
20170830-support-https

Summary

  • Status page is no longer refreshed
  • Ajax Mouse Over do not work in the Drugshortage view
  • Move all LNFs to support https
  • Keep in Mind

Commits

Index

Status page is no longer refreshed

The page http://ch.oddb.org/resources/downloads/status reports as its last line 2017-08-29 14:48:23: sessions: 171 - threads: 7 - memory: 2071MB. Why? Because it now uses the APPNAME oddb, like the other Rack apps. It is available under http://ch.oddb.org/resources/downloads/status_oddb

The following status pages work correctly

Created a logical link

cd /var/www/oddb.org/doc/resources/downloads
ln -s status_oddb status
chown apache:apache status

Ajax Mouse Over do not work in the Drugshortage view

Is this still the case? I tested by entering drug_shortage on the homepage using price-comparison. The mouse over works (using Chromium). See

Only the first two mouse overs worked. Fixed with commit Display all Ajax-MouseOver for drugshortage. I needed to make the CSS-ID unique for each mouse over.

Make all LNFs to support https

Redirected in my firewall ports 80 and 443 to oddb-ci2.

Installed letsencrypt certbot on oddb-ci2 by calling sudo emerge --ask app-crypt/certbot

Installed the certificates using

/etc/init.d/apache2 stop
certbot --standalone certonly -w /var/www/oddb.org \
 -d evidentia.oddb-ci2.dyndns.org \
 -d generika.oddb-ci2.dyndns.org \
 -d i.oddb-ci2.dyndns.org \
 -d oddb-ci2.dyndns.org \
 -d oekk.oddb-ci2.dyndns.org \
 -d santesuisse.oddb-ci2.dyndns.org
cd /etc/letsencrypt/live/
ln -s  evidentia.oddb-ci2.dyndns.org/ ch.oddb.org
/etc/init.d/apache2 start

Adding some ServerAliases and setting the correct IP for oddb-ci2.dyndns.org above to etc/20_oddb.org.rack.conf

As Zeno wanted to install letsencrypt from source I used

sudo emerge --unmerge app-crypt/certbot 
git clone https://github.com/letsencrypt/letsencrypt /usr/local/src/letsencrypt
cd  /usr/local/src/letsencrypt
sudo rm -rf /etc/letsencrypt
sudo ./certbot-auto certonly --standalone -w /var/www/oddb.org -d oddb-ci2.dyndns.org -d i.oddb-ci2.dyndns.org
WARNING: certbot-auto support for this Gentoo is DEPRECATED!
Please visit certbot.eff.org to learn how to download a version of
Certbot that is packaged for your system. While an existing version
of certbot-auto may work currently, we have stopped supporting updating
system packages for your system. Please switch to a packaged version
as soon as possible.

Looked at the source code of the warning https://github.com/certbot/certbot/commit/bb6a22b9853cfab2a06cb020ddf57dd5a6ae8eba?diff=split

Now I am trying

sudo ./certbot-auto certonly --debug --standalone -w /var/www/oddb.org -d oddb-ci2.dyndns.org -d i.oddb-ci2.dyndns.org
Bootstrapping dependencies for Gentoo... (you can skip this with --no-bootstrap)

These are the packages that would be merged, in order:

Calculating dependencies... done!

Nothing to merge; quitting.

Creating virtual environment...
Installing Python packages...
Installation succeeded.
...
:

Had to repeat the command above after running /etc/init.d/apache2 stop. Now the certificate is saved under /etc/letsencrypt/live/oddb-ci2.dyndns.org/fullchain.pem

Setting the following variables in 00_default_ssl_vhost.conf

       SSLCertificateFile /etc/letsencrypt/live/oddb-ci2.dyndns.org/cert.pem               
       SSLCertificateKeyFile /etc/letsencrypt/live/oddb-ci2.dyndns.org/privkey.pem
       SSLCertificateChainFile /etc/letsencrypt/live/oddb-ci2.dyndns.org/fullchain.pem

Restarted apache. Now https://oddb-ci2.dyndns.org/ shows "It works. Serving localhost (not server oddb-ci2.dyndns.org)!" and leads to the following entry in var/log/apache2/ssl_access_log: 192.168.0.75 - - [30/Aug/2017:12:08:24 +0200] "GET / HTTP/1.1" 304 -

We must correct the apache conf again. Setting <VirtualHost 192.168.0.75:443> solved the problem and https://oddb-ci2.dyndns.org/ shows the home page without the correct CSS. Clicking on a link, however, produces an error, e.g. when visiting https://oddb-ci2.dyndns.orgde/gcc/fachinfo/reg/65082 the error is "Der Server unter oddb-ci2.dyndns.orgde konnte nicht gefunden werden.", as there is a missing '/' after the server address.

Placed a binding.pry in /home/niklaus/git/sbsm/lib/sbsm/session.rb to analyse the incoming rack_request (for https://oddb-ci2.dyndns.org/) which looks like this

=> #<Rack::Request:0x00560e56eac350
 @env=
  {"GATEWAY_INTERFACE"=>"CGI/1.1",
   "PATH_INFO"=>"/",
   "QUERY_STRING"=>"",
   "REMOTE_ADDR"=>"::1",
   "REMOTE_HOST"=>"::1",
   "REQUEST_METHOD"=>"GET",
   "REQUEST_URI"=>"http://oddb-ci2.dyndns.org/",
   "SCRIPT_NAME"=>"",
   "SERVER_NAME"=>"oddb-ci2.dyndns.org",
   "SERVER_PORT"=>"80",
   "SERVER_PROTOCOL"=>"HTTP/1.1",
   "SERVER_SOFTWARE"=>"WEBrick/1.3.1 (Ruby/2.4.0/2016-12-24)",
   "HTTP_HOST"=>"localhost:8012",
   "HTTP_USER_AGENT"=>"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0",
   "HTTP_ACCEPT"=>"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
   "HTTP_ACCEPT_LANGUAGE"=>"en-US,en;q=0.5",
   "HTTP_ACCEPT_ENCODING"=>"gzip, deflate, br",
   "HTTP_COOKIE"=>"oddb.org=language%3Dde%3Bresultview%3Dpages; _session_id=1f50b73d45ff1d2c5b1cb4a7ce5; __utma=120231382.1168033660.1499166184.1499259000.1502478569.4; __utmz=120231382.1499166185.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmc=120231382",
   "HTTP_DNT"=>"1",
   "HTTP_UPGRADE_INSECURE_REQUESTS"=>"1",
   "HTTP_X_FORWARDED_FOR"=>"212.101.17.47",
   "HTTP_X_FORWARDED_HOST"=>"oddb-ci2.dyndns.org",
   "HTTP_X_FORWARDED_SERVER"=>"oddb-ci2.dyndns.org",
   "HTTP_CONNECTION"=>"close",
   "rack.version"=>[1, 3],
   "rack.input"=>#<Rack::Lint::InputWrapper:0x00560e56eac3c8 @input=#<Rack::Lint::InputWrapper:0x00560e56eba0e0 @input=#<StringIO:0x00560e56ed4198>>>,
   "rack.errors"=>#<Rack::Lint::ErrorWrapper:0x00560e56eac378 @error=#<Rack::Lint::ErrorWrapper:0x00560e56eba040 @error=#<File:/var/www/oddb.org/log/2017/08/30/oddb_log>>>,
   "rack.multithread"=>true,
   "rack.multiprocess"=>false,
   "rack.run_once"=>false,
   "rack.url_scheme"=>"http",
   "rack.hijack?"=>true,
   "rack.hijack"=>#<Proc:0x00560e56eaca80@/var/www/oddb.org/vendor/ruby/2.4.0/gems/rack-2.0.3/lib/rack/lint.rb:525>,
   "rack.hijack_io"=>nil,
   "HTTP_VERSION"=>"HTTP/1.1",
   "REQUEST_PATH"=>"/",
   "rack.tempfiles"=>[],
   "rack.request.cookie_hash"=>{"oddb.org"=>"language=de;resultview=pages", "_session_id"=>"1f50b73d45ff1d2c5b1cb4a7ce5", "__utma"=>"120231382.1168033660.1499166184.1499259000.1502478569.4", "__utmz"=>"120231382.1499166185.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)", "__utmc"=>"120231382"},
   "rack.request.cookie_string"=>"oddb.org=language%3Dde%3Bresultview%3Dpages; _session_id=1f50b73d45ff1d2c5b1cb4a7ce5; __utma=120231382.1168033660.1499166184.1499259000.1502478569.4; __utmz=120231382.1499166185.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmc=120231382"},
 @params=nil>

What puzzles me is that the REQUEST_URI is http and not https. Similar for SERVER_PORT and SERVER_PROTOCOL.

Replacing in the apache.conf (as suggested by https://wiki.apache.org/httpd/RewriteHTTPToHTTPS) Redirect permanent / https://oddb-ci2.dyndns.org by

RewriteEngine On
# This will enable the Rewrite capabilities

RewriteCond %{HTTPS} !=on        
# This checks to make sure the connection is not already HTTPS

RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

This did not help either. Must we replace http by https in all redirections? Did not work and led to Internal Server Error

Tried appending a custom header to detect HTTPS by adding to the apache conf RequestHeader append ODDB_WITH_SSL "ODDB_WITH_SSL" after the SSL commands. This shows up in the rack_request passed to SBSM.

Reverted the /etc/apache2/vhosts.d/00_default_ssl_vhost.conf to its original content. Minimized /etc/apache2/vhosts.d/oddb.conf, see Attach:apache_oddb_https_conf.txt. Now I do not have the correct CSS, but I am able to load the home page and links seem to work, e.g. https://oddb-ci2.dyndns.org/de/gcc/fachinfo/reg/63118.

When using a search I get a warning that I am forwarded to an insecure page. But this page gets correctly redirected to something like https://oddb-ci2.dyndns.org/de/gcc/search/zone/drugs/search_query/Inderal/search_type/st_sequence#best_result

The CSS files do not get loaded as they still use http, e.g. I see in the source code of the HTML import "http://oddb-ci2.dyndns.org:80/resources/dojo/dojo/resources/dojo.css"

Other people seem to have the same problem with the port 443, see https://github.com/phusion/passenger/issues/1421. Added a line RequestHeader set SERVER_PORT "443" in <VirtualHost 192.168.0.75:443>, fixed.

There is a more elegant and correct way: instead of the above-mentioned line RequestHeader set SERVER_PORT "443", insert RequestHeader set X-Forwarded-Proto "https". If it is set, the rack_request received by SBSM has the following fields

<...>
  "REQUEST_URI"=>  "https://oddb-ci2.dyndns.org/de/gcc/show/fachinfo/63059/diff",
  "SERVER_PORT"=>"443",
  "HTTP_X_FORWARDED_PROTO"=>"https",
  "HTTP_X_FORWARDED_FOR"=>"192.168.0.75",
  "HTTP_X_FORWARDED_HOST"=>"oddb-ci2.dyndns.org",
  "HTTP_X_FORWARDED_SERVER"=>"oddb-ci2.dyndns.org",
<...>

which are the values I expected.
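
An added example (not the sbsm code and not part of the original log) of how a Rack app behind the TLS-terminating Apache can derive the client-facing scheme from X-Forwarded-Proto, while accepting the header only when the TCP peer is the proxy, since any client can send it. The method names, the trusted-proxy list and the sample requests are assumptions made for the illustration.

```ruby
require 'ipaddr'

# Assumption: the TLS-terminating Apache reaches the Rack app from these
# addresses (the request dump on this page shows REMOTE_ADDR "::1").
TRUSTED_PROXIES = %w[127.0.0.1 ::1].map { |a| IPAddr.new(a) }.freeze

# True only when the TCP peer is the proxy; only then are X-Forwarded-* usable.
def from_trusted_proxy?(env)
  addr = env['REMOTE_ADDR'].to_s
  return false if addr.empty?
  peer = IPAddr.new(addr)
  TRUSTED_PROXIES.any? { |net| net.include?(peer) }
rescue IPAddr::Error
  false
end

# Last element of a comma-separated header: the value added by the nearest
# proxy. With `RequestHeader set` there is only one value anyway; with
# `append` a client-supplied value would come first.
def last_value(header)
  header.to_s.split(',').last.to_s.strip
end

# Scheme of the client-facing connection: "https" or "http".
def effective_scheme(env)
  if from_trusted_proxy?(env)
    proto = last_value(env['HTTP_X_FORWARDED_PROTO']).downcase
    return proto if %w[http https].include?(proto)
  end
  env['rack.url_scheme'] == 'https' ? 'https' : 'http'
end

# Absolute URL for links and redirects, with exactly one "/" after the host.
def absolute_url(env, path)
  host = last_value(env['HTTP_X_FORWARDED_HOST']) if from_trusted_proxy?(env)
  host = env['HTTP_HOST'].to_s if host.nil? || host.empty?
  "#{effective_scheme(env)}://#{host}/#{path.to_s.sub(%r{\A/+}, '')}"
end

# Constructed sample, reduced from the request dump on this page.
PROXIED = {
  'REMOTE_ADDR' => '::1', 'HTTP_HOST' => 'localhost:8012',
  'rack.url_scheme' => 'http',
  'HTTP_X_FORWARDED_PROTO' => 'https',
  'HTTP_X_FORWARDED_HOST' => 'oddb-ci2.dyndns.org'
}.freeze
# Constructed: the same headers sent by a client that is not the proxy.
SPOOFED = PROXIED.merge('REMOTE_ADDR' => '203.0.113.9').freeze
```

The proxied request resolves to https with the forwarded host, while the same headers from an untrusted peer fall back to what the app server itself saw.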

Pushed commit Fix using http_headers in views and recognition of HTTPS and Updated history.txt. Released sbsm 1.5.9.

Updated my apache2/vhost.d/oddb.conf for generika. Running all spec tests.

There are quite a few things I must check before we can activate the changes on ch.oddb.org.

rspec ./spec/address_correction_spec.rb:84 # ch.oddb.org should be possible to correct an address for a company
rspec ./spec/admin_spec.rb[1:1] # ch.oddb.org should be possible to upload dummy_patinfo.pdf to a given package
rspec ./spec/admin_spec.rb[1:2] # ch.oddb.org should be possible to upload dummy_patinfo_2.pdf to a given package
rspec ./spec/admin_spec.rb:129 # ch.oddb.org should be possible to create a CompanyUser
rspec ./spec/download_spec.rb:27 # ch.oddb.org should download the results of a search to Marcoumar
rspec ./spec/download_spec.rb:73 # ch.oddb.org should be possible to run grant_download oddb2.csv
rspec ./spec/evidentia_spec.rb:49 # ch.oddb.org should list C09DB02 before C09DX03 when looking for Sevikar
rspec ./spec/evidentia_spec.rb:60 # ch.oddb.org should list Keppra at the top when searching for Levetiracetam
rspec ./spec/evidentia_spec.rb:66 # ch.oddb.org should list Levetiracetam Desitin at the top when searching for Levetiracetam Desitin
rspec ./spec/evidentia_spec.rb:72 # ch.oddb.org should list all SL products before the Non-SL
rspec ./spec/evidentia_spec.rb:93 # ch.oddb.org should not contain a column Fachinfo
rspec ./spec/evidentia_spec.rb:106 # ch.oddb.org should contain a link to the limiation in Sevikar HCT preparation
rspec ./spec/evidentia_spec.rb:117 # ch.oddb.org should contain a link to the price comparision in price public
rspec ./spec/evidentia_spec.rb:127 # ch.oddb.org should contain a link to the FI for the drug when in price comparison
rspec ./spec/evidentia_spec.rb:143 # ch.oddb.org should contain a link to the fachinfo for Lamivudin-Zidovudin
rspec ./spec/evidentia_spec.rb:151 # ch.oddb.org should display a limitation link for Sevikar HCT
rspec ./spec/evidentia_spec.rb:165 # ch.oddb.org should display lamivudin with SO and SG in category (price comparision)
rspec ./spec/evidentia_spec.rb:172 # ch.oddb.org should list trademark first e.g. Duodopa
rspec ./spec/evidentia_spec.rb:210 # ch.oddb.org should display Cellcept before other
rspec ./spec/evidentia_spec.rb:218 # ch.oddb.org should list Levetiracetam Desitin with a link to the product overview
rspec ./spec/paypal_spec.rb:86 # ch.oddb.org should be possible to checkout oddb.csv via paypal
rspec ./spec/paypal_spec.rb:144 # ch.oddb.org should return a correct link to a CSV file if the payment is okay
rspec ./spec/paypal_spec.rb:169 # ch.oddb.org should not download a CSV file if the payment was not accepted
rspec ./spec/paypal_spec.rb:185 # ch.oddb.org should be possible to cancel a paypal before login
rspec ./spec/paypal_spec.rb:198 # ch.oddb.org should be possible to cancel a paypal after login but before paying
rspec ./spec/rezept_and_instantsearch_spec.rb:452 # ch.oddb.org should not loose existing comment after adding a new prescription
rspec ./spec/rezept_and_instantsearch_spec.rb:571 # ch.oddb.org should be possible to print a presciption with 10 drugs
rspec ./spec/rss_spec.rb[1:1] # ch.oddb.org should have a working RSS-feed hpc
rspec ./spec/rss_spec.rb[1:2] # ch.oddb.org should have a working RSS-feed price_cut
rspec ./spec/rss_spec.rb[1:3] # ch.oddb.org should have a working RSS-feed price_rise
rspec ./spec/rss_spec.rb[1:4] # ch.oddb.org should have a working RSS-feed recall
rspec ./spec/rss_spec.rb[1:5] # ch.oddb.org should have a working RSS-feed sl_introduction
rspec ./spec/rss_spec.rb[1:6] # ch.oddb.org should have a working RSS-feed fachinfo
rspec ./spec/rss_spec.rb:67 # ch.oddb.org should have a working fachinfo-2008
rspec ./spec/searchbar_spec.rb[1:2] # ch.oddb.org should be possible to find 1,25-Dihydroxycholecalciferol when searching via 125 in analysen
rspec ./spec/searchbar_spec.rb:339 # ch.oddb.org should show no drugs for Fortex via unwanted effects search
rspec ./spec/searchbar_spec.rb:391 # ch.oddb.org should set best_result when searching Rivoleve via search_type
rspec ./spec/smoketest_spec.rb:220 # ch.oddb.org should find redirect an iphone to the mobile flavor
rspec ./spec/smoketest_spec.rb[1:34] # ch.oddb.org should have a working status page status

Trying to make generika and evidentia work. Added a new service for evidentia. Added the certificates like this

cd /usr/local/src/letsencrypt
sudo ./certbot-auto certonly --debug --standalone -w /var/www/oddb.org \
                                     -d oddb-ci2.dyndns.org \
                                     -d i.oddb-ci2.dyndns.org \
                                     -d generika.oddb-ci2.dyndns.org \
                                     -d evidentia.oddb-ci2.dyndns.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/oddb-ci2.dyndns.org.conf)

It contains these names: oddb-ci2.dyndns.org, i.oddb-ci2.dyndns.org

You requested these names for the new certificate: oddb-ci2.dyndns.org,
i.oddb-ci2.dyndns.org, generika.oddb-ci2.dyndns.org,
evidentia.oddb-ci2.dyndns.org.

Do you want to expand and replace this existing certificate with the new
certificate?
-------------------------------------------------------------------------------
(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for oddb-ci2.dyndns.org
tls-sni-01 challenge for i.oddb-ci2.dyndns.org
tls-sni-01 challenge for generika.oddb-ci2.dyndns.org
tls-sni-01 challenge for evidentia.oddb-ci2.dyndns.org
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/oddb-ci2.dyndns.org/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/oddb-ci2.dyndns.org/privkey.pem
   Your cert will expire on 2017-11-28. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Found why https://evidentia.oddb-ci2.dyndns.org/ does not work, whereas https://generika.oddb-ci2.dyndns.org has no problem. evidentia.oddb-ci2.dyndns.org was listed as alias for 127.0.0.1 in the /etc/hosts file.

Now I got only one error in the evidentia_spec test namely rspec ./spec/evidentia_spec.rb:179 # ch.oddb.org should list trademark first e.g. Duodopa

Page last modified on August 30, 2017, at 07:53 PM