Support https URLs
As requested by Fermilab, Frontend and Factory should also support https.
Frontend and Factory use their web servers for the staging and monitoring pages:
- staging must continue to use http, otherwise caching is not possible. Even if the files are small, the number of glideins is high and caching is essential
- monitoring pages should use https by default
This means that:
- Apache configuration should be changed accordingly
- Should be possible to keep http for sites that desire so (provide instructions and/or alternative/commented config file)
The initial request from Fermilab was to move to https, but a move of everything is not possible for the reasons expressed above
#1 Updated by Marco Mambelli about 1 year ago
Even if small in size, the files from the Factory and Frontend are downloaded by thousands of glideins. They rely heavily on HTTP proxies. HTTPS would increase the load on the server and the latency for all jobs. We found no way to cache the files with HTTPS. Proxies are considered to be Man-in-the-Middle attackers.
Only the monitoring pages should be moved to https.
Https should be enabled and the http requests for the monitoring area should be redirected to https.
An exemption should be requested for the staging area
#8 Updated by Lorena Lobato Pardavila 10 months ago
- Assignee changed from Lorena Lobato Pardavila to Dennis Box
- Status changed from Work in progress to Feedback
Changes done in v35/22579.
Now HTTPS connection is enabled for monitoring pages.
llobato@mac-126950:~/gwms_redmine_v36/glideinwms$ curl -I https://fermicloud332.fnal.gov/factory/monitor/
HTTP/1.1 200 OK
Date: Sat, 28 Sep 2019 22:53:52 GMT
Server: Apache/2.2.15 (Scientific Linux)
Last-Modified: Fri, 20 Sep 2019 22:45:59 GMT
ETag: "8008b-1793-59303d575b7c0"
Accept-Ranges: bytes
Content-Length: 6035
Connection: close
Content-Type: text/html; charset=UTF-8
And also it's automatically redirected if typing http:
llobato@mac-126950:~/gwms_redmine_v36/glideinwms$ curl -I http://fermicloud332.fnal.gov/factory/monitor/
HTTP/1.1 301 Moved Permanently
Date: Sat, 28 Sep 2019 22:53:47 GMT
Server: Apache/2.2.15 (Scientific Linux)
Location: https://fermicloud332.fnal.gov/factory/monitor/
Connection: close
Content-Type: text/html; charset=iso-8859-1
Tested also in the web browsers Safari and Chrome (especially in incognito windows to double-check possible cache issues)
Instructions to enable or disable HTTPS connections are in https://glideinwms.fnal.gov/doc.prd/components/prerequisites.html#system_httpd
Note that the mod_ssl module must be installed in advance for https to work. Also, due to issues with module oversteps (and to make installation easier), the mod_ssl load must be commented out in ssl.conf, as it comes by default in gwms-service.conf.
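
The manual curl checks in the thread above can be turned into a repeatable regression check of the split policy (monitoring redirects to https, everything else stays on http for proxy caching). This is an added example, not GlideinWMS code; the function names and the `HTTPS_ONLY` prefix list are assumptions, and any path outside that list is treated as a staging-type path.

```python
from urllib.parse import urlsplit

# Assumption: URL prefixes that must be https-only; adjust to the local layout.
HTTPS_ONLY = ("/factory/monitor/",)
# Reply to the http:// monitoring probe, trimmed from the output quoted above.
MONITOR_HTTP = """HTTP/1.1 301 Moved Permanently
Server: Apache/2.2.15 (Scientific Linux)
Location: https://fermicloud332.fnal.gov/factory/monitor/
"""
# Constructed sample: a staging reply that stays on plain http.
STAGE_HTTP = """HTTP/1.1 200 OK
Content-Length: 6035
"""

def parse_head(raw):
    """Split `curl -I` output into (status_code, {lowercased header: value})."""
    lines = [l.strip() for l in raw.strip().splitlines() if l.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def check_policy(url, raw, https_only=HTTPS_ONLY):
    """Return the policy violations for one http:// probe (empty list = OK)."""
    req = urlsplit(url)
    status, headers = parse_head(raw)
    loc = headers.get("location")
    if not any(req.path.startswith(p) for p in https_only):
        # Staging-type paths must stay on plain http so proxies can cache them.
        if loc and urlsplit(loc).scheme == "https":
            return ["redirected to https; proxy caching is lost"]
        return []
    problems = []
    if status not in (301, 308):
        problems.append(f"expected permanent redirect, got {status}")
    if not loc:
        return problems + ["no Location header"]
    dst = urlsplit(loc)
    if dst.scheme != "https":
        problems.append("Location is not https")
    if dst.hostname != req.hostname:
        problems.append("redirect leaves the original host")
    if dst.path != req.path:
        problems.append("redirect changes the path")
    return problems
```

Feed it the captured output of `curl -I http://...` for one monitoring URL and one staging URL after each Apache configuration change; a non-empty list means the redirect scope has drifted.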