
[THREDDS #PCI-632644]: mixed contents in Godiva2



Fan,

Sorry, I didn't see the question about Godiva3. There are issues with https
and Godiva3, but not like the ones here with the javascript libs. In the case
of Godiva3, it is using background tiles from the University of Reading's own
map server, and that does not look to support https at all. I'll touch base with
the devs to see what can be done so that we can be ready for 5.0 for you all.

Cheers,

Sean

> Greetings Fan,
> 
> You can grab the snapshot war from here:
> 
> https://www.unidata.ucar.edu/staff/sarms/war/thredds%23%234.6.11-20171109T1910-SNAPSHOT.war
> 
> Let us know how it goes!
> 
> Cheers,
> 
> Sean
> 
> > Greetings Fan,
> >
> > I've implemented this in https://github.com/Unidata/thredds/pull/946, and 
> > you can
> > test the result on thredds.ucar.edu.
> >
> > For example, http:
> >
> > http://thredds.ucar.edu/thredds/godiva2/godiva2.html?server=http://thredds.ucar.edu/thredds/wms/grib/NCEP/GFS/Puerto_Rico_0p5deg/GFS_Puerto_Rico_0p5deg_20171109_1200.grib2
> >
> > vs https:
> >
> > https://thredds.ucar.edu/thredds/godiva2/godiva2.html?server=https://thredds.ucar.edu/thredds/wms/grib/NCEP/GFS/Puerto_Rico_0p5deg/GFS_Puerto_Rico_0p5deg_20171109_1200.grib2
> >
> > Once my PR is merged, I can make a snapshot war for you to test with. I'll
> > update you, with a link, once it is ready.
> >
> > Cheers,
> >
> > Sean
> >
> >
> > > Hi Sean,
> > >
> > > I think replacing the non-https ‘demis’ server in the javascript call out 
> > > would be a desirable solution. Let’s implement that if you can.
> > >
> > > Looking forward to your war file.  Thanks!
> > >
> > > -Fan
> > >
> > > On 11/9/17, 9:19 AM, "Unidata THREDDS Support" <address@hidden> wrote:
> > >
> > > Greetings Fan,
> > >
> > > One of the demis servers is used as the default map background tile 
> > > server, so you would
> > > still see the javascript call out to a non-https resource, although 
> > > Safari allows it. However,
> > > I could modify the javascript to default to the nasa blue marble server 
> > > and remove the demis
> > > server options from the interface when https access to Godiva is 
> > > detected. The http resources
> > > would still be listed in the javascript, but would never actually be used 
> > > or exposed as an option
> > > to the end user. Would that be acceptable?
> > >
> > > Once we finalize on the above issue, I can cut you a snapshot war file to 
> > > test with. I do not expect
> > > a final release of 4.6.11 would take more than a week to get out the 
> > > door, and it would not be
> > > significantly different than the snapshot release I'd provide. We have a 
> > > team meeting today
> > > and I will see if there are any other things we need to get into a 
> > > release and will have a better
> > > idea then.
> > >
> > > Thanks for the info on EarthData login - very helpful information :-)
> > >
> > > Cheers,
> > >
> > > Sean
> > >
> > > > That’s excellent, Sean!
> > > >
> > > > I tried the URL you included. The first time the data didn’t load, but 
> > > > it did when I hit reload, and it looked good.
> > > >
> > > > You said that the ‘demis’ servers are still enabled, but would they 
> > > > show up in any transactions? I figured what you meant was that it is 
> > > > still in the code or configurations or both, but it shouldn’t show up 
> > > > in any logs? I want to make sure that security scans would not detect 
> > > > any request to an HTTP server.
> > > >
> > > > So when would I be able to have the 4.6.11 .war file to test it out?
> > > >
> > > > Thanks so much for this quick turn-around.
> > > >
> > > > -Fan
> > > >
> > > > p.s. We did the EarthData URS-login implementation in the Apache 
> > > > server. It might be doable in Tomcat also but we didn’t use that route. 
> > > > I know a few other NASA centers did the same. There is no need for TDS 
> > > > to implement anything specific for EarthData authorization, I think. At 
> > > > least not for now.
> > > >
> > > > On 11/8/17, 9:08 PM, "Unidata THREDDS Support" <address@hidden> wrote:
> > > >
> > > > Greetings Fan,
> > > >
> > > > I have a fix in for this issue. Part of the insecure resource access 
> > > > was addressed
> > > > by https://github.com/Unidata/thredds/pull/825, but there were a few 
> > > > things I missed
> > > > and have addressed them in https://github.com/Unidata/thredds/pull/945. 
> > > > To see a
> > > > live example of the fixed code, check out:
> > > >
> > > > https://thredds.ucar.edu/thredds/godiva2/godiva2.html?server=https://thredds.ucar.edu/thredds/wms/grib/NCEP/HRRR/CONUS_2p5km/HRRR_CONUS_2p5km_20171108_2100.grib2
> > > >
> > > > Note that there are still issues with requesting tiles for two of the 
> > > > background maps from the
> > > > http://www2.demis.nl/wms/wms.ashx server. While the server does allow 
> > > > https access,
> > > > their ssl certificate is not correct and, from what I can tell, 
> > > > something in OpenLayers
> > > > fails to allow it to load. I'm not sure if that is something I can fix 
> > > > or not. However,
> > > > there are two other map servers (NASA and NSIDC) that do work with 
> > > > https, and
> > > > I've upgraded the code to use them (but the demis servers are still 
> > > > enabled in the interface).
> > > >
> > > > Both of the PRs I reference above are not in the current stable version 
> > > > (4.6.10), but we should
> > > > cut a 4.6.11 stable release soon to get these fixes out.
> > > >
> > > > Cheers,
> > > >
> > > > Sean
> > > >
> > > > > Greetings Fan,
> > > > >
> > > > > I plan on taking at look at the issue today and will be able to 
> > > > > update you
> > > > > tomorrow as to the status.
> > > > >
> > > > > As a side note, I noticed the server in the logs below is setup to 
> > > > > use the
> > > > > EarthData Login system. Did you all write some code for an authorizer 
> > > > > in
> > > > > the TDS, or are you using Apache? I ask because I was going to write 
> > > > > some
> > > > > c for the TDS to handle EarthData Login auth, as we know that soon all
> > > > > NASA data sources will require it, but if there is a solution in 
> > > > > place, then I will
> > > > > hold off writing anything.
> > > > >
> > > > > Cheers,
> > > > >
> > > > > Sean
> > > > >
> > > > > > Hi Sean,
> > > > > >
> > > > > > I want to add a note that NASA data centers, including us here at 
> > > > > > GES DISC, are mandated to make this HTTP to HTTPS transition. We 
> > > > > > would be forced to disable Godiva if there is any security hole 
> > > > > > found, including this mixed content issue. This would upset many of 
> > > > > > our TDS users. Therefore fixing this can become quite urgent.
> > > > > >
> > > > > > If you have put this into the planning, we’d appreciate it if you 
> > > > > > could share the schedule with us. Thanks.
> > > > > >
> > > > > > -Fan
> > > > > >
> > > > > > On 11/2/17, 12:14 PM, "Unidata THREDDS Support" <address@hidden> 
> > > > > > wrote:
> > > > > >
> > > > > > Would you mind if I open a github issue on this?
> > > > > >
> > > > > > > Greetings Fan,
> > > > > > >
> > > > > > > Since we do not run over https, I haven't encountered this 
> > > > > > > behavior - thank you for your report!
> > > > > > >
> > > > > > > I'll take a look and see what can be done.
> > > > > > >
> > > > > > > Cheers,
> > > > > > >
> > > > > > > Sean
> > > > > > >
> > > > > > > > Hi. Ever since we migrated our servers from ‘HTTP’ to ‘HTTPS’, 
> > > > > > > > the Godiva visualizer stopped working with some of the 
> > > > > > > > browsers. The Godiva setting makes a number of ‘HTTP’ requests 
> > > > > > > > internally and the browsers do not like it. For a sample list 
> > > > > > > > of such requests see below.
> > > > > > > >
> > > > > > > > Some browsers, such as Firefox and Chrome, detect insecure 
> > > > > > > > requests and allow you to temporarily disable ‘protection’ to make 
> > > > > > > > Godiva work as usual, while others, such as Safari, are 
> > > > > > > > entirely unhappy.
> > > > > > > >
> > > > > > > > I wonder if you plan to fix this in the next release of THREDDS 
> > > > > > > > server. Thanks.
> > > > > > > >
> > > > > > > > -Fan
> > > > > > > >
> > > > > > > > godiva2.html:11 Mixed Content: The page at 
> > > > > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was 
> > > > > > > > loaded over HTTPS, but requested an insecure stylesheet 
> > > > > > > > 'http://yui.yahooapis.com/2.5.2/build/reset-fonts-grids/reset-fonts-grids.css'.
> > > > > > > >  This request has been blocked; the content must be served over 
> > > > > > > > HTTPS.
> > > > > > > > godiva2.html:28 Mixed Content: The page at 
> > > > > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was 
> > > > > > > > loaded over HTTPS, but requested an insecure stylesheet 
> > > > > > > > 'http://yui.yahooapis.com/2.5.2/build/treeview/assets/skins/sam/treeview.css'.
> > > > > > > >  This request has been blocked; the content must be served over 
> > > > > > > > HTTPS.
> > > > > > > > godiva2.html:1 Mixed Content: The page at 
> > > > > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was 
> > > > > > > > loaded over HTTPS, but requested an insecure script 
> > > > > > > > 'http://yui.yahooapis.com/2.5.2/build/yahoo-dom-event/yahoo-dom-event.js'.
> > > > > > > >  This request has been blocked; the content must be served over 
> > > > > > > > HTTPS.
> > > > > > > > godiva2.html:1 Mixed Content: The page at 
> > > > > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was 
> > > > > > > > loaded over HTTPS, but requested an insecure script 
> > > > > > > > 'http://yui.yahooapis.com/2.5.2/build/treeview/treeview-min.js'.
> > > > > > > >  This request has been blocked; the content must be served over 
> > > > > > > > HTTPS.
> > > > > > > > godiva2.html:33 Mixed Content: The page at 
> > > > > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was 
> > > > > > > > loaded over HTTPS, but requested an insecure stylesheet 
> > > > > > > > 'http://yui.yahooapis.com/2.5.2/build/container/assets/skins/sam/container.css'.
> > > > > > > >  This request has been blocked; the content must be served over 
> > > > > > > > HTTPS.
> > > > > > > > godiva2.html:1 Mixed Content: The page at 
> > > > > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was 
> > > > > > > > loaded over HTTPS, but requested an insecure script 
> > > > > > > > 'http://yui.yahooapis.com/2.5.2/build/container/container-min.js'.
> > > > > > > >  This request has been blocked; the content must be served over 
> > > > > > > > HTTPS.
> > > > > > > > godiva2.html:60 Mixed Content: The page at 
> > > > > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was 
> > > > > > > > loaded over HTTPS, but requested an insecure image 
> > > > > > > > 'http://www.resc.reading.ac.uk/images/new_logo_72dpi_web.png'. 
> > > > > > > > This content should also be served over HTTPS.
> > > > > > > > godiva2.html:1 Mixed Content: The page at 
> > > > > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was 
> > > > > > > > loaded over HTTPS, but requested an insecure image 
> > > > > > > > 'http://www.met.reading.ac.uk/resc/home/images/new_logo_72dpi_web.png'.
> > > > > > > >  This content should also be served over HTTPS.
> > > > > > > > www.met.reading.ac.uk/resc/home/images/new_logo_72dpi_web.png 
> > > > > > > > Failed to load resource: the server responded with a status of 
> > > > > > > > 404 (Not Found)
> > > > > > > > godiva2.js:264 Uncaught ReferenceError: YAHOO is not defined at 
> > > > > > > > window.onload (godiva2.js:264)
> > > > > > > > godiva2.html:1 Mixed Content: The page at 
> > > > > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was 
> > > > > > > > loaded over HTTPS, but requested an insecure image 
> > > > > > > > 'http://www2.demis.nl/wms/wms.ashx?WMS=WorldMap&LAYERS=Countries%2CBathymetr...vnd.ogc.s
> > > > > > > >  
> > > > > > > > e_inimage&SRS=EPSG%3A4326&BBOX=-180,-90,0,90&WIDTH=256&HEIGHT=256'.
> > > > > > > >  This content should also be served over HTTPS.
> > > > > > > > godiva2.html:1 Mixed Content: The page at 
> > > > > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was 
> > > > > > > > loaded over HTTPS, but requested an insecure image 
> > > > > > > > 'http://www2.demis.nl/wms/wms.ashx?WMS=WorldMap&LAYERS=Countries%2CBathymetr...Fvnd.ogc.
> > > > > > > >  
> > > > > > > > se_inimage&SRS=EPSG%3A4326&BBOX=0,-90,180,90&WIDTH=256&HEIGHT=256'.
> > > > > > > >  This content should also be served over HTTPS.
> > > > > > > > godiva2.html:1 Mixed Content: The page at 
> > > > > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was 
> > > > > > > > loaded over HTTPS, but requested an insecure image 
> > > > > > > > 'http://www2.demis.nl/wms/wms.ashx?WMS=WorldMap&LAYERS=Countries%2CBathymetr...vnd.ogc.s
> > > > > > > >  
> > > > > > > > e_inimage&SRS=EPSG%3A4326&BBOX=-180,-90,0,90&WIDTH=256&HEIGHT=256'.
> > > > > > > >  This content should also be served over HTTPS.
> > > > > > > > 2godiva2.html:1 Mixed Content: The page at 
> > > > > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was 
> > > > > > > > loaded over HTTPS, but requested an insecure image 
> > > > > > > > 'http://www2.demis.nl/wms/wms.ashx?WMS=WorldMap&LAYERS=Countries%2CBathymetr...Fvnd.ogc.
> > > > > > > >  
> > > > > > > > se_inimage&SRS=EPSG%3A4326&BBOX=0,-90,180,90&WIDTH=256&HEIGHT=256'.
> > > > > > > >  This content should also be served over HTTPS.
> > > > > > > > 2godiva2.html:1 Mixed Content: The page at 
> > > > > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was 
> > > > > > > > loaded over HTTPS, but requested an insecure image 
> > > > > > > > 'http://www2.demis.nl/wms/wms.ashx?WMS=WorldMap&LAYERS=Countries%2CBathymetr...vnd.ogc.s
> > > > > > > >  
> > > > > > > > e_inimage&SRS=EPSG%3A4326&BBOX=-180,-90,0,90&WIDTH=256&HEIGHT=256'.
> > > > > > > >  This content should also be served over HTTPS.
> > > > > > > > godiva2.html:1 Mixed Content: The page at 
> > > > > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was 
> > > > > > > > loaded over HTTPS, but requested an insecure stylesheet 
> > > > > > > > 'http://yui.yahooapis.com/2.5.2/build/reset-fonts-grids/reset-fonts-grids.css'.
> > > > > > > >  This request has been blocked; the content must be served over 
> > > > > > > > HTTPS.
> > > > > > > > godiva2.html:1 Mixed Content: The page at 
> > > > > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was 
> > > > > > > > loaded over HTTPS, but requested an insecure stylesheet 
> > > > > > > > 'http://yui.yahooapis.com/2.5.2/build/treeview/assets/skins/sam/treeview.css'.
> > > > > > > >  This request has been blocked; the content must be served over 
> > > > > > > > HTTPS.
> > > > > > > > godiva2.html:1 Mixed Content: The page at 
> > > > > > > > 'https://acdisc.gesdisc.eosdis.nasa.gov/thredds/godiva2/godiva2.html?server=...gregation/ncml/aggrega
> > > > > > > >  tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was 
> > > > > > > > loaded over HTTPS, but requested an insecure stylesheet 
> > > > > > > > 'http://yui.yahooapis.com/2.5.2/build/container/assets/skins/sam/container.css'.
> > > > > > > >  This request has been blocked; the content must be served over 
> > > > > > > > HTTPS.
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > > > Ticket Details
> > > > > > ===================
> > > > > > Ticket ID: PCI-632644
> > > > > > Department: Support THREDDS
> > > > > > Priority: Normal
> > > > > > Status: Open
> > > > > > ===================
> > > > > > NOTE: All email exchanges with Unidata User Support are recorded in 
> > > > > > the Unidata inquiry tracking system and then made publicly 
> > > > > > available through the web.  If you do not want to have your 
> > > > > > interactions made available in this way, you must let us know in 
> > > > > > each email you send to us.
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > >
> > > >
> > > > Ticket Details
> > > > ===================
> > > > Ticket ID: PCI-632644
> > > > Department: Support THREDDS
> > > > Priority: High
> > > > Status: Open
> > > > ===================
> > > > NOTE: All email exchanges with Unidata User Support are recorded in the 
> > > > Unidata inquiry tracking system and then made publicly available 
> > > > through the web.  If you do not want to have your interactions made 
> > > > available in this way, you must let us know in each email you send to 
> > > > us.


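The approach Sean describes above (hide the http-only demis options and default to an https-capable background server when Godiva is served over https), together with a static check of the kind Fan's security scans perform, as an added JavaScript example that is not Godiva2 or THREDDS code; the `bluemarble.example` and `nsidc.example` hosts, the `httpsOk` field and the sample page fragment are constructed, and only the demis and YUI URLs come from the thread.

```javascript
// Added example, not THREDDS/Godiva2 code: models the fix described in the
// thread. On an https page, http-only background tile servers are dropped and
// the first https-capable server becomes the default, so the browser never
// issues an http:// tile request. The NASA/NSIDC hosts and the httpsOk flag
// are constructed placeholders; only the demis URL comes from the thread.
const TILE_SERVERS = [
  { name: 'Demis WorldMap', url: 'http://www2.demis.nl/wms/wms.ashx', httpsOk: false },
  { name: 'NASA Blue Marble', url: 'http://bluemarble.example/wms', httpsOk: true },
  { name: 'NSIDC', url: 'http://nsidc.example/wms', httpsOk: true },
];

// True when fetching `url` from a page served over `pageProtocol` would be
// mixed content (an http: subresource on an https: page). Relative and
// protocol-relative (//host/...) URLs inherit the page scheme, so they are
// never mixed content.
function isMixedContent(pageProtocol, url) {
  if (pageProtocol !== 'https:') return false;
  return /^\s*http:\/\//i.test(url);
}

// Servers that may be offered on a page served over `pageProtocol`. On http
// every server is offered unchanged; on https only servers known to work over
// https are kept, rewritten to https:, so the first entry (the default) is
// always safe to load and the http-only ones never appear in the interface.
function selectTileServers(servers, pageProtocol) {
  if (pageProtocol !== 'https:') return servers.slice();
  return servers
    .filter((s) => s.httpsOk)
    .map((s) => ({ ...s, url: s.url.replace(/^http:/i, 'https:') }));
}

// Static mixed-content check over an HTML document, the kind of check a
// security scan performs: every src/href attribute whose URL would be blocked
// or flagged on an https page is reported with its attribute name.
function findMixedContent(html, pageProtocol) {
  const findings = [];
  const attr = /\b(src|href)\s*=\s*["']([^"']*)["']/gi;
  let m;
  while ((m = attr.exec(html)) !== null) {
    if (isMixedContent(pageProtocol, m[2])) {
      findings.push({ attr: m[1].toLowerCase(), url: m[2] });
    }
  }
  return findings;
}

// Constructed page fragment using two of the YUI 2.5.2 URLs from the console
// log quoted above; the https stylesheet, the relative script and the
// protocol-relative image are there to show what the check must not flag.
const SAMPLE_HTML = `
<link rel="stylesheet" href="http://yui.yahooapis.com/2.5.2/build/reset-fonts-grids/reset-fonts-grids.css">
<link rel="stylesheet" href="https://example.invalid/godiva2.css">
<script src="http://yui.yahooapis.com/2.5.2/build/yahoo-dom-event/yahoo-dom-event.js"></script>
<script src="js/godiva2.js"></script>
<img src="//tiles.example/wms?WMS=WorldMap">`;

console.log(findMixedContent(SAMPLE_HTML, 'https:'));          // 2 findings: the http: css and js
console.log(selectTileServers(TILE_SERVERS, 'https:')[0].name); // NASA Blue Marble
```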