Force SSL by default

[ywecur]

Currently there is no way to force clients to connect via SSL, making communication insecure by default.

I'm not sure how this would be implemented, though I know of this meteor package that forces SSL, which might help.

And as @geekgonecrazy has pointed out to me: A toggle might be useful during the initial setup.

[geekgonecrazy]

Also as discussed maybe if the site url has https:// in it then we could force ssl by default. But for sure we need a toggle

[ywecur]

@geekgonecrazy Maybe add the contrib: easy lable?

[geekgonecrazy]

Going to tack on intermediate. Because I assume easy, but it might throw a curve ball :)

[engelgabriel]

Meteor won't handle the SSL directly, the NGINX or other reverse proxy will do that. I think it makes more sense to configure the redirect there (like we do on the demo server) rather than on the app level. It's far more effective/secure and much faster.

[Megatronic79]

@engelgabriel agree with you there, the reverse proxy should handle the SSL connection termination and can force all http to https easily. (as well as secure numerous other web security issues.)

[ywecur]

@Megatronic79 Will this also apply to the mobile apps?

[engelgabriel]

It will apply to ALL connections.

[Megatronic79]

The mobile apps connect to the same endpoint as the web services, if the reverse proxy is set to force all http to https then all traffic will be encrypted.

[ywecur]

Nevertheless, this is something that should be apparent in the tutorial. I found no mention of this before I deployed my instance to Heroku. Not forcing SSL is a big privacy and security risk IMO.

[vargasbo]

Agree. Maybe you can document this and issue the PR.

[ywecur]

@vargasbo How would one document this? I'd prefer a script that does this automatically, if this is possible to achieve that is.

[vargasbo]

You can add create a new wiki page (how to force SSL) add your 2 cents, and then link to the existing wiki page.

[Megatronic79]

SSL and reverse proxy is already part of the wiki here:

https://github.com/RocketChat/Rocket.Chat/wiki/Run-Rocket.Chat-behind-a-SSL-Reverse-Proxy

I guess a step on the Heroku page needs to point to this with a security note.