Using HTTPS and WebAPI
Since the CernVM WebAPI daemon runs an HTTP server bound to the localhost address, it cannot use SSL encryption. That's because it's not possible to issue an SSL certificate for the localhost address, and installing our own CA on the user's computer implies additional security risks.
Unfortunately, because the latest HTML5 security policies restrict the mixing of HTTP and HTTPS content, the JavaScript library cannot establish a WebSocket connection to the WebAPI daemon if the library is served under HTTPS.
There is a simple solution to this problem, but it only works if you do not need to have real-time feedback to the hosting website:
- Prepare your VMCP response while in the secure session.
- Store it under a key with a unique ID.
- Open an HTTP pop-up window to handle the request.
You can read more in the next section:
As mentioned before, the easiest trick is to compile the configuration of your VM while in a secure session and open an insecure pop-up window to handle the launching process. Let's explore this option in a step-by-step example:
Let's say that the user is on your website https://website.com/repository and chooses to start a particular VM. You can use your session information (e.g. the current user's name, preferences etc.) and his/her choice to compile the specifications of the VM you want to serve as a VMCP object:
```json
{
  "name": "John__UbuntuVM",
  "secret": "us3rspassword",
  "vcpus": 1,
  "memory": 512,
  "cernvmVersion": "latest",
  "flags": 8,
  "userData": "[amiconfig]\nplugins=cernvm\n[cernvm]\nusers=user:users:usersecret"
}
```

Then create a cryptographically unique ID and store this object in a key/value store under this ID.
Let's say for our example that the ID is 4DC05982-614C-4539-8E0E-D2C4B37C6C92.
In order to pass this data to CernVM WebAPI you will need a VMCP endpoint. Since we are going to serve it under an HTTP session you will need to expose this information.
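One way to implement the store-under-a-unique-ID step described above, as an added example rather than code from the CernVM WebAPI project. Python on the server side, the in-memory `PendingVMCPStore` class, the 60-second lifetime and the single-use lookup are all assumptions of this example; because the object carries secrets and is later fetched over plain HTTP, the ID is the only thing protecting it.

```python
import json
import time
import uuid

# Assumption: 60 seconds is enough for the HTTP pop-up to load and fetch the object.
TTL_SECONDS = 60

# The VMCP object from the text above, reproduced as sample input.
SAMPLE_VMCP = {
    "name": "John__UbuntuVM",
    "secret": "us3rspassword",
    "vcpus": 1,
    "memory": 512,
    "cernvmVersion": "latest",
    "flags": 8,
    "userData": "[amiconfig]\nplugins=cernvm\n[cernvm]\nusers=user:users:usersecret",
}


class PendingVMCPStore:
    """Hypothetical in-memory stand-in for the key/value store."""

    def __init__(self, ttl=TTL_SECONDS, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock
        self._items = {}

    def put(self, vmcp):
        """Called in the HTTPS session: store the object, return its ID."""
        # uuid4() takes its 122 random bits from os.urandom, so IDs are unguessable.
        request_id = str(uuid.uuid4()).upper()
        self._items[request_id] = (self._clock() + self._ttl, json.dumps(vmcp))
        return request_id

    def take(self, request_id):
        """Called by the HTTP side: return the object once, else None."""
        try:
            # Parse first so malformed input is rejected before any lookup.
            key = str(uuid.UUID(request_id)).upper()
        except (ValueError, AttributeError, TypeError):
            return None
        # pop() makes the ID single-use: a replayed or sniffed ID finds nothing.
        entry = self._items.pop(key, None)
        if entry is None:
            return None
        expires_at, payload = entry
        if self._clock() > expires_at:
            return None
        return json.loads(payload)
```
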