FHIR Chat · SSL · clinFHIR

Stream: clinFHIR

Topic: SSL


David Hay (Jul 15 2021 at 19:11):

Have just converted clinFHIR to use SSL (long overdue :) ). You shouldn't notice any changes as HTTP calls will be re-directed, but reach out here if you do have any issues...

David Hay (Jul 15 2021 at 23:24):

Alas - I had to roll this back (for now). Because it is an SPA it calls FHIR servers from the web page - and many of them are insecure, so lots of stuff broke.

Not sure the best approach - I could allow both http & https (but an ordinary user wouldn't know which to choose). The other approach could be to proxy calls through the node server - but that could be a fair bit to update.

If anyone knows how to safely allow a page served over ssl to access an http site I would be very interested!

Brian Postlethwaite (Jul 18 2021 at 03:26):

That would need a proxy for sure. CORS prevents that in the browsers.

David Hay (Jul 18 2021 at 06:52):

Yeah - that was my thought. It's not a difficult thing to do - just need to go through all the places where I'm calling external servers and proxy the call through the CF server...

Josh Mandel (Jul 18 2021 at 22:54):

Seriously though all FHIR servers ought to support tls. Which are the servers you need to integrate with that don't?

David Hay (Jul 20 2021 at 00:57):

The hapi test server was the main one (and, I must admit my own instances of hapi are not yet ssl compliant)...

Looking at the servers for the last connectathon 10/57 were http...

Josh Mandel (Jul 20 2021 at 01:21):

You have 57 servers being used with clinfhir? Or you're just saying these are connectathon servers across all tracks? I'd suggest moving to TLS and encouraging folks to use TLS-protected servers. You can also host a copy at "http" to account for the use case where people really want that (but it's good to have some kind of explicit opt-in, so they don't get there by accident / by default).

David Hay (Jul 20 2021 at 01:59):

That was the number of servers registered with conMan for the May connectathon - 57 in total, 10 were not SSL....

I did think of the explicit HTTP - but it requires the user to know in advance whether the server they wish is using SSL - which is not really a go-er I think. I will go down the proxy route I think - just need to find the time to do it!

Josh Mandel (Jul 20 2021 at 02:03):

Wait, why is explicit http a no-go? You can always suggest it and send people to the non TLS endpoint the first time they try to configure a connection to a non TLS server. (I mean, proxying stuff is okay too, but it's a whole different ball of wax and there's something nice about developers being able to see the direct interactions in their network tab.)

David Hay (Jul 20 2021 at 02:20):

It just requires users (many of whom are not technical) to choose which 'version' of CF to use. Doesn't sound user friendly to me...

The advantage of the proxy (I'll just route it through the CF server) is that it will work with any FHIR server - and users will still be able to look at the requests in the network tab.

Lesser of 2 evils really...

Josh Mandel (Jul 20 2021 at 02:29):

Fair enough ;-)


Last updated: Apr 12 2022 at 19:14 UTC