Thursday, May 26, 2016

Please, use HTTPS for your APEX apps

Why use HTTPS?

When you Google this question you get many different answers, but this answer from Google Developers sums it up for me (click the link for more details):
  • HTTPS protects the integrity of your website/APEX app
  • HTTPS protects the privacy and security of your users
  • HTTPS is the future of the web; many new technologies only work over HTTPS (for example Service Workers; you can read more about Service Workers and APEX in my presentation)
The industry is moving to HTTPS

Websites used to have an HTTP part and an HTTPS part, the latter only becoming active when you logged in to the site, but nowadays everything runs under HTTPS. Google actually ranks your site higher when it uses HTTPS. Look at the sites you visit; many of them now use HTTPS by default.

HTTPS on localhost

If you're developing locally, you don't really need HTTPS on localhost, but I still like to have it.
Here are the steps I followed in Chrome on my Mac (OS X) to get the nice green lock when developing locally (this also works with APEX Front-End Boost):
  • In the address bar, click the little lock with the X. This brings up a small information screen. Click the button that says "Certificate Information."
  • Click and drag the certificate image to your desktop.
  • Double-click it. This brings up the Keychain Access utility. Enter your password to unlock it.
  • Be sure you add the certificate to the System keychain, NOT the login keychain.
  • After it has been added, double-click it.
  • Expand the "Trust" section and set "When using this certificate" to "Always Trust".
  • Close Keychain Access and restart Chrome; your self-signed certificate should now be recognized by the browser.
HTTPS on your own server

For years I've been using SSL certificates ordered from GoDaddy, but depending on the certificate you get, it might not be that cheap. The APEX R&D website uses a multi-site certificate; the same certificate is used for the APEX Office Print website.

But there's some good news... you can get SSL for free too (and it's very easy to do!), thanks to Let's Encrypt. I used Let's Encrypt to protect the Euro2016challenge.eu APEX app/website, for example.
Here's the Getting Started Guide from Let's Encrypt. This is the command I used (after installing the package); certonly only obtains the certificate and leaves your web server configuration untouched, and the --webroot plugin proves you control each -d domain by placing a challenge file under the -w directory, which your web server must serve over plain HTTP:

./letsencrypt-auto certonly --webroot -w /var/www/euro2016 -d euro2016challenge.eu -d www.euro2016challenge.eu


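As an added example (not from the original post or from the Let's Encrypt project), here is an Apache 2.4 virtual host that uses the certificate the certonly command above writes under /etc/letsencrypt/live/, redirects plain HTTP to HTTPS while still serving the ACME challenge for renewals, and proxies to Tomcat/ORDS behind it. Assumptions: Apache runs on the same host as Tomcat, ORDS is deployed at /ords on port 8080 with the APEX images at /i/, and Tomcat is configured to honour X-Forwarded-Proto (RemoteIpValve).

```apache
# Added example (not from the original post): Apache 2.4 reverse proxy in front of
# Tomcat/ORDS using the certificate obtained with the certonly command above.
# Assumed: ORDS at http://localhost:8080/ords, APEX images at /i/, challenge
# webroot /var/www/euro2016, modules mod_ssl/mod_proxy_http/mod_headers/mod_rewrite.

<VirtualHost *:80>
    ServerName euro2016challenge.eu
    ServerAlias www.euro2016challenge.eu

    # Keep serving the ACME challenge over plain HTTP so renewals keep working
    DocumentRoot /var/www/euro2016
    <Directory "/var/www/euro2016/.well-known/acme-challenge">
        Require all granted
    </Directory>

    # Everything else gets a permanent redirect to HTTPS
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName euro2016challenge.eu
    ServerAlias www.euro2016challenge.eu

    SSLEngine on
    # Files written by letsencrypt-auto, named after the first -d domain;
    # fullchain.pem includes the intermediate so browsers can build the chain
    SSLCertificateFile    /etc/letsencrypt/live/euro2016challenge.eu/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/euro2016challenge.eu/privkey.pem
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Ask browsers to use HTTPS only for this host (and subdomains) for a year
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # Tell Tomcat/ORDS the client used HTTPS so APEX builds https:// links;
    # Tomcat must trust this header (assumed: RemoteIpValve in server.xml)
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPreserveHost On
    ProxyPass        /ords http://localhost:8080/ords
    ProxyPassReverse /ords http://localhost:8080/ords
    ProxyPass        /i/   http://localhost:8080/i/
    ProxyPassReverse /i/   http://localhost:8080/i/
</VirtualHost>
```

Run apachectl configtest before reloading, and reload Apache after each certificate renewal so the new files under /etc/letsencrypt/live/ are picked up.
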
If you're not yet on HTTPS with your APEX app/site, I would definitely recommend looking into it :)

14 comments:

Anonymous said...

Great post. I didn't know about letsencrypt. I'll definitely check it out.

Tim... said...

The chances are you are going to front your production application with a reverse proxy or load balancer (which provides reverse proxy functionality). When I say "reverse proxy" in the following sentences, I mean "reverse proxy or load balancer". In both cases, these can provide your SSL termination, so this gives you a couple of options.

1) Don't bother encrypting APEX. Interaction between the client and reverse proxy is encrypted, but internal communication between your reverse proxy and APEX is not encrypted. The reverse proxy is providing your SSL termination.

2) Encrypt APEX. Still do your main SSL termination at the reverse proxy, then re-encrypt so the internal comms between the reverse proxy and APEX are encrypted.

By choice, I would never make an app server publicly accessible. Your typical load balancer can cope with massive throughput of traffic. They usually have full proxy capabilities. What's more, they can help protect against attacks (including DDoS) in a number of ways. Exposing something like WebLogic or Tomcat to the world is a disaster waiting to happen. :)

Cheers

Tim...

Dimitri Gielis said...

Hi Tim,

Thanks for the comment and addition.

Maybe the title of the post is confusing; what I meant is: make sure you use HTTPS, regardless of where you configure SSL, when exposing your APEX apps. I didn't go into the architectural part, and as you describe, you have choices there.
In fact, my architecture for the sites I listed in the post is that they are all fronted with an Apache reverse proxy, and some even with another load balancer. So it's Load Balancer (optional) - Apache Reverse Proxy - Tomcat/ORDS - DB :)
(see also http://dgielis.blogspot.be/2015/01/preparing-architecture-for-apex-50.html)

Thanks again,
Dimitri

Apex Work said...

This is an APEX-based public website with a green HTTPS bar.
famproperties.com

Jeffrey Kemp said...

Great article.

A couple years ago I bought an SSL cert to protect my domain, and in order to use it I had to change all my subdomains (e.g. app1.jk64.com) into paths underneath the main domain (e.g. jk64.com/app1).

With LetsEncrypt, I can now serve all my clients on whatever domain they want - whether app1.jk64.com or app1.clientsdomain.org or whatever.

Karen said...

Great post - thank you. Off to investigate LetsEncrypt...

Anonymous said...

Hi, but is it working with the APEX Listener?
I have APEX 5 on 12g with an APEX Listener.
Regards, Steffen

Tolis I. said...

Hello,
I was wondering how someone can add a service worker to an APEX application. I tried to implement it by uploading the service worker .js file to Static Workspace Files and adding the service worker registration code, referencing the .js file as #WORKSPACE_IMAGES#service-worker.js and setting the scope to './#WORKSPACE_IMAGES#', but it didn't work. I get a 404 error saying that the resource file couldn't be found. How can we implement a service worker in APEX?

Thanks a lot!

Tolis I. said...

Hello,

I was wondering how we can implement a service worker in an APEX application. Where should we upload the service-worker.js file, and what scope should we give in the JavaScript function when registering the worker?

Thanks a lot!

Regards,
Tolis.

Dimitri Gielis said...

Hi Tolis,

You would need to put the file on your webserver.
And then in your page you reference the file on the webserver.

Hope that helps,
Dimitri

Driven property said...

Great post - thank you.

thanhtu88 said...

Hi Dimitri,

How do we configure ORDS for multiple domains with Let's Encrypt?

Roger Adams said...

Very interesting article.

Fahd said...

I am using APEX 5.1.4, ORDS and Tomcat; I still don't understand how to get HTTPS?