Merge pull request #79 from diogob/tls

Add native TLS server support

Author: diogob

.gitignore

@@ -12,3 +12,5 @@ site
 rails.conf
 cabal-helper*
 .dir-locals.el
+server.key
+server.crt

CHANGELOG.md

@@ -1,5 +1,9 @@
 # CHANGELOG
 
+## 0.11.1.0
+
+- Add TLS native connection so we can have `wss://` connections without using any sort of proxy `PGWS_CERTIFICATE_FILE` and `PGWS_KEY_FILE` should be used to set the the TLS certificate and enable secure connections.
+
 ## 0.11.0.0
 
 - Add `PGWS_CHECK_LISTENER_INTERVAL` to configure interval to check database listener connection and respawn listener in case the connection is not found.

README.md

@@ -26,6 +26,10 @@ cd postgres-websockets
 docker-compose up
 ```
 
+### Pre-compiled binaries
+
+You can download binaries from the [releases page](./releases). Currently only linux binaries complied against Ubuntu on amd64 are provided.
+
 ### Building from source
 To build the project I recommend the use of [Stack](http://docs.haskellstack.org/en/stable/README/).
 You also need to have [git](https://git-scm.com) installed to download the source code.
@@ -86,7 +90,13 @@ The address will look like:
 ws://eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJtb2RlIjoicnciLCJjaGFubmVsIjoiY2hhdCJ9.fEm6P7GHeJWZG8OtZhv3H0JdqPljE5dainvsoupM9pA
 ```
 
-To use a secure socket (`wss://`) you will need a proxy server like nginx to handle the TLS layer. Some services (e.g. Heroku) will handle this automatially.
+To use a secure socket (`wss://`) you can set the configuration variables `PGWS_CERTIFICATE_FILE` and `PGWS_KEY_FILE`. Once these two variables point to a valid X.509 certificate the server will enable TLS connections. Bellow a quick example of how to generate a self-signed certificate using [OpenSSL](https://www.openssl.org/) command line tool:
+
+```
+openssl genrsa -out key.pem 2048
+openssl req -new -key key.pem -out certificate.csr
+openssl x509 -req -in certificate.csr -signkey key.pem -out certificate.pem
+```
 
 ## Receiving messages from the browser
 

postgres-websockets.cabal

@@ -1,5 +1,5 @@
 name:                postgres-websockets
-version:             0.11.0.0
+version:             0.11.1.0
 synopsis:            Middleware to map LISTEN/NOTIFY messages to Websockets
 description:         WAI middleware that adds websockets capabilites on top of PostgreSQL's asynchronous notifications using LISTEN and NOTIFY commands. Fully functioning server included.
 homepage:            https://github.com/diogob/postgres-websockets#readme
@@ -52,6 +52,7 @@ library
                      , base64-bytestring >= 1.0.0.3 && < 1.2
                      , bytestring >= 0.10
                      , warp >= 3.2 && < 4
+                     , warp-tls >= 3.2 && < 4
                      , wai-extra >= 3.0.29 && < 3.2
                      , wai-app-static >= 3.1.7.1 && < 3.2
                      , auto-update >= 0.1.6 && < 0.2

sample-env

@@ -25,3 +25,7 @@ export PGWS_JWT_SECRET_BASE64=False
 ## Check database listener every 10 seconds
 ## comment it out to disable and shutdown the server on listener errors (can be useful when using external process supervisors)
 export PGWS_CHECK_LISTENER_INTERVAL=10000
+
+## Place server.crt and server.key in the working directory and uncomment the following lines for TLS connections (wss)
+# export PGWS_CERTIFICATE_FILE="./certificate.pem"
+# export PGWS_KEY_FILE="./key.pem"

src/PostgresWebsockets/Config.hs

@@ -37,16 +37,23 @@ data AppConfig = AppConfig
     configJwtSecretIsBase64 :: Bool,
     configPool :: Int,
     configRetries :: Int,
-    configReconnectInterval :: Maybe Int
+    configReconnectInterval :: Maybe Int,
+    configCertificateFile :: Maybe Text,
+    configKeyFile :: Maybe Text
   }
+  deriving (Show)
 
 -- | User friendly version number
 prettyVersion :: Text
 prettyVersion = intercalate "." $ map show $ versionBranch version
 
 -- | Load all postgres-websockets config from Environment variables. This can be used to use just the middleware or to feed into warpSettings
 loadConfig :: IO AppConfig
-loadConfig = readOptions >>= loadSecretFile >>= loadDatabaseURIFile
+loadConfig =
+  readOptions
+    >>= verifyTLSConfig
+    >>= loadSecretFile
+    >>= loadDatabaseURIFile
 
 -- | Given a shutdown handler and an AppConfig builds a Warp Settings to start a stand-alone server
 warpSettings :: (IO () -> IO ()) -> AppConfig -> Settings
@@ -76,6 +83,14 @@ readOptions =
       <*> var auto "PGWS_POOL_SIZE" (def 10 <> helpDef show <> help "How many connection to the database should be used by the connection pool")
       <*> var auto "PGWS_RETRIES" (def 5 <> helpDef show <> help "How many times it should try to connect to the database on startup before exiting with an error")
       <*> optional (var auto "PGWS_CHECK_LISTENER_INTERVAL" (helpDef show <> help "Interval for supervisor thread to check if listener connection is alive. 0 to disable it."))
+      <*> optional (var str "PGWS_CERTIFICATE_FILE" (helpDef show <> help "Certificate file to serve secure websockets connection (wss)."))
+      <*> optional (var str "PGWS_KEY_FILE" (helpDef show <> help "Key file to serve secure websockets connection (wss)."))
+
+verifyTLSConfig :: AppConfig -> IO AppConfig
+verifyTLSConfig conf@AppConfig {..} = do
+  when (isJust configCertificateFile /= isJust configKeyFile) $
+    panic "PGWS_TLS_CERTIFICATE and PGWS_TLS_KEY must be set in tandem"
+  pure conf
 
 loadDatabaseURIFile :: AppConfig -> IO AppConfig
 loadDatabaseURIFile conf@AppConfig {..} =

src/PostgresWebsockets/Server.hs

@@ -1,42 +1,43 @@
-{-|
-Module      : PostgresWebsockets.Server
-Description : Functions to start a full stand-alone PostgresWebsockets server.
--}
+-- |
+-- Module      : PostgresWebsockets.Server
+-- Description : Functions to start a full stand-alone PostgresWebsockets server.
 module PostgresWebsockets.Server
-        ( serve 
-        ) where
+  ( serve,
+  )
+where
 
-import Protolude
-import Network.Wai.Application.Static ( staticApp, defaultFileServerSettings )
-import Network.Wai (Application, responseLBS)
 import Network.HTTP.Types (status200)
-import Network.Wai.Handler.Warp ( runSettings )
+import Network.Wai (Application, responseLBS)
+import Network.Wai.Application.Static (defaultFileServerSettings, staticApp)
+import Network.Wai.Handler.Warp (runSettings)
+import Network.Wai.Handler.WarpTLS (runTLS, tlsSettings)
 import Network.Wai.Middleware.RequestLogger (logStdout)
-
-import PostgresWebsockets.Middleware ( postgresWsMiddleware )
-import PostgresWebsockets.Config ( AppConfig(..), warpSettings )
-import PostgresWebsockets.Context ( mkContext )
+import PostgresWebsockets.Config (AppConfig (..), warpSettings)
+import PostgresWebsockets.Context (mkContext)
+import PostgresWebsockets.Middleware (postgresWsMiddleware)
+import Protolude
 
 -- | Start a stand-alone warp server using the parameters from AppConfig and a opening a database connection pool.
 serve :: AppConfig -> IO ()
-serve conf@AppConfig{..} = do
+serve conf@AppConfig {..} = do
   shutdownSignal <- newEmptyMVar
-  let waitForShutdown cl = void $ forkIO (takeMVar shutdownSignal >> cl)
-      appSettings = warpSettings waitForShutdown conf
-
   putStrLn $ ("Listening on port " :: Text) <> show configPort
 
   let shutdown = putErrLn ("Broadcaster connection is dead" :: Text) >> putMVar shutdownSignal ()
   ctx <- mkContext conf shutdown
 
-  runSettings appSettings $
-    postgresWsMiddleware ctx $
-    logStdout $ maybe dummyApp staticApp' configPath
-  die "Shutting down server..."
+  let waitForShutdown cl = void $ forkIO (takeMVar shutdownSignal >> cl)
+      appSettings = warpSettings waitForShutdown conf
+      app = postgresWsMiddleware ctx $ logStdout $ maybe dummyApp staticApp' configPath
+
+  case (configCertificateFile, configKeyFile) of
+    (Just certificate, Just key) -> runTLS (tlsSettings (toS certificate) (toS key)) appSettings app
+    _ -> runSettings appSettings app
 
+  die "Shutting down server..."
   where
     staticApp' :: Text -> Application
     staticApp' = staticApp . defaultFileServerSettings . toS
     dummyApp :: Application
     dummyApp _ respond =
-        respond $ responseLBS status200 [("Content-Type", "text/plain")] "Hello, Web!"
+      respond $ responseLBS status200 [("Content-Type", "text/plain")] "Hello, Web!"

test/ServerSpec.hs

@@ -22,7 +22,9 @@ testServerConfig =
       configJwtSecretIsBase64 = False,
       configPool = 10,
       configRetries = 5,
-      configReconnectInterval = Nothing
+      configReconnectInterval = Nothing,
+      configCertificateFile = Nothing,
+      configKeyFile = Nothing
     }
 
 startTestServer :: IO ThreadId