Posted to users@jena.apache.org by Danny Ayers <da...@gmail.com> on 2021/10/02 17:27:45 UTC

Re: Fuseki security : ACL, https etc.

On Mon, 27 Sept 2021 at 21:05, Martynas Jusevičius <ma...@atomgraph.com>
wrote:

> Danny,
>
> Have you checked
> https://jena.apache.org/documentation/fuseki2/fuseki-security.html


Yes, thanks, but so far only really looked at wide open...


>
>
> Re. the first part, your Fuseki runs on http:// but your links lead to
> https://. If you fix the links to be http://, the data from Fuseki
> will still not load because the browser will not load insecure content
> for a secure page.
>
> So yes you need to put Fuseki on https:// and you need a certificate
> for it.


Right. Oddly there does seem to be a loophole (bug) somewhere with Chrome,
my minimal bookmarking app was doing updates to the store without running
into the insecure-inside-secure browser thing. I haven't been able to
isolate why those scripts work and others don't - some fluke.



> You can get them free using LetsEncrypt:
> https://letsencrypt.org/



That is very useful information!

Kind-of ironically, I'd set up hyperdata.it with a pay-for cert from the
DNS co. I use, gandi.net. It looked ok as https in the browser.
I was trying to get an old server-side Java app running, an RSS aggregator.
Some obscure problems, so cut the list down to just my blog, allegedly
https://hyperdata.it/blog. Got an error from Java complaining of an
incomplete cert chain.
Spent *ages* trying to figure out the right combo of cert files in Apache,
no joy.
So tried letsencrypt.org via certbot.
Initial silliness thanks to XAMPP dir layout (needed sudo certbot
--apache-ctl /opt/lampp/bin/apachectl), but then it Just Worked.

So I've still a little fiddling to do, but solution seems in sight: I think
I'll put a cert on fuseki.hyperdata.it, tweak DNS & have Apache do a rev
proxy to :3030.


>
>
> If you want to consider AWS, we are currently working on pre-packaged
> Fuseki that takes one click to install, with HTTPS and all.
> https://twitter.com/namedgraph/status/1442497225444126722


That will be a very pleasing thing!

Many thanks.

btw, atomgraph.com appears to be timing out.

Cheers,
Danny.


>
> Martynas
> atomgraph.com
>
> On Mon, Sep 27, 2021 at 8:52 PM Danny Ayers <da...@gmail.com> wrote:
> >
> > Hiya,
> >
> > For the first time in ages I've got a host, want Fuseki as my main
> backend
> > but am struggling with aspects related to security. Some specific issues,
> > but broader problems, seems likely other folks have dealt with them
> > already. (I have no idea of current best practices, even less on security
> > in general). Mostly not Fuseki-specific...
> >
> > I've got Fuseki running happily on the server - behind a reverse proxy on
> > Apache, a XAMPP* install on Ubuntu. I would like to leave the endpoints
> > open for read, restricted write.
> > Right now may be totally visible at http://hyperdata.it:3030, creds:
> admin
> > sasha.
> >
> > The twistiest issue:
> > I'm serving a page, https://hyperdata.it/newsmonitor/river.html which
> > includes an Ajax query to a SPARQL endpoint on Fuseki.
> > I have an SSL certificate on the server. Browser balks. Straight http
> > called inside page served over https not liked. Something like 'mixed
> > messages'.
> > Do I really have to pay for another certificate to cover port 3030?
> > Workaround?
> >
> > More general question is how to manage sitewide access control. Ideally
> I'd
> > like something that behaves like common sites, with read-only for
> anonymous
> > and some writing available for registered users. Hooks into OAuth2 or
> > whatever would be nice, sign in via Google or whatever...
> >
> > Has anyone used (bits of) Solid as a manager for these things?
> >
> > Yeah, I want it to be magic.
> >
> > Cheers,
> > Danny.
> >
> > * Although I found the XAMPP install very easy for setting up a Wordpress
> > blog, the Apache setup is not like the standard Ubuntu version. Very
> > confusing when I wanted to go beyond that, seemingly arbitrary config
> > files included in unfamiliar places.
> >
> > --
> > ----
> >
> > http://hyperdata.it <http://hyperdata.it/danja>
>


-- 
----

http://hyperdata.it <http://hyperdata.it/danja>
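Danny's plan above (a certificate on fuseki.hyperdata.it and Apache reverse-proxying to :3030), combined with the "open for read, restricted write" goal from his original post, as an added example vhost that is not from the thread or from the Jena project. Only the hostname and port come from the thread; certbot's default certificate paths, the dataset name "ds", the htpasswd location, the XAMPP path and the module list are assumptions.

```apache
# Added example, not from the thread or the Jena project. Assumed: certbot's
# default live/ paths, a dataset named "ds", an htpasswd file at
# /etc/apache2/fuseki.htpasswd (under XAMPP it would sit below /opt/lampp/etc/
# instead), and mod_ssl, mod_proxy, mod_proxy_http, mod_headers, mod_authn_file
# and mod_authz_user enabled. Start Fuseki with --localhost so :3030 answers
# only to this proxy and the admin credentials are no longer reachable directly.

<VirtualHost *:80>
    ServerName fuseki.hyperdata.it
    # Let's Encrypt HTTP-01 validation follows redirects, so a blanket
    # redirect to HTTPS does not break certbot renewals.
    Redirect permanent / https://fuseki.hyperdata.it/
</VirtualHost>

<VirtualHost *:443>
    ServerName fuseki.hyperdata.it

    SSLEngine on
    # fullchain.pem = leaf + intermediate. Serving cert.pem (leaf only) is what
    # produces the "incomplete cert chain" error in non-browser clients such as
    # Java; browsers often hide it by fetching the intermediate themselves.
    SSLCertificateFile    /etc/letsencrypt/live/fuseki.hyperdata.it/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/fuseki.hyperdata.it/privkey.pem

    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:3030/
    ProxyPassReverse / http://127.0.0.1:3030/
    RequestHeader set X-Forwarded-Proto "https"

    # Write endpoints need a password (only ever sent over TLS, thanks to the
    # redirect above). The bare dataset URL /ds dispatches SPARQL Update by
    # Content-Type, so it is covered too; anonymous readers use /ds/query,
    # /ds/sparql or /ds/get, which stay open. /ds/data is the read-write
    # Graph Store endpoint, so its GETs are locked as well.
    <LocationMatch "^/ds(/(update|data|upload))?$">
        AuthType Basic
        AuthName "Fuseki write access"
        AuthUserFile /etc/apache2/fuseki.htpasswd
        Require valid-user
    </LocationMatch>

    # Fuseki admin operations (the /$/ tree) are limited to one named user.
    <Location "/$/">
        AuthType Basic
        AuthName "Fuseki admin"
        AuthUserFile /etc/apache2/fuseki.htpasswd
        Require user admin
    </Location>
</VirtualHost>
```

Check the served chain from outside with `openssl s_client -connect fuseki.hyperdata.it:443 -servername fuseki.hyperdata.it`; the output should list the intermediate certificate and end with "Verify return code: 0 (ok)".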

Re: Fuseki security : ACL, https etc.

Posted by Martynas Jusevičius <ma...@atomgraph.com>.
Thanks Danny. atomgraph.com should be back up now.

BTW this is probably a better link in hindsight:
https://jena.apache.org/documentation/fuseki2/fuseki-data-access-control.html

It seems to overlap with the shiro functionality, but has more features.


Re: Fuseki security : ACL, https etc.

Posted by Martynas Jusevičius <ma...@atomgraph.com>.
Hi Danny,

As promised, pre-packaged Fuseki for AWS:
https://aws.amazon.com/marketplace/pp/prodview-vlw4v7stfhqsu
