Force https for Lora App interface

Vlado_Portos · May 11, 2019, 7:57am

Hello,
Is there a way to force https for Lora App Web interface ? When you use TLS the normal http will not work, it will throw error something like:

TLS handshake error from 195.***.*.:******: tls: first record does not look like a TLS handshake

Of course switching to https manually works fine, I know its just cosmetic stuff but there should be a way to force every http connection to switch to https automatically.

brocaar · May 13, 2019, 11:47am

I don’t think this is possible. Usually http:// is served on port 80 and https:// on 443. You could put a proxy like NGINX in front which will redirect port 80 requests to https:// on port 443.

Vlado_Portos · May 13, 2019, 1:43pm

Yes normally, but this is on port 8080, and both http://<server_name>:8080 and https://<server_name>:8080 seems to “work” at the same time. Would be nice to have option in /etc/lora-app-server/lora-app-server.toml under [application_server.external_api] option to disable http if TLS certificates are provided than it would not show errors when visiting just http version. Right now it doesn’t seems to be handled.

There must be some kind of web server ( since its providing output on that port for browser ) so there should be also option for automatic redirect to https ( somewhere )

brocaar · May 13, 2019, 2:23pm

It is not that http:// and https:// work at the same time. In both cases a request is being made to port 8080. In the first case the browser is instructed to make a plain HTTP request to port 8080, in the second case, the browser is instructed to make a HTTP over TLS request to port 8080.

That is why you see the TLS handshake error in the logs when your browser makes a plain HTTP request. In the eyes of the server it receives a “garbage” and it stops there.

In essence what would be needed is to serve both HTTP and HTTPS on the same port (currently with TLS certificates, it is TLS only). There are ways to do this, but I’m not sure if this should be supported by LoRa App Server. For some examples, see: https://groups.google.com/forum/#!topic/golang-nuts/4oZp1csAm2o.

A better solution would be to put NGINX as proxy in front of LoRa App Server. NGINX would:

Redirect http://example.com (port 80 / no TLS) --> https://example.com (port 443 / TLS)
Proxy https://example.com (port 443 / TLS) to http://localhost:8080 (no TLS)

The reason why LoRa App Server is using port 8080 is that it is an unprivileged port. As LoRa App Server runs (when using the .deb package) under a non-root user, additional commands must be executed to let it bind to port 443. This is easy, but my experience is that you might forget this on an update and it would fail to start.

Vlado_Portos · May 14, 2019, 2:51pm

True, looks like the nginx would be the best solution for redirect