I don’t do much front-end software engineering. If I can avoid it, I don’t really do it at all; I prefer the backend side etc. But for my personal projects no-one else is going to do it. I figured I should move to HTTPS for some of the content. Using my lack of front-end work over the past years as an excuse, I then proceeded to make the silliest of mistakes.
I spent some 1-2+ hours searching the internetz for the reason why my website would only load 7 bytes of seemingly random data in the browser when I tried to load it over HTTPS; most of the time the browser would download them as a file instead of showing anything. I was using a self-signed certificate for testing, so given that my first few attempts gave me a certificate warning and later ones gave no warnings, just garbage data, I was rather confused.
In the end it turned out to be because I was typing “localhost:8443/mysite” in the browser address bar, and this of course causes the browser to load it as an HTTP page. 8443 is the port I was hosting the web server on, as opposed to the regular HTTPS port 443. Initially I must have put the HTTPS at the start, since I got the certificate warnings; later I somehow managed to leave it out.
So I guess the browser tried to load an HTTP page and got handed some part of an SSL handshake, failed the handshake and was left with 7 bytes of seemingly random data that it downloaded for me. That’s my theory; I couldn’t quite figure out the handshake byte content with a quick internet search. Using https://localhost:8443 as the URL worked great. Maybe next time I forget this and need to search again I will hit this blog entry and save myself some hours of frustration.
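A small decoder for the first bytes that come back from a port is one way to check this kind of theory; it is an example added here, not code from the post. The sample bytes are constructed: a fatal TLS alert record (a common reply from a TLS server that receives a plaintext HTTP request, and 7 bytes long), next to the start of a plain HTTP reply for comparison. What the author's Jetty actually sent is not known and is assumed to be something similar.

```python
"""Classify the first bytes received from a port: TLS record or HTTP reply?

Added example; the sample inputs are constructed, not captured from the post's server.
"""
import struct

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of TLS alert descriptions (RFC 5246, section 7.2).
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
    42: "bad_certificate", 46: "certificate_unknown", 47: "illegal_parameter",
    70: "protocol_version", 80: "internal_error",
}


def classify_response(data: bytes) -> dict:
    """Describe what the received bytes look like (HTTP status line, TLS record, or unknown)."""
    if data.startswith(b"HTTP/"):
        status_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return {"kind": "http", "status_line": status_line}
    # TLS record header: content type (1 byte), version (2 bytes, major always 3), length (2 bytes).
    if len(data) >= 5 and data[0] in TLS_CONTENT_TYPES and data[1] == 3:
        content_type, major, minor, length = struct.unpack("!BBBH", data[:5])
        body = data[5:5 + length]
        result = {"kind": "tls", "content_type": TLS_CONTENT_TYPES[content_type],
                  "record_version": f"{major}.{minor}", "length": length}
        # An alert body is exactly two bytes: level and description.
        if content_type == 21 and len(body) == 2:
            result["alert_level"] = ALERT_LEVELS.get(body[0], f"unknown({body[0]})")
            result["alert_description"] = ALERT_DESCRIPTIONS.get(body[1], f"unknown({body[1]})")
        return result
    return {"kind": "unknown", "length": len(data)}


# Constructed: 7-byte fatal unexpected_message alert with record version 3.1.
SAMPLE_TLS_ALERT = bytes([0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x0A])
# Constructed: beginning of an ordinary HTTP reply.
SAMPLE_HTTP = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"

if __name__ == "__main__":
    for sample in (SAMPLE_TLS_ALERT, SAMPLE_HTTP):
        print(classify_response(sample))
```

Feeding it the actual downloaded file (`classify_response(open("download", "rb").read())`) tells you whether the bytes are a TLS record rather than anything the site meant to serve.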
But what does CloudFlare have to do with any of this? Not much really for the part above. But I put my service behind CloudFlare and also needed to change it to give me HTTPS connections for part of the service.
I also needed a certificate that the browser would not complain about. LetsEncrypt seems to be a nice service for doing this for free. But it also seems to be quite geared towards Apache and Nginx. Having neither of those and running the service behind CloudFlare made it a bit hard. With embedded Jetty, there was also no way I was going to enable directory listings (who does that, for security reasons anyway…), and it was unclear what I should put where to get it to work. Also, CloudFlare being in the way seemed to be an issue.
So CloudFlare has some nice options, also at its “free” tier. “Full” SSL lets me use a self-signed certificate between the CloudFlare server and my own server, while having CloudFlare provide the browser client with a valid certificate from an authorized party. Nice for some poor little guy’s project like mine.
But it only works for sites such as “bob.sitename.com” and not, for example, “admin.bob.sitename.com”. So that has to be “adminbob.sitename.com”. It also seems to want to push the SSL connection on me even if I explicitly try to go to the address “http://adminbob.sitename.com:80”. So I’m not sure if mixing HTTP and HTTPS for a single site is an option, at least on the free plan. Not a real problem, as I can just put it all in different services and run some of them fully on HTTPS. But for redirects etc…
So sometimes, for me, the SSL never happens; other times it happens when I try to avoid it. Maybe I should just learn something better, but this security stuff could certainly be a bit simpler to get right. It’s not really asking for that complex requirements (like maybe the browser could try to identify an HTTPS connection and inform me, large hosting providers/fronts could make the basic stuff simply work and give clear errors, and LetsEncrypt could make it easy to run their clients regardless of the web server used, etc.). Well, it’s free stuff, so what am I complaining about.. 🙂