Https Support

[Tiberriver256]

Polaris should support Https. This issue is to discuss possibilities

---

Discussion from #106

---

TylerSiegrist
Is there already HTTPS support? That should probably be added before authentication is used.

@tylerl0706
That's a good point. I'll have to look into this.

Throwing this link down so I don't forget:
https://stackoverflow.com/questions/11403333/httplistener-with-https-support

@tylerl0706
Probably can hook in LetsEncrypt in some way

@TylerSiegrist
Might want to keep it agnostic or provide a way to use a cert installed on the local machine. Some companies like their own internal certs for this kind of thing. 😄

[Tiberriver256]

Did a bit of research.

Windows Side

Looks like @yusufozturk over in PoshServer has some good sample code to read through on creating SSL certs (if we want to) and registering existing certificates from the Cert drive using netsh.

Non-Windows Side

Not sure if it's supported at the moment. We'd have to give it a shot and see what it looks like. I believe since this is still open it's not going to be supported at the moment.

[TylerLeonhardt]

@Tiberriver256 did you see this?

Never realized HttpListener was in maintenance mode. I always thought about moving to Kestrel. If it's easy, that'd be pretty nice 😄

[TylerLeonhardt]

Request-PoSHCertificate looks nice! I wonder if it works in PowerShell Core on Windows.

[Tiberriver256]

@tylerl0706 - I had not seen that no. That is sad but I suppose it shouldn't be too big to port our tiny usage of httplistener over.

Looks like it has a LOT of features in there.

[TylerLeonhardt]

Yeah and we'll get a lot of reliability cross plat. I'm curious if Kestrel can be used in Windows PowerShell. That's what I'm unsure of.

[ItsNotRudy]

I also have had the need to encrypt this service, and I managed to with a LetsEncrypt certificate. I might add a merge request in the future. In essence, what you do is change the listener to https, instead of http. In lib\Polaris.Class.ps1, line 242. To bind a certificate to the chosen port, run

netsh http add sslcert ipport=0.0.0.0:<port> certhash=<certificate thumbprint> appid='{d9c86d71-cda6-431e-b297-34e0560f8e30}'

This was my result:
C:\> Invoke-RestMethod -Uri https://subdomain.domain.com:8089/helloworld -Method POST
Hello World

PS: When pasting the certificate thumbprint from the Cert Store, paste it in a plaintext editor first. I failed my first attempts because of some invisible trash bytes being pasted over.

[TylerLeonhardt]

This is awesome @ItsNotRudy! This would make a addition to Polaris.

[TylerLeonhardt]

I think to fully address this, we could probably do something like:

• Allow a -Https which will set this line to use http or https
• Find a crossplat way of binding the cert to the chosen port that @ItsNotRudy pointed out
• maybe have a -LetsEncrypt that uses this module to get the free cert using Lets Encrypt

[Tiberriver256]

To add onto the great work @jeremymcgee73 did already on this I wanted to share this from a similar project NodePS from @TLaborde. He had some really great code here for automatically setting up some certificates.

https://github.com/TLaborde/NodePS/blob/85495bd521c229286b7a3a631a4ebd64df6c640a/NodePS/Public/Start-NodePSServer.ps1#L326-L340

https://github.com/TLaborde/NodePS/blob/master/NodePS/Private/Register-NodePSCertificate.ps1
https://github.com/TLaborde/NodePS/blob/master/NodePS/Private/Request-NodePSCertificate.ps1

[jeremymcgee73]

Do you think we should automatically create a SSL cert when there isn't one? I get it, I just wonder if that adds too much bloat? I also wonder if this would require admin on a windows box.

I do think a check should be added for HTTPS to be windows only for now. I can submit a PR for that.

[Tiberriver256]

That's a fair point. I like your suggestion on validating it for Windows.

On a side note for Linux support we could add a recommendation and instructions for wrapping the Polaris server in a proxy that does support https. Something like tinyproxy maybe?

[ItsNotRudy]

You can validate the certificate with powershell/.net. I use it for automated LE deployments. I have the function at work, I can post it tomorrow. Rudy

…

On 1 Nov 2018, at 21:57, Micah Rairdon ***@***.***> wrote: That's a fair point. I like your suggestion on validating it for Windows. On a side note for Linux support we could add a recommendation and instructions for wrapping the Polaris server in a proxy that does support https. Something like tinyproxy maybe? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

[ChrisMagnuson]

Here is an example from UniversalDashboard of using https with Kestrel with and without a certificate file.

[jeremymcgee73]

@ChrisMagnuson Thanks Chris. When/If we switch to Kestrel that will work for us. Unfortunately https isn't support cross platform using HTTPlistener. We do support SSL now on Windows. The cert must be added using the netsh command. I will work on writing docs on this soon.

[ChrisMagnuson]

@jeremymcgee73 Whenever you go to add docs, I have found that Add-NetIPHttpsCertBinding works in place of netssh:

$CertificatePassword = "PasswordToDecryptCertificate" |
ConvertTo-SecureString -AsPlainText -Force

$CertificateImport = Import-PfxCertificate -FilePath "$Local\Certificate.pfx" -CertStoreLocation Cert:\LocalMachine\My -Password $CertificatePassword
                
$GUID = New-GUID | Select-Object -ExpandProperty GUID
Add-NetIPHttpsCertBinding -CertificateHash $CertificateImport.Thumbprint -ApplicationId "{$GUID}" -IpPort "0.0.0.0:$Port" -CertificateStoreName My -NullEncryption:$false