.ucar.edu.
> 
> For example, http:
> 
> http://thredds.ucar.edu/thredds/godiva2/godiva2.html?server=http://thredds.ucar.edu/thredds/wms/grib/NCEP/GFS/Puerto_Rico_0p5deg/GFS_Puerto_Rico_0p5deg_20171109_1200.grib2
> 
> vs https:
> 
> https://thredds.ucar.edu/thredds/godiva2/godiva2.html?server=https://thredds.ucar.edu/thredds/wms/grib/NCEP/GFS/Puerto_Rico_0p5deg/GFS_Puerto_Rico_0p5deg_20171109_1200.grib2
> 
> Once my PR is merged, I can make a snapshot war for you to test with. I'll
> update you, with a link, once it is ready.
> 
> Cheers,
> 
> Sean
> 
> 
> > Hi Sean,
> >
> > I think replacing the non-https âdeminâ server in the javascript call 
> > out would be a desirable solution. Letâs implement that if you can.
> >
> > Looking forward to your war file.  Thanks!
> >
> > -Fan
> >
> > On 11/9/17, 9:19 AM, "Unidata THREDDS Support" <address@hidden> wrote:
> >
> > Greetings Fan,
> >
> > One of the demis servers is used as the default map background tile server, 
> > so you would
> > still see the javascript call out to a non-https resource, although Safari 
> > allows it. However,
> > I could modify the javascript to default to the nasa blue marble server and 
> > remove the demis
> > server options from the interface when https access to Godiva is detected. 
> > The http resources
> > would still be listed in the javascript, but would never actually be used 
> > or exposed as an option
> > to the end user. Would that be acceptable?
> >
> > Once we finalize on the above issue, I can cut you a snapshot war file to 
> > test with. I do not expect
> > a final release of 4.6.11 would take more than a week to get out the door, 
> > and it would not be
> > significantly different than the snapshot release I'd provide. We have a 
> > team meeting today
> > and I will see if there are any other things we need to get into a release 
> > and will have a better
> > idea then.
> >
> > Thanks for the info on EarthData login - very helpful information :-)
> >
> > Cheers,
> >
> > Sean
> >
> > > Thatâs excellent, Sean!
> > >
> > > I tried the URL you included. The first time the data didnât load, but 
> > > it did when I hit reload, and it looked good.
> > >
> > > You said that the âdemisâ servers are still enabled, but would they 
> > > show up in any transactions? I figured what you meant was that it is 
> > > still in the code or configurations or both, but it shouldnât show up 
> > > in any logs? I want to make sure that security scans would not detect any 
> > > request to an HTTP server.
> > >
> > > So when would I be able to have the 4.6.11 .war file to test it out?
> > >
> > > Thanks so much for this quick turn-around.
> > >
> > > -Fan
> > >
> > > p.s. We did the EarthData URS-login implementation in the Apache server. 
> > > It might be doable in Tomcat also but we didnât use that route. I know 
> > > a few other NASA centers did the same. There is no need for TDS to 
> > > implement anything specific for EarthData authorization, I think. At 
> > > least not for now.
> > >
> > > On 11/8/17, 9:08 PM, "Unidata THREDDS Support" <address@hidden> wrote:
> > >
> > > Greetings Fan,
> > >
> > > I have a fix in for this issue. Part of the insecure resource access was 
> > > addressed
> > > by https://github.com/Unidata/thredds/pull/825, but there were a few 
> > > things I missed
> > > and have addressed them in https://github.com/Unidata/thredds/pull/945. 
> > > To see a
> > > live example of the fixed code, check out:
> > >
> > > https://thredds.ucar.edu/thredds/godiva2/godiva2.html?server=https://thredds.ucar.edu/thredds/wms/grib/NCEP/HRRR/CONUS_2p5km/HRRR_CONUS_2p5km_20171108_2100.grib2
> > >
> > > Note that there are still issues with requesting tiles for two of the 
> > > background map from the
> > > http://www2.demis.nl/wms/wms.ashx server. While the server does allow 
> > > https access,
> > > their ssl certificate is not correct and, from what I can tell, something 
> > > in OpenLayers
> > > fails to allow it it load. I'm not sure if that is something I can fix or 
> > > not. However,
> > > there are two other map servers (NASA and NSIDC) that do work with https, 
> > > and
> > > I've upgraded the code to use them (but the demis servers are still 
> > > enabled in the interface).
> > >
> > > Both of the PRs I reference above are not in the current stable version 
> > > (4.6.10), but we should
> > > cut a 4.6.11 stable release soon to get these fixes out.
> > >
> > > Cheers,
> > >
> > > Sean
> > >
> > > > Greetings Fan,
> > > >
> > > > I plan on taking at look at the issue today and will be able to update 
> > > > you
> > > > tomorrow as to the status.
> > > >
> > > > As a side note, I noticed the server in the logs below is setup to use 
> > > > the
> > > > EarthData Login system. Did you all write some code for an authorizer in
> > > > the TDS, or are you using Apache? I ask because I was going to write 
> > > > some
> > > > c for the TDS to handle EarthData Login auth, as we know that soon all
> > > > NASA data sources will require it, but if there is a solution in place, 
> > > > then I will
> > > > hold off writing anything.
> > > >
> > > > Cheers,
> > > >
> > > > Sean
> > > >
> > > > > Hi Sean,
> > > > >
> > > > > I want to add a note that NASA data centers, including us here at GES 
> > > > > DISC, are mandated to make this HTTP to HTTPS transition. We would be 
> > > > > forced to disable Godiva if there is any security hole found, 
> > > > > including this mixed content issue. This would upset many of our TDS 
> > > > > users. Therefore fixing this can become quite urgent.
> > > > >
> > > > > If you have put this into the planning, weâd appreciate it if you 
> > > > > could share the schedule with us. Thanks.
> > > > >
> > > > > -Fan
> > > > >
> > > > > On 11/2/17, 12:14 PM, "Unidata THREDDS Support" <address@hidden> 
> > > > > wrote:
> > > > >
> > > > > Would you mind if I open a github issue on this?
> > > > >
> > > > > > Greetings Fan,
> > > > > >
> > > > > > Since we do not run over https, I haven't encountered this behavior 
> > > > > > - thank you for your report!
> > > > > >
> > > > > > I'll take a look and see what can be done.
> > > > > >
> > > > > > Cheers,
> > > > > >
> > > > > > Sean
> > > > > >
> > > > > > > Hi. Ever since we migrated our servers from âHTTPâ to 
> > > > > > > âHTTPSâ, the Godiva visualizer stopped working with some of 
> > > > > > > the browsers. The Godiva setting makes a number of âHTTPâ 
> > > > > > > requests internally and the browsers do not like it. For a sample 
> > > > > > > list of such requests see below.
> > > > > > >
> > > > > > > Some browsers, such as Firefox and Chrome, detects unsecure 
> > > > > > > requests and allows to temporarily disable âprotectionâ to 
> > > > > > > make Godiva work as usual, while others, such as Safari, are 
> > > > > > > entirely unhappy.
> > > > > > >
> > > > > > > I wonder if you plan to fix this in the next release of THREDDS 
> > > > > > > server. Thanks.
> > > > > > >
> > > > > > > -Fan
> > > > > > >
> > > > > > > godiva2.html:11 Mixed Content: The page at 
> > > > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded 
> > > > > > > over HTTPS, but requested an insecure stylesheet 
> > > > > > > 'http://yui.yahooapis.com/2.5.2/build/reset-fonts-grids/reset-fonts-grids.css'.
> > > > > > >  This request has been blocked; the content must be served over 
> > > > > > > HTTPS.
> > > > > > > godiva2.html:28 Mixed Content: The page at 
> > > > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded 
> > > > > > > over HTTPS, but requested an insecure stylesheet 
> > > > > > > 'http://yui.yahooapis.com/2.5.2/build/treeview/assets/skins/sam/treeview.css'.
> > > > > > >  This request has been blocked; the content must be served over 
> > > > > > > HTTPS.
> > > > > > > godiva2.html:1 Mixed Content: The page at 
> > > > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded 
> > > > > > > over HTTPS, but requested an insecure script 
> > > > > > > 'http://yui.yahooapis.com/2.5.2/build/yahoo-dom-event/yahoo-dom-event.js'.
> > > > > > >  This request has been blocked; the content must be served over 
> > > > > > > HTTPS.
> > > > > > > godiva2.html:1 Mixed Content: The page at 
> > > > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded 
> > > > > > > over HTTPS, but requested an insecure script 
> > > > > > > 'http://yui.yahooapis.com/2.5.2/build/treeview/treeview-min.js'. 
> > > > > > > This request has been blocked; the content must be served over 
> > > > > > > HTTPS.
> > > > > > > godiva2.html:33 Mixed Content: The page at 
> > > > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded 
> > > > > > > over HTTPS, but requested an insecure stylesheet 
> > > > > > > 'http://yui.yahooapis.com/2.5.2/build/container/assets/skins/sam/container.css'.
> > > > > > >  This request has been blocked; the content must be served over 
> > > > > > > HTTPS.
> > > > > > > godiva2.html:1 Mixed Content: The page at 
> > > > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded 
> > > > > > > over HTTPS, but requested an insecure script 
> > > > > > > 'http://yui.yahooapis.com/2.5.2/build/container/container-min.js'.
> > > > > > >  This request has been blocked; the content must be served over 
> > > > > > > HTTPS.
> > > > > > > godiva2.html:60 Mixed Content: The page at 
> > > > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded 
> > > > > > > over HTTPS, but requested an insecure image 
> > > > > > > 'http://www.resc.reading.ac.uk/images/new_logo_72dpi_web.png'. 
> > > > > > > This content should also be served over HTTPS.
> > > > > > > godiva2.html:1 Mixed Content: The page at 
> > > > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded 
> > > > > > > over HTTPS, but requested an insecure image 
> > > > > > > 'http://www.met.reading.ac.uk/resc/home/images/new_logo_72dpi_web.png'.
> > > > > > >  This content should also be served over HTTPS.
> > > > > > > www.met.reading.ac.uk/resc/home/images/new_logo_72dpi_web.png 
> > > > > > > Failed to load resource: the server responded with a status of 
> > > > > > > 404 (Not Found)
> > > > > > > godiva2.js:264 Uncaught ReferenceError: YAHOO is not defined at 
> > > > > > > window.onload (godiva2.js:264)
> > > > > > > godiva2.html:1 Mixed Content: The page at 
> > > > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded 
> > > > > > > over HTTPS, but requested an insecure image 
> > > > > > > 'http://www2.demis.nl/wms/wms.ashx?WMS=WorldMap&LAYERS=Countries%2CBathymetr...vnd.ogc.s
> > > > > > >  
> > > > > > > e_inimage&SRS=EPSG%3A4326&BBOX=-180,-90,0,90&WIDTH=256&HEIGHT=256'.
> > > > > > >  This content should also be served over HTTPS.
> > > > > > > godiva2.html:1 Mixed Content: The page at 
> > > > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded 
> > > > > > > over HTTPS, but requested an insecure image 
> > > > > > > 'http://www2.demis.nl/wms/wms.ashx?WMS=WorldMap&LAYERS=Countries%2CBathymetr...Fvnd.ogc.
> > > > > > >  
> > > > > > > se_inimage&SRS=EPSG%3A4326&BBOX=0,-90,180,90&WIDTH=256&HEIGHT=256'.
> > > > > > >  This content should also be served over HTTPS.
> > > > > > > godiva2.html:1 Mixed Content: The page at 
> > > > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded 
> > > > > > > over HTTPS, but requested an insecure image 
> > > > > > > 'http://www2.demis.nl/wms/wms.ashx?WMS=WorldMap&LAYERS=Countries%2CBathymetr...vnd.ogc.s
> > > > > > >  
> > > > > > > e_inimage&SRS=EPSG%3A4326&BBOX=-180,-90,0,90&WIDTH=256&HEIGHT=256'.
> > > > > > >  This content should also be served over HTTPS.
> > > > > > > 2godiva2.html:1 Mixed Content: The page at 
> > > > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded 
> > > > > > > over HTTPS, but requested an insecure image 
> > > > > > > 'http://www2.demis.nl/wms/wms.ashx?WMS=WorldMap&LAYERS=Countries%2CBathymetr...Fvnd.ogc.
> > > > > > >  
> > > > > > > se_inimage&SRS=EPSG%3A4326&BBOX=0,-90,180,90&WIDTH=256&HEIGHT=256'.
> > > > > > >  This content should also be served over HTTPS.
> > > > > > > 2godiva2.html:1 Mixed Content: The page at 
> > > > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded 
> > > > > > > over HTTPS, but requested an insecure image 
> > > > > > > 'http://www2.demis.nl/wms/wms.ashx?WMS=WorldMap&LAYERS=Countries%2CBathymetr...vnd.ogc.s
> > > > > > >  
> > > > > > > e_inimage&SRS=EPSG%3A4326&BBOX=-180,-90,0,90&WIDTH=256&HEIGHT=256'.
> > > > > > >  This content should also be served over HTTPS.
> > > > > > > godiva2.html:1 Mixed Content: The page at 
> > > > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded 
> > > > > > > over HTTPS, but requested an insecure stylesheet 
> > > > > > > 'http://yui.yahooapis.com/2.5.2/build/reset-fonts-grids/reset-fonts-grids.css'.
> > > > > > >  This request has been blocked; the content must be served over 
> > > > > > > HTTPS.
> > > > > > > godiva2.html:1 Mixed Content: The page at 
> > > > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded 
> > > > > > > over HTTPS, but requested an insecure stylesheet 
> > > > > > > 'http://yui.yahooapis.com/2.5.2/build/treeview/assets/skins/sam/treeview.css'.
> > > > > > >  This request has been blocked; the content must be served over 
> > > > > > > HTTPS.
> > > > > > > godiva2.html:1 Mixed Content: The page at 
> > > > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded 
> > > > > > > over HTTPS, but requested an insecure stylesheet 
> > > > > > > 'http://yui.yahooapis.com/2.5.2/build/container/assets/skins/sam/container.css'.
> > > > > > >  This request has been blocked; the content must be served over 
> > > > > > > HTTPS.
> > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > > >
> > > > > Ticket Details
> > > > > ===================
> > > > > Ticket ID: PCI-632644
> > > > > Department: Support THREDDS
> > > > > Priority: Normal
> > > > > Status: Open
> > > > > ===================
> > > > > NOTE: All email exchanges with Unidata User Support are recorded in 
> > > > > the Unidata inquiry tracking system and then made publicly available 
> > > > > through the web.  If you do not want to have your interactions made 
> > > > > available in this way, you must let us know in each email you send to 
> > > > > us.
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > >
> > >
> > > Ticket Details
> > > ===================
> > > Ticket ID: PCI-632644
> > > Department: Support THREDDS
> > > Priority: High
> > > Status: Open
> > > ===================
> > > NOTE: All email exchanges with Unidata User Support are recorded in the 
> > > Unidata inquiry tracking system and then made publicly available through 
> > > the web.  If you do not want to have your interactions made available in 
> > > this way, you must let us know in each email you send to us.
> > >
> > >
> > >
> > >
> > >
> >
> > Ticket Details
> > ===================
> > Ticket ID: PCI-632644
> > Department: Support THREDDS
> > Priority: High
> > Status: Open
> > ===================
> > NOTE: All email exchanges with Unidata User Support are recorded in the 
> > Unidata inquiry tracking system and then made publicly available through 
> > the web.  If you do not want to have your interactions made available in 
> > this way, you must let us know in each email you send to us.
> >
> >
> >
> >
> >

Ticket Details
===================
Ticket ID: PCI-632644
Department: Support THREDDS
Priority: High
Status: Open
===================
NOTE: All email exchanges with Unidata User Support are recorded in the Unidata 
inquiry tracking system and then made publicly available through the web.  If 
you do not want to have your interactions made available in this way, you must 
let us know in each email you send to us.



NOTE: All email exchanges with Unidata User Support are recorded in the Unidata inquiry tracking system and then made publicly available through the web. If you do not want to have your interactions made available in this way, you must let us know in each email you send to us.