
I have a website served over HTTPS. I need this site to be like this as it is configured to work with service workers.

This website needs to request some information from a local service running in the organization, but the problem is that this local service has a self-signed certificate and so Chrome denies the connection.

The idea of this website is that if you get into it from one organization, it should show some information, and if you get into it from another organization you should see different information. It depends on where you get into the site from.

The problem is that each organization has its own network, so in one organization this service might be running at 192.168.1.106 and in another organization this service could be at 10.0.1.9.

The question is: Is there a way to run this service over HTTPS? I don't want the user to install the certificate on his system.

Thank you!

  • So, the page, rather than the host server, is making a request to a service at an IP, presumably something like an AJAX request? In that case, would it not be possible to mask the IP with a domain/host name and stick a valid certificate in there? You could even use one domain and 1 subdomain per client, and automate it all with Let's Encrypt. – Joe Brailsford Jun 26 '17 at 13:30
  • Thank you for replying. The problem is that the IP in the local network is not static and it may be changed, so the DNS would point to an invalid IP if this changes. – Federico De Marines Jun 26 '17 at 17:52
  • It is *possible* to get an SSL cert registered for an IP address, but that could be costly. Essentially, you have three options: get a valid SSL cert, get the user to register a cert (have a popup or something to explain it and guide them through it) or use plain HTTP. What you're seeing is security in action. I'm sure you can circumvent it, but it's there for a reason, and so is the word "compliance". Unfortunately, we all have to comply. – Joe Brailsford Jun 26 '17 at 21:24

1 Answer


My apologies, I don't have enough reputation to just comment.

  1. I believe the setup in this question is close to what you need. The idea is just to add the self-signed backend certificate to a local CA store on the nginx server and then configure nginx to act as a reverse proxy instead of directly allowing clients to connect to the backend. This will still require some manual setup, though.

  2. Set nginx to act as a reverse proxy, but instead of adding the backend CA to the local cert store you can just disable backend SSL verification, as described here. Not a very good idea, but it should work.

J''
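The two options from the answer above, side by side as an nginx configuration. This is an added example, not part of the original answer or the posts it links to. The public hostname, the certificate file paths and the backend certificate name are placeholders, and it assumes nginx itself holds a publicly trusted certificate for the browser-facing side.

```nginx
# Added example. Hostnames and file paths are placeholders (assumptions).
# Browser -> nginx: publicly trusted certificate (assumed to exist).
# nginx -> backend: the service's self-signed certificate.

server {
    listen 443 ssl;
    server_name service.example.org;              # placeholder public name

    ssl_certificate     /etc/nginx/tls/service.example.org.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/service.example.org.key;

    # Option 1: trust exactly the backend's self-signed certificate and verify it.
    location /verified/ {
        proxy_pass https://192.168.1.106/;        # backend address from the question

        # PEM copy of the backend's self-signed certificate (placeholder path).
        proxy_ssl_trusted_certificate /etc/nginx/tls/backend-selfsigned.pem;
        proxy_ssl_verify on;                      # nginx's default is "off"

        # proxy_pass targets an IP, so state the name the certificate was
        # issued for (placeholder) and send it as SNI.
        proxy_ssl_name        backend.internal;
        proxy_ssl_server_name on;
    }

    # Option 2: verification disabled. The hop to the backend is encrypted
    # but not authenticated: nginx accepts whatever certificate is presented
    # by whichever host answers on that address.
    location /unverified/ {
        proxy_pass https://192.168.1.106/;
        proxy_ssl_verify off;
    }
}
```

Because `proxy_ssl_verify` defaults to `off`, a plain `proxy_pass https://...` with no other `proxy_ssl_*` directives already behaves like option 2.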