Author Topic: [BitShares 2.0] Community Questions for the Devs (Discussion)  (Read 18014 times)

Offline tarugo

Hi guys,

How about putting a phone number where one can call you for some Q&A? Something like this website: http://theswedishnumber.com/

Offline xeroc

FUUUUUUUUUUUUUUUUUUUUUU....
it was working all along!
just the light wallet doesn't work with it
The online wallet is working

+5%

Would anyone of you mind writing this all together into a markdown/reStructuredText tutorial so that I can put it into docs.bts.eu?
That would be awesome!
i will write one on beyondbitcoin.org
if you want, you can use it

EDIT: https://beyondbitcoin.org/how-to-graphene-websocket-over-ssl-with-nginx-ubuntu-14-04/

Cool .. I'll put it there .. with a link to bb

Offline JA

One minor point - you should add this to your last step in the tutorial:

Quote
Not quite all you need to do -- after clicking the "Confirm" button you must also select the URL you just entered from the drop list on the left and refresh your browser to connect to it.
yea thanks updated

Offline Thom

One minor point - you should add this to your last step in the tutorial:

Quote
Not quite all you need to do -- after clicking the "Confirm" button you must also select the URL you just entered from the drop list on the left and refresh your browser to connect to it.
Injustice anywhere is a threat to justice everywhere - MLK |  Verbaltech2 Witness Reports: https://bitsharestalk.org/index.php/topic,23902.0.html

Offline JA

ok
wss://sync.cryptofeed.net now has a proper SSL certificate from StartSSL.com (free)
so it can also be used in the light wallet

I will monitor nginx and see how many connections, how much bandwidth, etc. it uses

would be nice if you could connect your client to it so I can make proper statistics
I will post them here on the forums without the IPs of course

Offline brads

Beware of self-signed certificates, they make websocket (wss) connections silently fail (Firefox at least).
« Last Edit: October 17, 2015, 08:58:58 am by brads »

Offline JA

FUUUUUUUUUUUUUUUUUUUUUU....
it was working all along!
just the light wallet doesn't work with it
The online wallet is working

+5%

Would anyone of you mind writing this all together into a markdown/reStructuredText tutorial so that I can put it into docs.bts.eu?
That would be awesome!
i will write one on beyondbitcoin.org
if you want, you can use it

EDIT: https://beyondbitcoin.org/how-to-graphene-websocket-over-ssl-with-nginx-ubuntu-14-04/
« Last Edit: October 17, 2015, 04:04:39 am by jabbajabbaつ◕_◕つ »

Offline xeroc

+5%

Would anyone of you mind writing this all together into a markdown/reStructuredText tutorial so that I can put it into docs.bts.eu?
That would be awesome!

Offline JA

Here's how to use nginx as an SSL proxy server for wss connections. I found this, which is almost exactly what is needed:

I successfully used this configuration for a reverse proxy to a self-made wss chat.

both your configs work for me for https.
https://sync.cryptofeed.net
but I still can't connect the light wallet via wss://sync.cryptofeed.net

edit: are you guys testing with your light wallet or with the online wallet?
« Last Edit: October 17, 2015, 02:42:24 am by jabbajabbaつ◕_◕つ »

Offline brads

I successfully used this configuration for a reverse proxy to a self-made wss chat.

worker_processes 1;

events {
    worker_connections 1024;
}

http {
    upstream wsbackends {
        server 127.0.0.1:8081;
    }

    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    server {
        listen 192.168.1.92:443 ssl;  # the ssl parameter replaces the deprecated "ssl on;" directive
        ssl_certificate cert.pem;
        ssl_certificate_key cert.key;
        ssl_session_cache off;
        ssl_session_timeout 5m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        location / {
            proxy_http_version 1.1;
            proxy_connect_timeout 5;
            proxy_pass http://wsbackends;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_read_timeout 86400;
        }
    }
}
« Last Edit: October 16, 2015, 08:41:30 pm by brads »

Offline Thom

Here's how to use nginx as an SSL proxy server for wss connections. I found this, which is almost exactly what is needed: https://github.com/nicokaiser/nginx-websocket-proxy/blob/master/simple-wss.conf.

Code: [Select]
# WebSocketSecure SSL Endpoint
#
# The proxy is also an SSL endpoint for WSS and HTTPS connections.
# So the clients can use wss:// connections
# (e.g. from pages served via HTTPS) which work better with broken
# proxy servers, etc.

server {
    listen 443 ssl;

    # host name to respond to
    server_name <yourServerIP or domain name>;

    # your SSL configuration
    # ("ssl" on the listen line replaces the deprecated "ssl on;" directive)
    # See https://www.digitalocean.com/community/tutorials/how-to-create-an-ssl-certificate-on-nginx-for-ubuntu-14-04
    ssl_certificate /etc/ssl/localcerts/ws.example.com.bundle.crt;
    ssl_certificate_key /etc/ssl/localcerts/ws.example.com.key;

    location / {
        # switch off logging
        #access_log off;

        # redirect all HTTP traffic to localhost:8090
        proxy_pass http://localhost:8090;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # WebSocket support (nginx 1.4)
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

If you go to settings, click the + button and enter another API url, then go to the left and click on the URL displayed it will show a drop down list of all API connection URLs available. Select the wss://<yourLocalServerIP>/ws you just entered from the drop down list, then reload the page to connect to the server. Go to the Explorer and you should see the blockchain update.
« Last Edit: October 16, 2015, 10:21:22 pm by Thom »
Injustice anywhere is a threat to justice everywhere - MLK |  Verbaltech2 Witness Reports: https://bitsharestalk.org/index.php/topic,23902.0.html

Offline Thom

Well, the nginx http proxy was just that easy. I can point my browser at it and the witness responds:

Code: [Select]
11 eof_exception: End Of File
stringstream
    {}
    th_a  sstream.cpp:109 peek

    {"str":""}
    th_a  json.cpp:478 from_string

That's using an https:// prefix. If I use wss:// that's a different story.

How are you doing the proxy for https://bitshares.openledger.info/ ?
What web server are you using?
Will another protocol definition be required?

Here's the nginx config that proxied the https --> rpc:8090
Quote
server {
        listen 443 ssl;
        server_name thom.domain.mine;

        # (the deprecated "ssl on;" is not needed: "ssl" is already set on the listen line)
        ssl_certificate /etc/nginx/ssl/certs/server.crt;
        ssl_certificate_key /etc/nginx/ssl/private/server.key;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;

#       ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
#       ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
#       ssl_prefer_server_ciphers on;

       location /wallet {
                proxy_pass http://localhost:8090;
       }
}
Injustice anywhere is a threat to justice everywhere - MLK |  Verbaltech2 Witness Reports: https://bitsharestalk.org/index.php/topic,23902.0.html
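
An added example, not code from any poster in this thread: a check that separates the two failures reported here, a certificate the client does not trust (the self-signed case) and a proxy that answers https:// but does not complete the WebSocket upgrade. The function names `expected_accept`, `classify_response` and `check_wss` are this example's own, and it uses only the Python standard library.

```python
import base64, hashlib, os, socket, ssl

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # constant fixed by RFC 6455

def expected_accept(key):
    """Sec-WebSocket-Accept a WebSocket server must return for this key."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def classify_response(raw, key):
    """Decide whether the proxy's reply completes a WebSocket upgrade."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    status = lines[0].split(" ", 2)
    if len(status) < 2 or not status[0].startswith("HTTP/"):
        return "not-http"
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    if status[1] != "101":  # e.g. plain proxy_pass, no Upgrade/Connection headers
        return "no-upgrade (status %s)" % status[1]
    if headers.get("upgrade", "").lower() != "websocket":
        return "bad-upgrade-header"
    if headers.get("sec-websocket-accept") != expected_accept(key):
        return "bad-accept"
    return "ok"

def check_wss(host, port=443, path="/", timeout=5.0):
    """Connect as a wallet would: verified TLS first, then the upgrade."""
    ctx = ssl.create_default_context()  # validates chain and hostname
    key = base64.b64encode(os.urandom(16)).decode("ascii")
    request = ("GET %s HTTP/1.1\r\nHost: %s\r\nUpgrade: websocket\r\n"
               "Connection: Upgrade\r\nSec-WebSocket-Key: %s\r\n"
               "Sec-WebSocket-Version: 13\r\n\r\n" % (path, host, key))
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                tls.sendall(request.encode("ascii"))
                raw = b""
                while b"\r\n\r\n" not in raw:
                    chunk = tls.recv(4096)
                    if not chunk:
                        break
                    raw += chunk
    except ssl.SSLCertVerificationError as exc:  # e.g. self-signed cert
        return "tls-cert-rejected: %s" % exc.verify_message
    except OSError as exc:
        return "connect-failed: %s" % exc
    return classify_response(raw, key)
```

Run `check_wss("<your server name>")` against your own proxy: `tls-cert-rejected` points at the certificate, `no-upgrade` at missing `Upgrade`/`Connection` headers in the nginx `location` block.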

Offline Thom

Yes I did mean to say "yet", as I'm sure it will get added eventually, they just haven't had the time yet. GL with the proxy, nginx is generally nice to work with so should be ok :)

Indeed. An answer was quick to find. Here is the basic nginx configuration needed for a proxy, assuming you already have a server defined to accept SSL requests:

Code: [Select]
server {
       listen 443;
       server_name mydomain.com;

       location / {
                proxy_pass http://localhost:8090;
       }
}

Injustice anywhere is a threat to justice everywhere - MLK |  Verbaltech2 Witness Reports: https://bitsharestalk.org/index.php/topic,23902.0.html

Offline svk

Is the websocket TLS interface of the witness_node functional now? If not it seems like a major shortcoming, as MITM attacks can occur between the browser and witness server. I am running a local seed node and want to enable a secure SSL (i.e. TLS) websocket channel for use with mobile devices.

I will make this node publicly accessible for people in my local community, who have confidence in my computer skills and would feel more secure knowing a local guy was running the server their wallets connect to. It also allows me to track activity in my local area.

They want a point of contact to run their pitch-forks into if something goes wrong rather than some nebulous "cloud" contact.

Code: [Select]
# Endpoint for TLS websocket RPC to listen on
rpc-tls-endpoint = 1.2.3.4:5000

# The TLS certificate file for this server
server-pem = serverWeb.crt

# Password for this certificate
server-pem-password = "this is the password for self signed cert used for www"

If so is there not a config parameter for the private half of the key as well? When I config a web server like nginx or apache there is the public .crt file and the private server.key file. Why only one in witness config?

Valentine told me we're using proxying for secure websocket to normal websocket so I don't think the witness_node can do wss directly.

Yet clearly it is anticipated, based on the comments in the config.ini.

But you did address the question. It may not be as efficient, but I'll look into how to set up a proxy server using nginx. I know how to set up SSL with a self-signed SSL cert for that, just a matter of forwarding those requests to 127.0.0.1:8090. Sounds easy, but may not be so to implement.

 +5% for your response svk.

Yes I did mean to say "yet", as I'm sure it will get added eventually, they just haven't had the time yet. GL with the proxy, nginx is generally nice to work with so should be ok :)
Worker: dev.bitsharesblocks

Offline Thom

Is the websocket TLS interface of the witness_node functional now? If not it seems like a major shortcoming, as MITM attacks can occur between the browser and witness server. I am running a local seed node and want to enable a secure SSL (i.e. TLS) websocket channel for use with mobile devices.

I will make this node publicly accessible for people in my local community, who have confidence in my computer skills and would feel more secure knowing a local guy was running the server their wallets connect to. It also allows me to track activity in my local area.

They want a point of contact to run their pitch-forks into if something goes wrong rather than some nebulous "cloud" contact.

Code: [Select]
# Endpoint for TLS websocket RPC to listen on
rpc-tls-endpoint = 1.2.3.4:5000

# The TLS certificate file for this server
server-pem = serverWeb.crt

# Password for this certificate
server-pem-password = "this is the password for self signed cert used for www"

If so is there not a config parameter for the private half of the key as well? When I config a web server like nginx or apache there is the public .crt file and the private server.key file. Why only one in witness config?

Valentine told me we're using proxying for secure websocket to normal websocket so I don't think the witness_node can do wss directly.

Yet clearly it is anticipated, based on the comments in the config.ini.

But you did address the question. It may not be as efficient, but I'll look into how to set up a proxy server using nginx. I know how to set up SSL with a self-signed SSL cert for that, just a matter of forwarding those requests to 127.0.0.1:8090. Sounds easy, but may not be so to implement.

 +5% for your response svk.
Injustice anywhere is a threat to justice everywhere - MLK |  Verbaltech2 Witness Reports: https://bitsharestalk.org/index.php/topic,23902.0.html