Genvid Forum

Does the websocket server support SSL?


#1

The answer is both yes and no. Our leafd process is able to use an SSL certificate and the wss protocol, but we currently lack proper support for managing the certificates of the servers. You can still achieve this by following these instructions:

Basically, leafd only needs two environment variables set to enable SSL:

  • GENVID_LEAF_CERT_FILE, which points to an encrypted certificate file
  • GENVID_LEAF_KEY_FILE, which points to the private key file for the certificate

Generating the certificate and private key depends on your deployment process, but both terraform and vault have a way of doing it. We can get on a call to figure out a method that best fits your needs.

Exposing the certificate to the leaf is one place where we don’t currently have a good solution available (at least not without a lot of customization). One way of doing this is to use our secrets API by modifying the config/game.hcl configuration:

secrets {
  leaf {
    # Heredocs: the terminator is the bare word, and the file contents
    # are pulled in at render time by the {{file ...}} template function.
    GENVID_LEAF_CERT = <<CERT
{{file "leaf.cert"}}
CERT
    GENVID_PRIVATE_KEY_PEM = <<KEY
{{file "leaf.key"}}
KEY
  }
}

This will add the file content to the vault server of the cluster.
You can then modify the services job by adding some template and env stanzas to the leaf task in the SDK cloud-services/templates/cloud/services.nomad.tmpl file, like this:

job "services" {
  …
  group "leaf" {
    …
    task "leaf" {
      …
      # This part needs to be added.
      # {{with secret `secret/leaf` }}
      template {
        data        = "{{ .Data.GENVID_LEAF_CERT }}"
        destination = "local/leaf.crt"
      }
      template {
        data        = "{{ .Data.GENVID_PRIVATE_KEY_PEM }}"
        destination = "local/leaf.key"
      }
      # {{end}}

      # Point leafd at the files rendered by the two templates above.
      env {
        GENVID_LEAF_KEY_FILE  = "local/leaf.key"
        GENVID_LEAF_CERT_FILE = "local/leaf.crt"
      }
      …
    }
    …
  }
}

Note that you don’t need to modify the file in the SDK directly; you can simply create a local copy and add it as your own job. If the job has the same name (services in this case), it will override the one coming from the SDK.

This method is not totally secure and supposes the server is able to protect access to those certificates. We are currently working on a more permanent solution to handle this, with real certificate management.
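A preflight check for the two files the env stanza above hands to leafd, as an added example that is not Genvid's code: it confirms each rendered file holds PEM data, that the cert secret did not also carry the private key, that the key file is not group/other readable (the post notes the method relies on the server protecting those files), and that the pair loads as a matching cert/key chain. The empty/placeholder detection assumes what a failed secret render looks like; the page does not document that.

```python
import os
import ssl
import stat

CERT_MARK = "-----BEGIN CERTIFICATE-----"
KEY_MARKS = ("-----BEGIN PRIVATE KEY-----", "-----BEGIN RSA PRIVATE KEY-----",
             "-----BEGIN EC PRIVATE KEY-----")


def check_leaf_tls_files(cert_file: str, key_file: str) -> list:
    """Return a list of findings; an empty list means the pair looks usable."""
    findings = []
    for label, path in (("cert", cert_file), ("key", key_file)):
        if not os.path.isfile(path):
            findings.append(f"{label}: {path} does not exist")
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            body = fh.read().strip()
        # Assumption: a failed secret render leaves the file empty or with a
        # placeholder such as "<no value>" or the raw "{{ ... }}" text.
        if not body or body.startswith(("<", "{{")):
            findings.append(f"{label}: {path} holds no PEM data: {body[:24]!r}")
        elif label == "cert":
            if CERT_MARK not in body:
                findings.append("cert: no CERTIFICATE block found")
            if any(m in body for m in KEY_MARKS):
                # The cert secret must not carry the private key as well.
                findings.append("cert: file also contains a PRIVATE KEY block")
        else:
            if not any(m in body for m in KEY_MARKS):
                findings.append("key: no PRIVATE KEY block found")
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append(f"key: mode {mode:04o} is readable by group/other")
    if findings:
        return findings
    # Loading the pair as a server chain also proves the private key matches
    # the certificate's public key; any PEM or mismatch error surfaces here.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(cert_file, key_file)
    except (ssl.SSLError, OSError) as exc:
        findings.append(f"pair: cert/key chain failed to load: {exc}")
    return findings
```

Run it before starting the task with the same values leafd reads, for example `check_leaf_tls_files(os.environ["GENVID_LEAF_CERT_FILE"], os.environ["GENVID_LEAF_KEY_FILE"])`, and treat any returned finding as a reason not to start.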
