[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[THREDDS #PCI-632644]: mixed contents in Godiva2



No problem - thank you guys for kicking the tires on this!

Sean

address@hidden> wrote:

> New Client Reply: mixed contents in Godiva2
>
> Hi Sean,
>
> We installed the server and it works great. Our security guy will check it
> out. If we found any issue I will let you know.
>
> Thanks again for the fix.
>
> -Fan
>
>
> address@hidden> wrote:
>
>     Greetings Fan,
>
>     You can grab the snapshot war from here:
>
>     https://www.unidata.ucar.edu/staff/sarms/war/thredds%23%
> 234.6.11-20171109T1910-SNAPSHOT.war
>
>     Let us know how it goes!
>
>     Cheers,
>
>     Sean
>
>     > Greetings Fan,
>     >
>     > I've implemented this in https://github.com/Unidata/thredds/pull/946,
> and you can
>     > test the result on thredds.ucar.edu.
>     >
>     > For example, http:
>     >
>     > http://thredds.ucar.edu/thredds/godiva2/godiva2.html?
> server=http://thredds.ucar.edu/thredds/wms/grib/NCEP/GFS/
> Puerto_Rico_0p5deg/GFS_Puerto_Rico_0p5deg_20171109_1200.grib2
>     >
>     > vs https:
>     >
>     > https://thredds.ucar.edu/thredds/godiva2/godiva2.html?
> server=https://thredds.ucar.edu/thredds/wms/grib/NCEP/GFS/
> Puerto_Rico_0p5deg/GFS_Puerto_Rico_0p5deg_20171109_1200.grib2
>     >
>     > Once my PR is merged, I can make a snapshot war for you to test
> with. I'll
>     > update you, with a link, once it is ready.
>     >
>     > Cheers,
>     >
>     > Sean
>     >
>     >
>     > > Hi Sean,
>     > >
>     > > I think replacing the non-https âdeminâ server in the javascript
> call out would be a desirable solution. Letâs implement that if you can.
>     > >
>     > > Looking forward to your war file.  Thanks!
>     > >
>     > > -Fan
>     > >
> address@hidden> wrote:
>     > >
>     > > Greetings Fan,
>     > >
>     > > One of the demis servers is used as the default map background
> tile server, so you would
>     > > still see the javascript call out to a non-https resource,
> although Safari allows it. However,
>     > > I could modify the javascript to default to the nasa blue marble
> server and remove the demis
>     > > server options from the interface when https access to Godiva is
> detected. The http resources
>     > > would still be listed in the javascript, but would never actually
> be used or exposed as an option
>     > > to the end user. Would that be acceptable?
>     > >
>     > > Once we finalize on the above issue, I can cut you a snapshot war
> file to test with. I do not expect
>     > > a final release of 4.6.11 would take more than a week to get out
> the door, and it would not be
>     > > significantly different than the snapshot release I'd provide. We
> have a team meeting today
>     > > and I will see if there are any other things we need to get into a
> release and will have a better
>     > > idea then.
>     > >
>     > > Thanks for the info on EarthData login - very helpful information
> :-)
>     > >
>     > > Cheers,
>     > >
>     > > Sean
>     > >
>     > > > Thatâs excellent, Sean!
>     > > >
>     > > > I tried the URL you included. The first time the data didnât
> load, but it did when I hit reload, and it looked good.
>     > > >
>     > > > You said that the âdemisâ servers are still enabled, but would
> they show up in any transactions? I figured what you meant was that it is
> still in the code or configurations or both, but it shouldnât show up in
> any logs? I want to make sure that security scans would not detect any
> request to an HTTP server.
>     > > >
>     > > > So when would I be able to have the 4.6.11 .war file to test it
> out?
>     > > >
>     > > > Thanks so much for this quick turn-around.
>     > > >
>     > > > -Fan
>     > > >
>     > > > p.s. We did the EarthData URS-login implementation in the Apache
> server. It might be doable in Tomcat also but we didnât use that route. I
> know a few other NASA centers did the same. There is no need for TDS to
> implement anything specific for EarthData authorization, I think. At least
> not for now.
>     > > >
> address@hidden> wrote:
>     > > >
>     > > > Greetings Fan,
>     > > >
>     > > > I have a fix in for this issue. Part of the insecure resource
> access was addressed
>     > > > by https://github.com/Unidata/thredds/pull/825, but there were
> a few things I missed
>     > > > and have addressed them in https://github.com/Unidata/
> thredds/pull/945. To see a
>     > > > live example of the fixed code, check out:
>     > > >
>     > > > https://thredds.ucar.edu/thredds/godiva2/godiva2.html?
> server=https://thredds.ucar.edu/thredds/wms/grib/NCEP/
> HRRR/CONUS_2p5km/HRRR_CONUS_2p5km_20171108_2100.grib2
>     > > >
>     > > > Note that there are still issues with requesting tiles for two
> of the background map from the
>     > > > http://www2.demis.nl/wms/wms.ashx server. While the server does
> allow https access,
>     > > > their ssl certificate is not correct and, from what I can tell,
> something in OpenLayers
>     > > > fails to allow it it load. I'm not sure if that is something I
> can fix or not. However,
>     > > > there are two other map servers (NASA and NSIDC) that do work
> with https, and
>     > > > I've upgraded the code to use them (but the demis servers are
> still enabled in the interface).
>     > > >
>     > > > Both of the PRs I reference above are not in the current stable
> version (4.6.10), but we should
>     > > > cut a 4.6.11 stable release soon to get these fixes out.
>     > > >
>     > > > Cheers,
>     > > >
>     > > > Sean
>     > > >
>     > > > > Greetings Fan,
>     > > > >
>     > > > > I plan on taking at look at the issue today and will be able
> to update you
>     > > > > tomorrow as to the status.
>     > > > >
>     > > > > As a side note, I noticed the server in the logs below is
> setup to use the
>     > > > > EarthData Login system. Did you all write some code for an
> authorizer in
>     > > > > the TDS, or are you using Apache? I ask because I was going to
> write some
>     > > > > c for the TDS to handle EarthData Login auth, as we know that
> soon all
>     > > > > NASA data sources will require it, but if there is a solution
> in place, then I will
>     > > > > hold off writing anything.
>     > > > >
>     > > > > Cheers,
>     > > > >
>     > > > > Sean
>     > > > >
>     > > > > > Hi Sean,
>     > > > > >
>     > > > > > I want to add a note that NASA data centers, including us
> here at GES DISC, are mandated to make this HTTP to HTTPS transition. We
> would be forced to disable Godiva if there is any security hole found,
> including this mixed content issue. This would upset many of our TDS users.
> Therefore fixing this can become quite urgent.
>     > > > > >
>     > > > > > If you have put this into the planning, weâd appreciate it
> if you could share the schedule with us. Thanks.
>     > > > > >
>     > > > > > -Fan
>     > > > > >
> address@hidden> wrote:
>     > > > > >
>     > > > > > Would you mind if I open a github issue on this?
>     > > > > >
>     > > > > > > Greetings Fan,
>     > > > > > >
>     > > > > > > Since we do not run over https, I haven't encountered this
> behavior - thank you for your report!
>     > > > > > >
>     > > > > > > I'll take a look and see what can be done.
>     > > > > > >
>     > > > > > > Cheers,
>     > > > > > >
>     > > > > > > Sean
>     > > > > > >
>     > > > > > > > Hi. Ever since we migrated our servers from âHTTPâ to
> âHTTPSâ, the Godiva visualizer stopped working with some of the browsers.
> The Godiva setting makes a number of âHTTPâ requests internally and the
> browsers do not like it. For a sample list of such requests see below.
>     > > > > > > >
>     > > > > > > > Some browsers, such as Firefox and Chrome, detects
> unsecure requests and allows to temporarily disable âprotectionâ to make
> Godiva work as usual, while others, such as Safari, are entirely unhappy.
>     > > > > > > >
>     > > > > > > > I wonder if you plan to fix this in the next release of
> THREDDS server. Thanks.
>     > > > > > > >
>     > > > > > > > -Fan
>     > > > > > > >
>     > > > > > > > godiva2.html:11 Mixed Content: The page at '
> https://acdisc.gesdisc.eosdis.nasa.gov/thredds/
> godiva2/godiva2.html?server=...gregation/ncml/aggrega
> tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded over
> HTTPS, but requested an insecure stylesheet 'http://yui.yahooapis.com/2.5 .
> 2/build/reset-fonts-grids/reset-fonts-grids.css'. This request has been
> blocked; the content must be served over HTTPS.
>     > > > > > > > godiva2.html:28 Mixed Content: The page at '
> https://acdisc.gesdisc.eosdis.nasa.gov/thredds/
> godiva2/godiva2.html?server=...gregation/ncml/aggrega
> tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded over
> HTTPS, but requested an insecure stylesheet 'http://yui.yahooapis.com/2.5 .
> 2/build/treeview/assets/skins/sam/treeview.css'. This request has been
> blocked; the content must be served over HTTPS.
>     > > > > > > > godiva2.html:1 Mixed Content: The page at '
> https://acdisc.gesdisc.eosdis.nasa.gov/thredds/
> godiva2/godiva2.html?server=...gregation/ncml/aggrega
> tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded over
> HTTPS, but requested an insecure script 'http://yui.yahooapis.com/2.5.
> 2/build/yahoo-dom-event/yahoo-dom-event.js'. This request has been
> blocked; the content must be served over HTTPS.
>     > > > > > > > godiva2.html:1 Mixed Content: The page at '
> https://acdisc.gesdisc.eosdis.nasa.gov/thredds/
> godiva2/godiva2.html?server=...gregation/ncml/aggrega
> tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded over
> HTTPS, but requested an insecure script 'http://yui.yahooapis.com/2.5.
> 2/build/treeview/treeview-min.js'. This request has been blocked; the
> content must be served over HTTPS.
>     > > > > > > > godiva2.html:33 Mixed Content: The page at '
> https://acdisc.gesdisc.eosdis.nasa.gov/thredds/
> godiva2/godiva2.html?server=...gregation/ncml/aggrega
> tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded over
> HTTPS, but requested an insecure stylesheet 'http://yui.yahooapis.com/2.5 .
> 2/build/container/assets/skins/sam/container.css'. This request has been
> blocked; the content must be served over HTTPS.
>     > > > > > > > godiva2.html:1 Mixed Content: The page at '
> https://acdisc.gesdisc.eosdis.nasa.gov/thredds/
> godiva2/godiva2.html?server=...gregation/ncml/aggrega
> tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded over
> HTTPS, but requested an insecure script 'http://yui.yahooapis.com/2.5.
> 2/build/container/container-min.js'. This request has been blocked; the
> content must be served over HTTPS.
>     > > > > > > > godiva2.html:60 Mixed Content: The page at '
> https://acdisc.gesdisc.eosdis.nasa.gov/thredds/
> godiva2/godiva2.html?server=...gregation/ncml/aggrega
> tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded over
> HTTPS, but requested an insecure image 'http://www.resc.reading.ac.
> uk/images/new_logo_72dpi_web.png'. This content should also be served
> over HTTPS.
>     > > > > > > > godiva2.html:1 Mixed Content: The page at '
> https://acdisc.gesdisc.eosdis.nasa.gov/thredds/
> godiva2/godiva2.html?server=...gregation/ncml/aggrega
> tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded over
> HTTPS, but requested an insecure image 'http://www.met.reading.ac.uk/
> resc/home/images/new_logo_72dpi_web.png'. This content should also be
> served over HTTPS.
>     > > > > > > > www.met.reading.ac.uk/resc/home/images/new_logo_72dpi_
> web.png Failed to load resource: the server responded with a status of
> 404 (Not Found)
>     > > > > > > > godiva2.js:264 Uncaught ReferenceError: YAHOO is not
> defined at window.onload (godiva2.js:264)
>     > > > > > > > godiva2.html:1 Mixed Content: The page at '
> https://acdisc.gesdisc.eosdis.nasa.gov/thredds/
> godiva2/godiva2.html?server=...gregation/ncml/aggrega
> tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded over
> HTTPS, but requested an insecure image 'http://www2.demis.nl/wms/wms.
> ashx?WMS=WorldMap&LAYERS=Countries%2CBathymetr...vnd.ogc.s
> e_inimage&SRS=EPSG%3A4326&BBOX=-180,-90,0,90&WIDTH=256&HEIGHT=256'. This
> content should also be served over HTTPS.
>     > > > > > > > godiva2.html:1 Mixed Content: The page at '
> https://acdisc.gesdisc.eosdis.nasa.gov/thredds/
> godiva2/godiva2.html?server=...gregation/ncml/aggrega
> tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded over
> HTTPS, but requested an insecure image 'http://www2.demis.nl/wms/wms.
> ashx?WMS=WorldMap&LAYERS=Countries%2CBathymetr...Fvnd.ogc.
> se_inimage&SRS=EPSG%3A4326&BBOX=0,-90,180,90&WIDTH=256&HEIGHT=256'. This
> content should also be served over HTTPS.
>     > > > > > > > godiva2.html:1 Mixed Content: The page at '
> https://acdisc.gesdisc.eosdis.nasa.gov/thredds/
> godiva2/godiva2.html?server=...gregation/ncml/aggrega
> tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded over
> HTTPS, but requested an insecure image 'http://www2.demis.nl/wms/wms.
> ashx?WMS=WorldMap&LAYERS=Countries%2CBathymetr...vnd.ogc.s
> e_inimage&SRS=EPSG%3A4326&BBOX=-180,-90,0,90&WIDTH=256&HEIGHT=256'. This
> content should also be served over HTTPS.
>     > > > > > > > 2godiva2.html:1 Mixed Content: The page at '
> https://acdisc.gesdisc.eosdis.nasa.gov/thredds/
> godiva2/godiva2.html?server=...gregation/ncml/aggrega
> tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded over
> HTTPS, but requested an insecure image 'http://www2.demis.nl/wms/wms.
> ashx?WMS=WorldMap&LAYERS=Countries%2CBathymetr...Fvnd.ogc.
> se_inimage&SRS=EPSG%3A4326&BBOX=0,-90,180,90&WIDTH=256&HEIGHT=256'. This
> content should also be served over HTTPS.
>     > > > > > > > 2godiva2.html:1 Mixed Content: The page at '
> https://acdisc.gesdisc.eosdis.nasa.gov/thredds/
> godiva2/godiva2.html?server=...gregation/ncml/aggrega
> tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded over
> HTTPS, but requested an insecure image 'http://www2.demis.nl/wms/wms.
> ashx?WMS=WorldMap&LAYERS=Countries%2CBathymetr...vnd.ogc.s
> e_inimage&SRS=EPSG%3A4326&BBOX=-180,-90,0,90&WIDTH=256&HEIGHT=256'. This
> content should also be served over HTTPS.
>     > > > > > > > godiva2.html:1 Mixed Content: The page at '
> https://acdisc.gesdisc.eosdis.nasa.gov/thredds/
> godiva2/godiva2.html?server=...gregation/ncml/aggrega
> tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded over
> HTTPS, but requested an insecure stylesheet 'http://yui.yahooapis.com/2.5 .
> 2/build/reset-fonts-grids/reset-fonts-grids.css'. This request has been
> blocked; the content must be served over HTTPS.
>     > > > > > > > godiva2.html:1 Mixed Content: The page at '
> https://acdisc.gesdisc.eosdis.nasa.gov/thredds/
> godiva2/godiva2.html?server=...gregation/ncml/aggrega
> tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded over
> HTTPS, but requested an insecure stylesheet 'http://yui.yahooapis.com/2.5 .
> 2/build/treeview/assets/skins/sam/treeview.css'. This request has been
> blocked; the content must be served over HTTPS.
>     > > > > > > > godiva2.html:1 Mixed Content: The page at '
> https://acdisc.gesdisc.eosdis.nasa.gov/thredds/
> godiva2/godiva2.html?server=...gregation/ncml/aggrega
> tion/AIRS3C28.005/AIRS3C28.005_Aggregation.ncml.ncml' was loaded over
> HTTPS, but requested an insecure stylesheet 'http://yui.yahooapis.com/2.5 .
> 2/build/container/assets/skins/sam/container.css'. This request has been
> blocked; the content must be served over HTTPS.
>     > > > > > > >
>     > > > > > > >
>     > > > > > >
>     > > > > >
>     > > > > >
>     > > > > > Ticket Details
>     > > > > > ===================
>     > > > > > Ticket ID: PCI-632644
>     > > > > > Department: Support THREDDS
>     > > > > > Priority: Normal
>     > > > > > Status: Open
>     > > > > > ===================
>     > > > > > NOTE: All email exchanges with Unidata User Support are
> recorded in the Unidata inquiry tracking system and then made publicly
> available through the web.  If you do not want to have your interactions
> made available in this way, you must let us know in each email you send to
> us.
>     > > > > >
>     > > > > >
>     > > > > >
>     > > > > >
>     > > > > >
>     > > > >
>     > > >
>     > > > Ticket Details
>     > > > ===================
>     > > > Ticket ID: PCI-632644
>     > > > Department: Support THREDDS
>     > > > Priority: High
>     > > > Status: Open
>     > > > ===================
>     > > > NOTE: All email exchanges with Unidata User Support are recorded
> in the Unidata inquiry tracking system and then made publicly available
> through the web.  If you do not want to have your interactions made
> available in this way, you must let us know in each email you send to us.
>     > > >
>     > > >
>     > > >
>     > > >
>     > > >
>     > >
>     > > Ticket Details
>     > > ===================
>     > > Ticket ID: PCI-632644
>     > > Department: Support THREDDS
>     > > Priority: High
>     > > Status: Open
>     > > ===================
>     > > NOTE: All email exchanges with Unidata User Support are recorded
> in the Unidata inquiry tracking system and then made publicly available
> through the web.  If you do not want to have your interactions made
> available in this way, you must let us know in each email you send to us.
>     > >
>     > >
>     > >
>     > >
>     > >
>
>     Ticket Details
>     ===================
>     Ticket ID: PCI-632644
>     Department: Support THREDDS
>     Priority: High
>     Status: Open
>     ===================
>     NOTE: All email exchanges with Unidata User Support are recorded in
> the Unidata inquiry tracking system and then made publicly available
> through the web.  If you do not want to have your interactions made
> available in this way, you must let us know in each email you send to us.
>
>
>
>
>
>
> Ticket Details
> ===================
> Ticket ID: PCI-632644
> Department: Support THREDDS
> Priority: High
> Status: Open
> Link:  https://andy.unidata.ucar.edu/esupport/staff/index.php?_m=
> tickets&_a=viewticket&ticketid=28804
>
>



Ticket Details
===================
Ticket ID: PCI-632644
Department: Support THREDDS
Priority: High
Status: Open
===================
NOTE: All email exchanges with Unidata User Support are recorded in the Unidata 
inquiry tracking system and then made publicly available through the web.  If 
you do not want to have your interactions made available in this way, you must 
let us know in each email you send to us.



NOTE: All email exchanges with Unidata User Support are recorded in the Unidata inquiry tracking system and then made publicly available through the web. If you do not want to have your interactions made available in this way, you must let us know in each email you send to us.