Commit 2f461da8 authored by Thomas Gambier 🚴🏼

software/galene: use new insecure option

Since Galene is behind our frontend, no need to take care of the HTTPS certificates.
parent 15388d59
Pipeline #13070 failed with stage in 0 seconds
......@@ -15,4 +15,4 @@
[instance-cfg]
filename = instance.cfg.in
md5sum = 270b39f448ec553fa9e203c5fbb49856
md5sum = cc1f28b6906f00b9fab2da7728fcdcb7
......@@ -36,14 +36,6 @@ data = $${:srv}/data
groups = $${:srv}/groups
recordings = $${:srv}/recordings
[galene-ssl]
recipe = plone.recipe.command
cert-file = $${directory:data}/cert.pem
key-file = $${directory:data}/key.pem
command = ${openssl:location}/bin/openssl req -newkey rsa:2048 -batch -new -x509 -days 3650 -nodes -keyout "$${:key-file}" -out "$${:cert-file}"
update-command =
stop-on-error = true
[admin-password]
recipe = slapos.cookbook:generate.password
storage-path = $${directory:data}/.passwd
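Review bot: Dropping the [galene-ssl] section removes the only key and certificate generation visible in this file, so the hop from the frontend to galene loses encryption entirely; the commit message justifies that only by the existence of a frontend, not by who can reach the backend address. If the objection is to the old setup itself (the openssl req command produces a self-signed certificate with -days 3650 and an unencrypted key via -nodes), a narrower change is to keep the section and have the frontend pin cert-file instead of removing TLS.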
......@@ -77,9 +69,9 @@ command-line =
-groups $${directory:groups}
-data $${directory:data}
-http [$${:ip}]:$${:port}
-insecure
wrapper-path = $${directory:services}/galene
depends =
$${ice-servers.json:recipe}
$${groups-json:recipe}
$${galene-ssl:recipe}
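Review bot: -insecure sits right next to -http [$${:ip}]:$${:port}, so galene will answer in cleartext on whatever address $${:ip} resolves to, and nothing in this hunk limits that listener to the frontend. Either keep $${galene-ssl:recipe} in depends and leave TLS on, or add a comment in command-line stating the network assumption that makes plain HTTP acceptable here (for example that the address is only routable from the frontend).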
  • it's still a bit better to use https anyway, we can not trust the link between frontend and backend

  • ( but I'm not sure how much https with a non verified self signed certificate is better than plain http )

  • @tomo, I just wanted to say here what @jerome said: is it a good idea? With plain HTTP in between frontend-backend anyone can intercept that traffic...

  • I agree with @jerome and @kirr.

    What is the problem using ssl @tomo ? Or, do you expect galene to be hosted only on the CDN servers?

    Edited by Romain Courteaud
  • mentioned in commit 84a54732

  • you're right. I just reverted the commit.

    I just took into account the simplicity of the slapos recipe but not the security.
