
Https Support

Open Tiberriver256 opened this issue 7 years ago • 15 comments

Polaris should support HTTPS. This issue is to discuss possibilities.


Discussion from #106


TylerSiegrist Is there already HTTPS support? That should probably be added before authentication is used.

@tylerl0706 That's a good point. I'll have to look into this.

Throwing this link down so I don't forget: https://stackoverflow.com/questions/11403333/httplistener-with-https-support

@tylerl0706 Probably can hook in LetsEncrypt in some way

@TylerSiegrist Might want to keep it agnostic or provide a way to use a cert installed on the local machine. Some companies like their own internal certs for this kind of thing. 😄

Tiberriver256 avatar Apr 15 '18 02:04 Tiberriver256

Did a bit of research.

Windows Side

Looks like @yusufozturk over in PoshServer has some good sample code to read through on creating SSL certs (if we want to) and registering existing certificates from the Cert drive using netsh.

Non-Windows Side

Not sure if it's supported at the moment. We'd have to give it a shot and see what it looks like. I believe since this is still open it's not going to be supported at the moment.

Tiberriver256 avatar Apr 15 '18 02:04 Tiberriver256

@Tiberriver256 did you see this?

Never realized HttpListener was in maintenance mode. I always thought about moving to Kestrel. If it's easy, that'd be pretty nice 😄

TylerLeonhardt avatar Apr 17 '18 01:04 TylerLeonhardt

Request-PoSHCertificate looks nice! I wonder if it works in PowerShell Core on Windows.

TylerLeonhardt avatar Apr 17 '18 01:04 TylerLeonhardt

@tylerl0706 - I had not seen that, no. That is sad, but I suppose it shouldn't be too big to port our tiny usage of HttpListener over.

Looks like it has a LOT of features in there.

Tiberriver256 avatar Apr 21 '18 06:04 Tiberriver256

Yeah and we'll get a lot of reliability cross plat. I'm curious if Kestrel can be used in Windows PowerShell. That's what I'm unsure of.

TylerLeonhardt avatar Apr 22 '18 00:04 TylerLeonhardt

I also have had the need to encrypt this service, and I managed to with a LetsEncrypt certificate. I might add a merge request in the future. In essence, what you do is change the listener to https, instead of http. In lib\Polaris.Class.ps1, line 242. To bind a certificate to the chosen port, run

netsh http add sslcert ipport=0.0.0.0:<port> certhash=<certificate thumbprint> appid='{d9c86d71-cda6-431e-b297-34e0560f8e30}'

This was my result:

C:\> Invoke-RestMethod -Uri https://subdomain.domain.com:8089/helloworld -Method POST
Hello World

PS: When pasting the certificate thumbprint from the Cert Store, paste it in a plaintext editor first. I failed my first attempts because of some invisible trash bytes being pasted over.

ItsNotRudy avatar Aug 05 '18 11:08 ItsNotRudy

This is awesome @ItsNotRudy! This would make an addition to Polaris.

TylerLeonhardt avatar Aug 08 '18 03:08 TylerLeonhardt

I think to fully address this, we could probably do something like:

  • Allow a -Https which will set this line to use http or https
  • Find a crossplat way of binding the cert to the chosen port that @ItsNotRudy pointed out
  • maybe have a -LetsEncrypt that uses this module to get the free cert using Lets Encrypt

TylerLeonhardt avatar Sep 30 '18 03:09 TylerLeonhardt

To add onto the great work @jeremymcgee73 did already on this I wanted to share this from a similar project NodePS from @TLaborde. He had some really great code here for automatically setting up some certificates.

https://github.com/TLaborde/NodePS/blob/85495bd521c229286b7a3a631a4ebd64df6c640a/NodePS/Public/Start-NodePSServer.ps1#L326-L340

https://github.com/TLaborde/NodePS/blob/master/NodePS/Private/Register-NodePSCertificate.ps1 https://github.com/TLaborde/NodePS/blob/master/NodePS/Private/Request-NodePSCertificate.ps1

Tiberriver256 avatar Nov 01 '18 19:11 Tiberriver256

Do you think we should automatically create an SSL cert when there isn't one? I get it, I just wonder if that adds too much bloat? I also wonder if this would require admin on a Windows box.

I do think a check should be added for HTTPS to be windows only for now. I can submit a PR for that.

jeremymcgee73 avatar Nov 01 '18 20:11 jeremymcgee73

That's a fair point. I like your suggestion on validating it for Windows.

On a side note for Linux support we could add a recommendation and instructions for wrapping the Polaris server in a proxy that does support https. Something like tinyproxy maybe?

Tiberriver256 avatar Nov 01 '18 20:11 Tiberriver256

You can validate the certificate with PowerShell/.NET. I use it for automated LE deployments. I have the function at work, I can post it tomorrow.

Rudy


ItsNotRudy avatar Nov 01 '18 22:11 ItsNotRudy

@ChrisMagnuson Thanks Chris. When/if we switch to Kestrel that will work for us. Unfortunately HTTPS isn't supported cross-platform using HttpListener. We do support SSL now on Windows. The cert must be added using the netsh command. I will work on writing docs on this soon.

jeremymcgee73 avatar Dec 07 '18 21:12 jeremymcgee73

@jeremymcgee73 Whenever you go to add docs, I have found that Add-NetIPHttpsCertBinding works in place of netsh:

# Placeholders not defined in the original snippet: folder holding the PFX and the listener port
$Local = 'C:\Certs'   # placeholder path
$Port  = 8089         # placeholder port

# Password protecting the PFX file
$CertificatePassword = "PasswordToDecryptCertificate" |
    ConvertTo-SecureString -AsPlainText -Force

# Import into the machine store, which is where http.sys looks the certificate up
$CertificateImport = Import-PfxCertificate -FilePath "$Local\Certificate.pfx" -CertStoreLocation Cert:\LocalMachine\My -Password $CertificatePassword

# Any GUID works as the application id; http.sys only uses it to identify the owner of the binding
$GUID = New-GUID | Select-Object -ExpandProperty GUID
Add-NetIPHttpsCertBinding -CertificateHash $CertificateImport.Thumbprint -ApplicationId "{$GUID}" -IpPort "0.0.0.0:$Port" -CertificateStoreName My -NullEncryption:$false

ChrisMagnuson avatar Dec 20 '18 18:12 ChrisMagnuson
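Pulling the thread's steps together as an added example (not Polaris code and not posted by any commenter): it strips the invisible bytes Rudy hit when pasting a thumbprint, applies the Windows-only check Jeremy proposed, checks the certificate before use, and then runs ItsNotRudy's netsh binding idempotently. The function name and parameters are assumptions; the appid GUID is the one from ItsNotRudy's command above and should be replaced with your own.

```powershell
# Added example, not Polaris project code. Register-HttpsBinding is an assumed name.
function Register-HttpsBinding {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][int]$Port,
        [string]$AppId = '{d9c86d71-cda6-431e-b297-34e0560f8e30}'  # GUID from ItsNotRudy's netsh example
    )
    # http.sys SSL bindings only exist on Windows; $IsWindows is undefined on
    # Windows PowerShell 5.1, so the PSEdition test short-circuits there.
    if ($PSVersionTable.PSEdition -eq 'Core' -and -not $IsWindows) {
        throw 'HTTPS binding via http.sys is only available on Windows.'
    }

    # Thumbprints copied from the cert store UI often carry a hidden mark character;
    # keep only hex digits so the store lookup does not silently fail.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) { throw "Thumbprint is not 40 hex characters after cleanup: '$Thumbprint'" }

    # http.sys needs the certificate (with private key) in the machine store.
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$clean" -ErrorAction SilentlyContinue
    if (-not $cert) { throw "No certificate $clean in Cert:\LocalMachine\My." }
    if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; it cannot terminate TLS.' }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }
    # Chain check as Rudy described; self-signed certs fail here unless the root is trusted.
    if (-not $cert.Verify()) { Write-Warning 'Certificate chain did not validate; clients will see a TLS warning.' }

    # Idempotent: leave an existing binding on this port alone.
    $existing = netsh http show sslcert "ipport=0.0.0.0:$Port"
    if ($LASTEXITCODE -eq 0 -and ($existing -match 'Certificate Hash')) {
        Write-Verbose "Port $Port already has an SSL binding; skipping."
        return
    }

    # Adding the binding needs an elevated shell (the admin requirement raised above).
    netsh http add sslcert "ipport=0.0.0.0:$Port" "certhash=$clean" "appid=$AppId"
    if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed with exit code $LASTEXITCODE" }
}

# Usage (placeholder values): bind port 8089 so Polaris can listen on https://host:8089
# Register-HttpsBinding -Thumbprint '<thumbprint from Cert:\LocalMachine\My>' -Port 8089 -Verbose
```

After this the Polaris listener prefix only needs to change from http:// to https:// for the same port, as ItsNotRudy's comment describes.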