kentonv changed the topic of #sandstorm to: Welcome to #sandstorm: home of all things sandstorm.io. Say hi! | Have a question but no one is here? Try asking in the discussion group: https://groups.google.com/group/sandstorm-dev | Public logs at https://botbot.me/freenode/sandstorm/
Draft_FR has joined #sandstorm
<Draft_FR> Hi everyone, we have this project with https://communecter.org to create a free (like free software) project management tool inside of the platform.
<Draft_FR> So anyone who creates a group or a project in the platform can have access to different management tools to improve his way of communicating in intern and in extern.
<Draft_FR> The goal is to be able pretty easily to open his project so anyone can contribute
<Draft_FR> It seems quite like the same project as yours, but it seems totally different too.
<Draft_FR> Do you think we could work together ?
<simpson> Draft_FR: How do you feel about the security goals of Sandstorm?
harish has quit [Remote host closed the connection]
<Draft_FR> @simpson : What do you mean ?
harish has joined #sandstorm
<simpson> Draft_FR: I mean that a large portion of the Sandstorm idea is to improve the security of Web apps by altering the structure of the underlying platform.
<Draft_FR> What's the purpose of improving security of apps ? (I'm not a computer scientist)
<simpson> Better security is its own reward IMO.
<Draft_FR> What's the objective behind a better security ? What's the utility of it ? I mean when you talk about open management tool. Maybe it's for robot not to spam your loomio's group for example ?
<simpson> For me personally, the objective is *herd immunity*. It's the rationale behind e.g. trying to coat the Web with TLS.
harish has quit [Ping timeout: 240 seconds]
<Draft_FR> Well, I really don't know about it, but it seems nice :)
<Draft_FR> But it doesn't answer my question ;)
<simpson> I can't speak to your original question. I'm on the sidelines as far as Sandstorm; I'm just here to learn.
<Draft_FR> Uh XD
<Draft_FR> Fair enough ;)
<Draft_FR> Well, I'm going to bed right now, see u !
Draft_FR has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client]
ogres has quit [Quit: Connection closed for inactivity]
isd has quit [Ping timeout: 255 seconds]
ogres has joined #sandstorm
harish has joined #sandstorm
demonimin_ has joined #sandstorm
demonimin has quit [Ping timeout: 268 seconds]
_whitelogger has joined #sandstorm
aggelos_ has quit [Ping timeout: 240 seconds]
aggelos_ has joined #sandstorm
tobald has joined #sandstorm
xet7 has joined #sandstorm
ogres has quit [Quit: Connection closed for inactivity]
harish has quit [Ping timeout: 240 seconds]
DanC has quit [Ping timeout: 240 seconds]
solly has joined #sandstorm
<solly> hello
<JonTheNiceGuy> Hey!
solly has quit [Quit: http://www.kiwiirc.com/ - A hand crafted IRC client]
afuentes has joined #sandstorm
idlemoor has joined #sandstorm
Aliekezhi has joined #sandstorm
<Aliekezhi> hi, I'm trying to set up https for sandstorm. My sandstorm is accessible via http://myurl.com:6080 ; if I add HTTPS_PORT=443 to sandstorm.conf, my sandstorm server is not accessible at all both in http and https...
<Aliekezhi> should I change then BASE_URL and WILDCARD_HOST to 443 port ?
<Aliekezhi> or any other idea ?
harish has joined #sandstorm
<Aliekezhi> in which directory of /opt/sandstorm is the root directory for the apache access ?
ogres has joined #sandstorm
tobald has quit [Ping timeout: 268 seconds]
tobald has joined #sandstorm
<JonTheNiceGuy> Hey Aliekezhi: Sandstorm doesn't really run like that....
DanC has joined #sandstorm
<JonTheNiceGuy> Do you have a reverse proxy (like Apache) in front of it?
<JonTheNiceGuy> Or, are you going to just run Sandstorm on that machine?
bodisiw has joined #sandstorm
terravires has joined #sandstorm
<terravires> hi all, I've got sandstorm installed with apache reverse proxy, and have a wildcard dns for *.sandstorm.lan that resolves to 127.0.0.1. I cannot install or use any apps though, it just gets stuck on installing
<JonTheNiceGuy> So, here's how I have it working at home: https://gist.github.com/JonTheNiceGuy/aaecbfa50605ddd3399b74b933ba7760
<JonTheNiceGuy> Note, I bind Nginx to the "real" IP (192.168.1.100) ONLY not 0.0.0.0
<JonTheNiceGuy> That then means I can bind sandstorm to 127.0.0.1:443 and 127.0.0.1:6080 which means I can use sandcats.io
<Aliekezhi> JonTheNiceGuy, I'm using a self-signed certificate, using apache not nginx
<terravires> not sure if that was to me, but I'm using a lets encrypt cert with SNI and virtual hosts. That all works, sandstorm doesn't seem to be working and logs give no errors
<JonTheNiceGuy> Aliekezhi: so, it's a pointer to how you might want to make it work, I understand it's not tailored to your situation. I think there are some docs on the sandstorm site which might help you out further, but I'm not sure (I'm not a Sandstorm dev, just a user)
<JonTheNiceGuy> terravires: Sorry, your timing was just perfect ;) I seem to recall that it might be due to it not forwarding the WebSockets stuff that might cause those issues... again, not a dev, just a user.
<terravires> JonTheNiceGuy, might be, I setup forward and reverse proxy for apache, and had to include headers (off by default)
<terravires> JonTheNiceGuy, any url or info you can give me for the websocket setup?
<Aliekezhi> JonTheNiceGuy, well actually I followed the docs without a working result....
<Aliekezhi> JonTheNiceGuy, I mean I have to disable https on sandstorm config for it to work...(in http, that shouldn't be allowed !)
<Aliekezhi> JonTheNiceGuy, there shouldn't be any problem with apache itself, as another software is working using https on the same server (OTRS)
<JonTheNiceGuy> Aliekezhi: Try running systemctl status sandstorm and see whether when you enable the HTTPS port that it actually starts again.
<JonTheNiceGuy> I suspect you have an IP collision, which means it's preventing it from starting the service up - hence no access on 6080 AND 443
<JonTheNiceGuy> Right, back to work for me. If I can make any further suggestions between stuff, I will. Hope it works out for you both!
<JonTheNiceGuy> Also, it might be worth asking on the mailing list mentioned in the topic - someone there might pick it up in a different timezone and help out. At worst case, Kenton (the project lead) tends to reply to stuff at the weekends, so while it might not be an immediate response, you will get something eventually
<terravires> JonTheNiceGuy, Ah, cheers. While that didn't fix it, I now finally have an error in apache about missing protocol handler for websockets
<JonTheNiceGuy> TADA! terravires awesome (well, ish) news!
tobald has quit [Ping timeout: 268 seconds]
<Aliekezhi> JonTheNiceGuy, no error in sandstorm status
<JonTheNiceGuy> If you `netstat -antp` as root do you see Sandstorm appearing there for both ports?
<Aliekezhi> JonTheNiceGuy, here is the config I'm using : https://bpaste.net/show/50a72b540d9b
<Aliekezhi> JonTheNiceGuy, weird, sandstorm is listening only to 30025 and 6080
<terravires> hum... I think I see the problem. And looks like I won't be able to use sandstorm if it's true. :(
xet7 has quit [Quit: Leaving]
<Aliekezhi> JonTheNiceGuy, maybe because apache is already listening to 443 ?
xet7 has joined #sandstorm
<terravires> so the wildcard "sandboxes" that it creates and getting passed to the client. And it wants to access <randomstring>.sandbox.lan. My expectation was that using reverse proxy would mean apps just accessed localhost and results were sent via apache 443.
xet7 has quit [Client Quit]
<JonTheNiceGuy> Aliekezhi: Ahhh, so you can force Apache to bind to 192.168.1.1 instead of 0.0.0.0 with (offhand) /etc/apache2/ports.conf then restart apache. Or, use a different port for Sandstorm.
<JonTheNiceGuy> terravires: Apologies - yes, it needs the wildcard DNS and TLS to work.
<terravires> JonTheNiceGuy, I have wildcard setup, but it's for internal use by the server.
<terravires> JonTheNiceGuy, SSL cert (letsencrypt) does not issue wildcards so I can't use it for public facing side. Why I tried to use reverse proxy route
<Aliekezhi> JonTheNiceGuy, the magic with new apache (httpd) is that config file doesn't exist anymore ^^ yeah I'll try to use another port
<JonTheNiceGuy> terravires: so, I have both on my machine - letsencrypt for my "home machine", and also jontheniceguy.sandcats.io for Sandstorm - both are using Nginx (but Apache would work too)
<JonTheNiceGuy> Your best bet in that case is to take a look at the git repo I mentioned in that gist above to extract the sandcats.io certificate and use it within Apache's config.
<Aliekezhi> JonTheNiceGuy, hum, maybe I should configure httpd to redirect to sandstorm, but any idea how ? I have no idea where in /opt/sandstorm...
<Aliekezhi> (instead of default /var/www)
<Aliekezhi> I didn't find any index.cgi or index.html page :/
<JonTheNiceGuy> Aliekezhi: It's not a website like that. It's a whole sandboxing service. It spawns its own virtual machines and proxies those as a web service.
<JonTheNiceGuy> Your only option is to forward HTTP/HTTPS requests to the Sandstorm bound ports.
<Aliekezhi> Well I tried using 6082 as https port, sandstorm is listening there but still no access...
<Aliekezhi> nothing is working but not error log...
<JonTheNiceGuy> Right, I must carry on working - I hope you guys get it sorted out. I think you're probably best off working together as you're both (basically) trying to do the same thing.
<JonTheNiceGuy> Check that the service is listening, that it responds to an HTTPS request against the bound service, and if so, making sure that request is being passed to that service when you try to pass it through Apache.
<JonTheNiceGuy> I really hope it works for you, and if I get a chance later to check back in, I'll see what I can do to help further.
<Aliekezhi> JonTheNiceGuy, ok thanks
<terravires> seems the wildcard requirement is an issue for a good many people. Sadly, won't meet my requirements I'm afraid.
<JonTheNiceGuy> terravires: It's work-around-able... I previously had a *.sprig.gs (my DNS name) wildcard certificate for my machine, and pointed *.sandstorm.sprig.gs to it. Likewise, I have moved over to using jontheniceguy.sandcats.io for my Sandstorm instance and both worked fine for me. But, I work in Network Security, so I'm pretty comfortable making changes with stuff like that.
<JonTheNiceGuy> If anything, it's the exact reason they started running sandcats.io - was to make that part of the process easier for people
<terravires> JonTheNiceGuy, I've got several reasons why it's a problem (vpn being one) but as I said, seems to be an issue for people.
<terravires> just going to have to locate a more suitable solution. Looks like a great package if you can use it in your environment.
<JonTheNiceGuy> OK, well, 'tis a shame, but... hopefully there comes a time when it is something you can use. Until then, you can always use oasis.sandstorm.io for stuff you don't mind Sandstorm Inc. (if I remember rightly) having access to it...
<JonTheNiceGuy> terravires: is it for corporate use?
<terravires> Mixed, yes.
<JonTheNiceGuy> Why not put it on a VM on that machine, with a bridged NIC? You can set up a wildcard DNS and TLS cert for that VM that doesn't interfere with anything else on that machine then.
<JonTheNiceGuy> Are you terminating the VPN on that host too?
<terravires> Yes, I actually have a mix of VPNs and domains pointed and a rather complex setup (hence the SNI) so I'm kind of limited in what I can change without breaking other things.
<terravires> I was just hoping I could host internally on DMZ host and then proxy in the clients. Doesn't look like that works at this point.
<JonTheNiceGuy> Ah, understand.
<JonTheNiceGuy> If it's something you want to go through at more length in a less public forum, please feel free to email me jon@sprig.gs and I'll reply at more length, if you need any help, but if you're happy to park it there, that's fine too. I think Sandstorm is awesome, and I'd love to see more people using it... especially in a professional setting.
<terravires> JonTheNiceGuy, cheers for the kind offer. Though as I said I'm rather limited what I can do without breaking existing setup. Sandstorm does look very nice. Just that requirement ends up making it deal breaker for my setup.
<JonTheNiceGuy> NP
ill_logic has quit [Quit: ill_logic]
isd has joined #sandstorm
Aliekezhi has quit [Quit: Leaving]
georgeowell has joined #sandstorm
ill_logic has joined #sandstorm
<georgeowell> Just curious, are there any plans to tackle the fact that a lot of the apps on the app store are really out of date?
<georgeowell> RocketChat, Wordpress etc
<JonTheNiceGuy> georgeowell: there's a bounty board which has been set up to fund people who can bring them up to date, and more to encourage upstream authors to include the sandstorm changes to their builds. Let me dig out the URL for that
<JonTheNiceGuy> georgeowell: http://sandsheep.com/bb
tobald has joined #sandstorm
<georgeowell> JonTheNiceGuy: sounds like a good strategy :)
<JonTheNiceGuy> To be fair, Ethercalc hosts its own package on its own branch (according to the notes over there), and they'll pay 40USD per app port and 10USD per app major upgrade.
<JonTheNiceGuy> Sorry, the BB pays out $40 and $10
<georgeowell> It just seems a shame considering the security focussed design of Sandstorm.
<isd> Hrm, rocket.chat actually has the sandstorm support in the upstream repo; has someone actually tried building it and failed, or have we just not pushed new binaries?
<isd> We really ought to at least have a point-person for the stuff we're shipping with the platform proper.
<isd> Latest release is 0.56, app market has 0.53
<isd> (there are rcs for 0.57)
<isd> I'm going to see what happens if I try to build this.
<georgeowell> afaik there's also been some security fixes since 0.53
<georgeowell> I wonder if some of the blog platforms are low hanging fruit also
<georgeowell> Wordpress and Ghost.
* isd is running vagrant-spk vm up in the rocket.chat source tree
terravires has quit [Quit: Leaving]
* isd runs vagrant-spk dev
* isd grumbles about how slow npm is
<isd> How did javascript builds get slower than 90% of languages that actually *have compilers*?
* isd stops grumbling
<isd> blech, yeah there's an actual build failure
<isd> So that's going to need the attention of someone who can dig into a meteor app
<isd> I think probably some of the same issues that were discussed on the mailing list recently re: meteor
isd has quit [Quit: Leaving.]
rolig has quit [Quit: Quit]
Zarutian has joined #sandstorm
Telesight has joined #sandstorm
rolig has joined #sandstorm
isd has joined #sandstorm
bodisiw has quit [Quit: Leaving]
derf- has joined #sandstorm
Telesight has quit [Remote host closed the connection]
isd has quit [Read error: Connection reset by peer]
isd has joined #sandstorm
isd has quit [Quit: Leaving.]
tobald has quit [Ping timeout: 240 seconds]
<georgeowell> That's a shame. Perhaps some folks from RocketChat project could help.
ogres has quit [Quit: Connection closed for inactivity]
jemc has joined #sandstorm
afuentes has quit [Ping timeout: 260 seconds]
jemc has quit [Ping timeout: 240 seconds]