github/libhalo
1
1
Fork 0
mirror of https://github.com/arx-research/libhalo.git synced 2026-01-09 13:18:04 -05:00
Code Issues Packages Projects Releases Wiki Activity

Bridge: Move the halo-bridge domain to .local TLD due to problems caused by anti-IP tracking features on Mac OS (#359)

Browse Source
This commit is contained in:
Michał Leszczyński
2024-09-04 14:29:08 +02:00
committed by GitHub
parent 805edae199
commit 048380b170
4 changed files with 13 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
cli/macos_pkgbuild_scripts/postinstall
View File

@@ -16,23 +16,23 @@ rm -f /usr/local/etc/halo-bridge/private_key.pem
rm -f /usr/local/etc/halo-bridge/server.csr
rm -f /usr/local/etc/halo-bridge/server.crt
# ask user whether he wants to generate a certificate for halo-bridge.internal
if osascript -e 'display dialog "In order for halo-bridge to work correctly, we will need to generate a self-signed certificate for the '\''halo-bridge.internal'\'' domain and mark it as trusted in the system.\n\nYou can skip that step if you don'\''t need to use halo-bridge tool." buttons {"Skip", "Generate certificate"} default button "Generate certificate" cancel button "Skip" with icon caution with title "HaLo Tools Installer"'
# ask user whether he wants to generate a certificate for halo-bridge.local
if osascript -e 'display dialog "In order for halo-bridge to work correctly, we will need to generate a self-signed certificate for the '\''halo-bridge.local'\'' domain and mark it as trusted in the system.\n\nYou can skip that step if you don'\''t need to use halo-bridge tool." buttons {"Skip", "Generate certificate"} default button "Generate certificate" cancel button "Skip" with icon caution with title "HaLo Tools Installer"'
then
# generate new local certificate
openssl genrsa -out /usr/local/etc/halo-bridge/private_key.pem 2048
openssl req -new -sha256 -key /usr/local/etc/halo-bridge/private_key.pem -out /usr/local/etc/halo-bridge/server.csr -subj '/CN=halo-tools (Local Certificate)/'
openssl req -x509 -sha256 -days 3650 -extensions HALO -config <(printf "[HALO]\nsubjectAltName='DNS:halo-bridge.internal'\nbasicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=critical,serverAuth") -key /usr/local/etc/halo-bridge/private_key.pem -in /usr/local/etc/halo-bridge/server.csr -out /usr/local/etc/halo-bridge/server.crt
openssl req -x509 -sha256 -days 3650 -extensions HALO -config <(printf "[HALO]\nsubjectAltName='DNS:halo-bridge.local'\nbasicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=critical,serverAuth") -key /usr/local/etc/halo-bridge/private_key.pem -in /usr/local/etc/halo-bridge/server.csr -out /usr/local/etc/halo-bridge/server.crt
# add certificate to the trust list
security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /usr/local/etc/halo-bridge/server.crt
fi
# add halo-bridge.internal domain to /etc/hosts if it doesn't exist yet
if ! grep -q "halo-bridge.internal" /etc/hosts
# add halo-bridge.local domain to /etc/hosts if it doesn't exist yet
if ! grep -q "halo-bridge.local" /etc/hosts
then
echo "" >> /etc/hosts
echo "127.0.0.1 halo-bridge.internal" >> /etc/hosts
echo "127.0.0.1 halo-bridge.local" >> /etc/hosts
fi
exit 0

2
cli/src.ts/ws_server.ts
View File

@@ -292,7 +292,7 @@ function wsCreateServer(args: Namespace, getReaderNames: () => string[]) {
permitted = true;
}
if (originHostname === "127.0.0.1" || originHostname === "localhost" || originHostname === "halo-bridge.internal") {
if (originHostname === "127.0.0.1" || originHostname === "localhost" || originHostname === "halo-bridge.local") {
permitted = true;
}

2
core/src.ts/web/web_utils.ts
View File

@@ -60,7 +60,7 @@ function createChecks(wsPort: number, wssPort: number, createWebSocket: (url: st
// A call to wss:// endpoint with incorrect certificate could hang the request
// for many seconds until it actually fails, and this would hang all remaining WS requests too.
// We need to skip this check on Firefox to avoid race conditions and have reasonable performance.
checks.push(runHealthCheck('wss://halo-bridge.internal:' + wssPort + '/ws', openTimeout, createWebSocket));
checks.push(runHealthCheck('wss://halo-bridge.local:' + wssPort + '/ws', openTimeout, createWebSocket));
}
return checks;

10
docs/halo-bridge.md
View File

@@ -120,7 +120,7 @@ for the detailed description of commands that may be requested.
In case of Mac OS platform, the HaLo Tools installer needs to generate a self-signed TLS certificate and mark it as trusted in the system. This is due to the fact that Safari would raise a mixed-content error if a secure external website would attempt to connect to an unsecured WebSocket on localhost, which is not the case for other browsers.
Due to that limitation, the installer will ask if you agree to generate a TLS certificate. The certificate will be stored at `/usr/local/etc/halo-bridge/` location. The generated certificate would only cover the `halo-bridge.internal` domain. It will be also clearly marked that it's not a Certificate Authority (to prevent issuing any additional trusted certificates on top of this one) and that it's purposed only for TLS Web Server authentication.
Due to that limitation, the installer will ask if you agree to generate a TLS certificate. The certificate will be stored at `/usr/local/etc/halo-bridge/` location. The generated certificate would only cover the `halo-bridge.local` domain. It will be also clearly marked that it's not a Certificate Authority (to prevent issuing any additional trusted certificates on top of this one) and that it's purposed only for TLS Web Server authentication.
### Manually generating a certificate
If you wish, it is possible to manually generate a certificate and mark it as trusted in the system.
@@ -129,16 +129,16 @@ If you wish, it is possible to manually generate a certificate and mark it as tr
# generate new local certificate
openssl genrsa -out /usr/local/etc/halo-bridge/private_key.pem 2048
openssl req -new -sha256 -key /usr/local/etc/halo-bridge/private_key.pem -out /usr/local/etc/halo-bridge/server.csr -subj '/CN=halo-tools (Local Certificate)/'
openssl req -x509 -sha256 -days 3650 -extensions HALO -config <(printf "[HALO]\nsubjectAltName='DNS:halo-bridge.internal'\nbasicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=critical,serverAuth") -key /usr/local/etc/halo-bridge/private_key.pem -in /usr/local/etc/halo-bridge/server.csr -out /usr/local/etc/halo-bridge/server.crt
openssl req -x509 -sha256 -days 3650 -extensions HALO -config <(printf "[HALO]\nsubjectAltName='DNS:halo-bridge.local'\nbasicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=critical,serverAuth") -key /usr/local/etc/halo-bridge/private_key.pem -in /usr/local/etc/halo-bridge/server.csr -out /usr/local/etc/halo-bridge/server.crt
# add certificate to the trust list
security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /usr/local/etc/halo-bridge/server.crt
# add halo-bridge.internal domain to /etc/hosts if it doesn't exist yet
grep -v -q "halo-bridge.internal" /etc/hosts && echo "" >> /etc/hosts && echo "127.0.0.1 halo-bridge.internal" >> /etc/hosts
# add halo-bridge.local domain to /etc/hosts if it doesn't exist yet
grep -v -q "halo-bridge.local" /etc/hosts && echo "" >> /etc/hosts && echo "127.0.0.1 halo-bridge.local" >> /etc/hosts
```
The HaLo Bridge would automatically detect the certificate upon the next startup and start the Secure WebSocket server at `wss://halo-bridge.internal:32869`, in addition to the normal (unsecured) WebSocket endpoint at `ws://127.0.0.1:32868`.
The HaLo Bridge would automatically detect the certificate upon the next startup and start the Secure WebSocket server at `wss://halo-bridge.local:32869`, in addition to the normal (unsecured) WebSocket endpoint at `ws://127.0.0.1:32868`.
## Example project