To this point you have been accessing your web server using HTTP. If you notice your browser has been yelling at you that your connection is ⚠ Not Secure from the location bar.
During the first couple decades of the web, it was pretty common for websites to simply use HTTP (non-secure hypertext transport protocol) since it was difficult, non-performant, and expensive to secure the connection. Additionally, most websites just provided access to documents and so it didn't need to protect user's information. Usually, only websites that were doing commerce needed a secure connection. That all changed when computers got faster and the web moved from simple document servers (Web 1.0) to full on web applications (Web 2.0) that accepted information from users and displayed that information within the application. Without a secure connection anyone that had access to the network traffic, at any point, from the user's computer to the server handling the request could easily capture all the data sent in either direction. Remember when we used the console program traceroute to show you how many computers your connection goes through. You definitely do not want those computers to have access to your user's sensitive information.
The secure version of HTTP is called Secure Hypertext Transport Protocol (HTTPS). This is basically HTTP with a negotiated secure connection that happens before any data is exchanged. Having a secure connection means that all the data is encrypted using the TLS protocol. TLS is sometimes referred to by a now unsecure predecessor protocol named SSL. TLS works by negotiating a shared secret that is then used to encrypt data. You can see the actual negotiation that happens by using the console browser based application curl, along with the -v parameter to see the verbose output of the HTTPS exchange. The > /dev/null redirection throws away the actual HTTP response, since we only care about the negotiation, by redirecting the output to the null device.
➜ curl -v -s https://byu.edu > /dev/null
* Trying 128.187.16.184:443...
* Connected to byu.edu (128.187.16.184) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
} [312 bytes data]
* (304) (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* (304) (IN), TLS handshake, Unknown (8):
{ [25 bytes data]
* (304) (IN), TLS handshake, Certificate (11):
{ [3211 bytes data]
* (304) (IN), TLS handshake, CERT verify (15):
{ [520 bytes data]
* (304) (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* (304) (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384
* ALPN: server accepted http/1.1
* Server certificate:
* subject: C=US; ST=Utah; L=Provo; O=Brigham Young University; CN=*.byu.edu
* start date: Jan 24 00:00:00 2022 GMT
* expire date: Jan 24 23:59:59 2023 GMT
* subjectAltName: host "byu.edu" matched cert's "byu.edu"
* issuer: C=US; O=DigiCert Inc; CN=DigiCert TLS RSA SHA256 2020 CA1
* SSL certificate verify ok.You can see that the negotiation is fairly complex as it involves multiple steps in the handshake. A core piece of the handshake is the exchange of a web certificate that identifies the domain name of the server creating the secure connection. The browser will compare the certificate domain name to the one represented in the URL and if they don't match, or the certificate is invalid or out of date, it will display a massive warning.
In the example above we asked for byu.edu and got a valid certificate for byu.edu and so everything looks great.
Web certificates are generated by a trusted 3rd party using public/private key encryption. The certificate issuer is responsible for verifying that the certificate owner actually owns the domain name represented by the certificate. Once you have a certificate for your domain name, you can serve the certificate from your web server and then the browser can validate the certificate by using the public keys of the certificate issuer.
Until about 2014 it would cost you hundreds of dollars a year to get a web certificate, and you needed a certificate for every domain and subdomain that you owned. That would cost, even a small company, thousands of dollars a year because the certificates needed to be renewed in order to ensure that it still represented the owner of the domain name and to limit the impact of a stolen certificate.
That all changed when two Mozilla employees created a non-profit called Let's Encrypt with the goal of creating trusted web certificates for free. This effectively broke the monopoly that the trusted web certificate issuers had on the industry.
Now using a service like Let's Encrypt, and the IETF standard ACME protocol that they pioneered, anyone who owns a domain name, can dynamically generate and renew a certificate for free. This incredible contribution of critical web technology has made the web safer, and more reliable, for everyone.
Caddy uses Let's Encrypt to generate a web certificate every time an HTTPS request is made for a domain name that Caddy doesn't have a web certificate for. When this happens Caddy asks Let's Encrypt to verify that the domain for the requested certificate is actually owned by the requester. Let's Encrypt does that by telling the requester to return a specific digitally signed response for a temporary URL when an HTTP request to the domain is made. Let's Encrypt then makes the HTTP request, and if successful, issues the certificate to the requester.
If you are interested, you can learn about how the Let's Encrypt generates certificate from their documentation.
Modern browsers now expect web servers to exclusively use HTTPS for all communication. In fact, the next version of HTTP (v3) only supports secure connections. For this reason, you should always support HTTPS for any web application that you build.
You can obtain, and renew, a web certificate by enabling the ACME protocol for your web server and communicating with Let's Encrypt to generate the needed certificates. This is not difficult to do, and many languages such as Rust, Node.js, or Go support this functionality by simply including an additional library.
For our work we are using the web service Caddy to act as a gateway to our different services and to host our static web application files. Caddy has ACME support built into it by default, and so all you need to do is configure Caddy with the domain name for your web server. Here are the steps to take.
Note
This is one of the few modification that you will manually make to your web server. Most other production changes are completed with automated continuous integration processes.
-
Open a console window.
-
Use the
sshconsole program to shell into your production environment server.➜ ssh -i [key pair file] ubuntu@[yourdomainnamehere]
for example,
➜ ssh -i ~/keys/production.pem ubuntu@myfunkychickens.click -
Edit Caddy's configuration (
Caddyfile) file found in the ubuntu user's home directory.➜ cd ~ ➜ vi Caddyfile
-
Modify the Caddy rule for handling requests to port 80 (HTTP), to instead handle request for your domain name. By not specifying a port the rule will serve up files using port 443 (HTTPS), and any request to port 80 will automatically redirect the browser to port 443. Replace
:80with your domain name (e.g.myfunkychickens.click). Make sure that you delete the colon. -
Modify the Caddy rules that route the traffic for the two web applications that we will build. To do this replace the two places where
yourdomainappears with your domain name (e.g.myfunkychickens.click). -
Review the Caddyfile to make sure it looks right. If your domain name was
myfunkychickens.clickit would look like the following.myfunkychickens.click { root * /usr/share/caddy file_server header Cache-Control no-store header -etag header -server } startup.myfunkychickens.click { reverse_proxy * localhost:4000 header Cache-Control no-store header -server header -etag header Access-Control-Allow-Origin * } simon.myfunkychickens.click { reverse_proxy * localhost:3000 header Cache-Control no-store header -server header -etag header Access-Control-Allow-Origin * } -
Save the file and exit VI (
:wq) -
Restart Caddy so that your changes take effect. Note that this requires you to use
sudo(super user do) to elevate your user to have the rights to restart the gateway.sudo service caddy restart
If you open your browser and navigate to your domain name you will now see that the browser is displaying a lock icon, using HTTPS, and your certificate has been automatically requested by Caddy and issued by Let's Encrypt.
If you have not already leased a domain name then go back and review that instruction.
Secure your web server communication by configuring Caddy to request a certificate from Let's Encrypt for you domain name.
If your section of this course requires that you submit assignments for grading: Submit a URL for web server's hostname to the Canvas assignment.
Don't forget to update your GitHub startup repository notes.md with all of the things you learned and want to remember.
| Symptom | Reason |
|---|---|
| The browser doesn't display by website | Check that the browser hasn't inserted a www subdomain prefix. Some browsers will hide this. You must actually click on the domain name in the address bar to see what it is really using |
My root domain works, but not the simon or startup subdomains |
Your Caddy file is not configured properly. Check for typos. Also make sure you removed the : from the start of the Caddy rule. |
My simon or start up subdomains work, but not my root domain |
Your Caddy file is not configured properly. Check for typos. |