SSL handling corrections

Report bugs found in Poker Mavens
Raventhon
Posts: 166
Joined: Thu Mar 20, 2014 3:37 pm

SSL handling corrections

Post by Raventhon »

We need to proxy to mavens and terminate SSL on our front-end web server, not at Mavens directly. We have successfully set this up on our production environment, but have run into two issues. First, even though we pass the remote address of the user with the standard HTTP header "X-Real-IP", Mavens does not pick this up, and instead considers users to be logged in from the IP address of the front-end web server.

Second, the web sockets which default to port 8088 use the "ws://" protocol, and we require the use of the web socket secure protocol specified by "wss://" to not get security warnings from browsers.

As such, it would be great to add X-Real-IP support to mavens, and an option to specify if web sockets should be secure or not. In the meantime we will work around these issues, but not having these things in place is seriously affecting our ability to operate our site in a secure and scalable manner.

Thanks, I appreciate your assistance.
Kent Briggs
Site Admin
Posts: 5878
Joined: Wed Mar 19, 2008 8:47 pm

Re: SSL handling corrections

Post by Kent Briggs »

Second, the web sockets which default to port 8088 use the "ws://" protocol, and we require the use of the web socket secure protocol specified by "wss://" to not get security warnings from browsers.

As such, it would be great to add X-Real-IP support to mavens, and an option to specify if web sockets should be secure or not.
I'm not that familiar with proxy servers but "X-Forwarded-For" appears to be the standard HTTP header. The only info I see on "X-Real-IP" seems to be associated exclusively with Nginx. Poker Mavens automatically changes the web socket protocol from ws to wss when you enable SSL inside Poker Mavens. You can't have a non-SSL connection between your proxy and the poker server and still use the SSL protocol. You have to pick one or the other.
Raventhon
Posts: 166
Joined: Thu Mar 20, 2014 3:37 pm

Re: SSL handling corrections

Post by Raventhon »

Thanks for looking into this, Kent. Actually, my tech team has informed me that neither "X-Forwarded-For" nor "X-Real-IP" are as yet standardized by any international standardization bodies such as the IETF, though a draft for "X-Forwarded-For" standardization was put up in 2012. The difference appears to be in the way they are used. The "X-Forwarded-For" header is meant to be a list of IP addresses through which forward proxies (such as squid) pass the IP addresses of proxies and the original host along through each other and to the final destination host so the full route can be traced back. The "X-Real-IP" header is meant to be a single IP address indicating the IP address of the originating host in a reverse-proxy scenario (such as nginx is used) where a front-end web server terminates web traffic and then proxies it behind its internal network to the destination server (in this case, Mavens).

They tell me we are, in fact, using NginX as our front-end web-server and SSL terminator, in order to reduce load.

Unfortunately, until you support either "X-Forwarded-For" or "X-Real-IP", all of our users appear to come from the same IP address and are not able to rely on standard Mavens features that allow us to deny users from the same IP address access to the same tables and tournaments. This is a serious matter for us! They suggest that it could be set up such that any arbitrary header may be specified in the configuration as the header containing the IP address, which would make it simpler for you, but they wanted to reiterate that "X-Forwarded-For" may contain a list of IPs, not a single IP, and thus is probably not as appropriate.

Please let us know if it is possible to make use of "X-Forwarded-For", "X-Real-IP", or something specific you define, like "X-Mavens-Remote", that you would prefer to see. It does not matter on their end for configuration!

Finally, with regards to the SSL thing, they are saying that we are using NginX to terminate SSL and that internal traffic in our network is not encrypted because there is no need for it to be and it reduces computational and bandwidth load on our servers. However, they'll be able to make NginX talk to Mavens over SSL, no problem, it just is not ideal. We would like to see the ability to serve WSS on an optional basis, but it is not as important as the above IP issue which is seriously affecting our ability to operate efficiently and securely.

Thanks again!
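As an added illustration of the header handling discussed in this thread (not code from Poker Mavens or from either poster), the function below resolves the player's address from a configurable header name, as proposed above. It honours the header only when the TCP peer is a trusted proxy, and for the list form of "X-Forwarded-For" it walks from the right past any trusted hops; the proxy address 10.0.0.5 and the sample header values are constructed for the example.

```python
import ipaddress

# Constructed sample: the reverse proxy (e.g. the NginX SSL terminator)
# whose headers the poker server is allowed to believe.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]


def _is_trusted(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, headers, header_name="X-Real-IP"):
    """Return the address to treat as the player's IP.

    peer_addr   - the TCP peer (the proxy when fronted, the player otherwise)
    headers     - request headers as a dict; lookup is case-insensitive
    header_name - the configurable header setting ("X-Real-IP" or
                  "X-Forwarded-For" are the two the thread discusses)

    If the peer is not a trusted proxy the header is ignored: a directly
    connected client could otherwise set any value and defeat the same-IP
    table and tournament restrictions.
    """
    if not _is_trusted(peer_addr):
        return peer_addr
    lookup = {k.lower(): v for k, v in headers.items()}
    value = lookup.get(header_name.lower())
    if not value:
        return peer_addr
    # X-Forwarded-For is "client, proxy1, proxy2": only the entries appended
    # by trusted proxies are reliable, anything to the left is client-supplied.
    # X-Real-IP is a single address, so this loop runs once for it.
    hops = [h.strip() for h in value.split(",")]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr  # malformed header: fall back rather than trust it
        if not _is_trusted(hop):
            return hop
    return peer_addr  # every hop was one of our own proxies
```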
Kent Briggs
Site Admin
Posts: 5878
Joined: Wed Mar 19, 2008 8:47 pm

Re: SSL handling corrections

Post by Kent Briggs »

Raventhon wrote:

Please let us know if it is possible to make use of "X-Forwarded-For", "X-Real-IP", or something specific you define like, "X-Mavens-Remote" that you would prefer to see.
Allowing you to enter the header name as a setting would probably be the way to go. I'll look into it.


Finally, with regards to the SSL thing, they are saying that we are using NginX to terminate SSL and that internal traffic in our network is not encrypted because there is no need for it to be and it reduces computational and bandwidth load on our servers. However, they'll be able to make NginX talk to Mavens over SSL, no problem, it just is not ideal. We would like to see the ability to serve WSS on an optional basis
I get it now. Poker Mavens would need to put "wss" in the client code to force an encrypted packet port connection between the client and proxy when the connection between the proxy and Poker Mavens is not encrypted. This is a bit of a kludge but try this: in the Web Settings group, edit the "Top HTML" setting and insert this javascript:


<script>params.useSSL = "Yes";</script>
That will override the "No" setting that appears above it in the HTML wrapper.