diff --git a/CHANGES_NEXT_RELEASE b/CHANGES_NEXT_RELEASE
index a2226ea..9c45772 100644
--- a/CHANGES_NEXT_RELEASE
+++ b/CHANGES_NEXT_RELEASE
@@ -22,4 +22,5 @@
- [cosmos-gui] [HARDENING] Allow the storage and computing clusters to be the same (#61)
- [cosmos] [HARDENING] Add a User and Programmer Manual (#69)
- [cosmos] [HARDENING] Add a Administration and Configuration Manual (#70)
+- [cosmos-gui] [HARDENING] Add TLS support (#77)
- [cosmos-gui] [BUG] The new_password route uses the stored username instead of the email-based one (#65)
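Review bot: The changelog entry "Add TLS support (#77)" should flag this as a breaking configuration change, because elsewhere in this patch the default `gui.port` moves from 80 to 443 and two new fields, `private_key_file` and `certificate_file`, become required for the process to start (they are read with `fs.readFileSync` at load time). Operators upgrading in place will otherwise find the GUI refusing to start or listening on an unexpected port; suggest wording such as "Add TLS support; default port is now 443 and a private key and certificate must be configured (#77)".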
diff --git a/cosmos-gui/README.md b/cosmos-gui/README.md
index 5b69d9a..2c6faf6 100644
--- a/cosmos-gui/README.md
+++ b/cosmos-gui/README.md
@@ -32,6 +32,8 @@ As seen, the storage cluster is always shared, and depending on the chosen flavo
In addition, the cosmos-gui can be used as a centralized dashboard where a user can explore its HDFS space and run [predefined MapReduce](https://github.com/telefonicaid/fiware-tidoop/tree/develop/tidoop-mr-lib-api) jobs, once his/her Cosmos account has been provisioned.
+[Transport Layer Security](https://en.wikipedia.org/wiki/Transport_Layer_Security) (TLS) is used to provide communications security through asymetric cryptography (public/private encryption keys).
+
[Top](#top)
##Installation
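Review bot: The added sentence misdescribes how TLS protects the connection and has a typo ("asymetric"). TLS uses the server's asymmetric key pair to authenticate the server and agree on session keys; the traffic itself is then encrypted with symmetric keys, not with the "public/private encryption keys". Suggest: "Transport Layer Security (TLS) is used to protect communications with the clients: the server's X.509 certificate and private key authenticate the server and establish a per-session symmetric key that encrypts the traffic."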
@@ -156,7 +158,9 @@ To be done.
cosmos-gui is configured through `conf/cosmos-gui.json`. There you will find a JSON document with six main *sections*:
* **gui**:
- * **port**: specifies the listening port for the application. By default it is 80, but can be changed if such a port is being used in your deployment.
+ * **port**: Specifies the listening port for the application. By default it is 80, but can be changed if such a port is being used in your deployment.
+ * **private\_key\_file**: File name containing the private key used to encrypt the communications with the clients.
+ * **certificate\_file**: File name containing the self-signed X509 certificate used by the server to send the clients the public counterpart of the above private key.
* **clusters**:
* **storage**
* **endpoint**: IP address or FQDN of the Namenode/HttpFS server of the storage cluster.
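Review bot: Two accuracy problems in the new `gui` fields, plus a stale default. `private_key_file` is described as the key "used to encrypt the communications with the clients", but in TLS the private key is used for server authentication and key exchange, not for encrypting application traffic; say "the server's TLS private key" instead. `certificate_file` is documented as "the self-signed X509 certificate", which reads as a requirement; a CA-issued certificate works equally well (and avoids browser warnings), so describe it as "the X.509 certificate for the server (self-signed or CA-issued)" and note that with a self-signed certificate browsers will warn until the certificate is trusted. Finally, `port` still says "By default it is 80", while `conf/cosmos-gui.json` in this same patch changes the default to 443; update the text to match. It is also worth documenting that the private key file must be readable only by the `cosmos-gui` user.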
@@ -165,26 +169,26 @@ cosmos-gui is configured through `conf/cosmos-gui.json`. There you will find a J
* **computing**
* **endpoint**: IP address or FQDN of the Namenode/HttpFS server of the computing cluster.
* **user**: Unix user within the Namenode/HttpFS server having sudo permissions.
- * **private_key**: user's private key used to ssh into the Namenode/HttpFS server.
+ * **private_key**: User's private key used to ssh into the Namenode/HttpFS server.
* **hdfs**:
- * **quota**: measured in gigabytes, defines the size of the HDFS space assigned to each Cosmos user.
+ * **quota**: Measured in gigabytes, defines the size of the HDFS space assigned to each Cosmos user.
* **superuser**: HDFS superuser, typically `hdfs`.
* **oauth2**:
* **idmURL**: URL where the FIWARE Identity Manager runs. If using the global instance at FIWARE LAB, it is `https://account.lab.fiware.org`.
- * **client_id**: this is given by the Identity Manager once the cosmos-gui has been registered.
- * **client_secre**t: this is given by the Identity Manager once the cosmos-gui has been registered.
+ * **client_id**: This is given by the Identity Manager once the cosmos-gui has been registered.
+ * **client_secret**: This is given by the Identity Manager once the cosmos-gui has been registered.
* **callbackURL**: URL used by the Identity Manager to return the control to the GUI once the delegated authentication step has finished. This must be `http://localhost:/auth`.
- * **response_type**: must be `code`.
+ * **response_type**: Must be `code`.
* **mysql**:
* **host**: IP or FQDN of the host running the MySQL server.
- * **port**: port the MySQL server is listening for new incoming connections. Typically 3306.
- * **user**: a valid user in the MySQL server with permissions to insert into the `cosmos_user` table.
- * **password**: password for the above user in MySQL.
- * **database**: must be `cosmos`.
-* **users_blacklist**: an array of strings not allowed to be a username.
+ * **port**: Port the MySQL server is listening for new incoming connections. Typically 3306.
+ * **user**: A valid user in the MySQL server with permissions to insert into the `cosmos_user` table.
+ * **password**: Password for the above user in MySQL.
+ * **database**: Must be `cosmos`.
+* **users_blacklist**: An array of strings not allowed to be a username.
* **log**:
- * **file_name**: path of the file where the log traces will be saved in a daily rotation basis. This file must be within the logging folder owned by the the user `cosmos-gui`.
- * **date_pattern**: data pattern to be appended to the log file name when the log file is rotated.
+ * **file_name**: Path of the file where the log traces will be saved in a daily rotation basis. This file must be within the logging folder owned by the the user `cosmos-gui`.
+ * **date_pattern**: Data pattern to be appended to the log file name when the log file is rotated.
[Top](#top)
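Review bot: The `callbackURL` line still says it "must be `http://localhost:/auth`", but after this patch the GUI only serves HTTPS (`https.createServer(httpsOptions, app).listen(port)` in `app.js`), so an `http://` callback registered with the Identity Manager will no longer reach the application; the documented scheme should become `https://`. While this hunk is mostly capitalisation fixes, the one substantive change it makes, correcting `client_secre**t` to `client_secret`, is worth calling out in the commit message since the previous rendering could have led readers to misspell the key.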
@@ -205,7 +209,7 @@ If everything goes well, you should be able to see in a web browser the login pa
![](doc/images/cosmos_gui__init.png)
-cosmos-gui typically listens in the TCP/80 port, but you can change it by editing `conf/cosmos-gui.conf`.
+cosmos-gui typically listens in the TCP/443 port (TLS encryption), but you can change it by editing `conf/cosmos-gui.conf`.
[Top](#top)
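Review bot: The rewritten sentence points users to `conf/cosmos-gui.conf`, but the configuration file is `conf/cosmos-gui.json` (as the configuration section above and the `cosmos-gui/conf/cosmos-gui.json` hunk in this patch both show); fix the file name. Also consider stating explicitly that the listener is HTTPS only, i.e. there is no plain HTTP listener or redirect on TCP/80, so existing bookmarks to `http://` will fail rather than be redirected.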
diff --git a/cosmos-gui/conf/cosmos-gui.json b/cosmos-gui/conf/cosmos-gui.json
index 80ba119..282210a 100644
--- a/cosmos-gui/conf/cosmos-gui.json
+++ b/cosmos-gui/conf/cosmos-gui.json
@@ -1,6 +1,8 @@
{
"gui": {
- "port": 80
+ "port": 443,
+ "private_key_file": "",
+ "certificate_file": ""
},
"clusters": {
"storage": {
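Review bot: Shipping `private_key_file` and `certificate_file` as empty strings means the unmodified default configuration cannot start: `fs.readFileSync("")` throws `ENOENT` in `app.js` before the server is created, with no hint about which setting is missing. Either ship placeholder paths that make the intent obvious (e.g. a path under the `cosmos-gui` configuration directory) and document that they must exist, or have `app.js` validate both fields and exit with a clear message when they are empty. The README should also state that the private key file must be readable only by the `cosmos-gui` user.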
diff --git a/cosmos-gui/src/app.js b/cosmos-gui/src/app.js
index d57bf0a..85869fd 100644
--- a/cosmos-gui/src/app.js
+++ b/cosmos-gui/src/app.js
@@ -25,6 +25,8 @@
// Module dependencies
var express = require('express');
+var https = require('https');
+var fs = require('fs');
var boom = require('boom');
var stylus = require('stylus');
var nib = require('nib');
@@ -49,6 +51,10 @@ var scEndpoint = config.clusters.storage.endpoint;
var ccPrivKey = config.clusters.computing.private_key;
var ccUser = config.clusters.computing.user;
var ccEndpoint = config.clusters.computing.endpoint;
+var httpsOptions = {
+ key: fs.readFileSync(config.private_key_file),
+ cert: fs.readFileSync(config.certificate_file)
+}
// Express configuration
var app = express();
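Review bot: The new `httpsOptions` block reads `config.private_key_file` and `config.certificate_file` from the top level of the configuration object, but the JSON hunk places both keys under `gui` (alongside `port`), so these evaluate to `undefined` and `fs.readFileSync(undefined)` throws at module load. They should be `config.gui.private_key_file` and `config.gui.certificate_file`, consistent with how `port` is read. It would also be safer to check that both values are non-empty and that the files exist before calling `readFileSync`, and to log a clear error naming the missing setting rather than letting the uncaught exception surface. Minor style point: the object literal is missing its terminating semicolon.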
@@ -209,6 +215,6 @@ mysqlDriver.connect(function(error, result) {
} else {
// Start the application, listening at the configured port
logger.info("cosmos-gui running at http://localhost:" + port);
- app.listen(port);
+ https.createServer(httpsOptions, app).listen(port);
} // if else
});
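Review bot: The log message on the unchanged line just above, `"cosmos-gui running at http://localhost:" + port`, is now wrong: the server created with `https.createServer(...)` speaks only HTTPS, so the message should say `https://`. Since this removes the plain `app.listen(port)` entirely, note in the commit message or README that no HTTP listener remains and that clients must connect over TLS; if a transition period is needed, a separate HTTP listener that redirects to the HTTPS port would be the usual approach.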