Enable End-to-End TLS (HTTPS to Container) in Temporal Web

I’ll preface my comment by saying I’ve read this post, which includes my exact error. However, I suspect that my error is that I am misunderstanding the purpose of these ENV vars:

My initial thought was that these env vars are what the nodejs web app would use to support HTTPS usage in the browser. However, after some investigation, it appears that these env vars are for mutual authentication to the frontend services (i.e. client certs for access to the frontend service). The certificates I’m providing in these env vars are not being added to the frontend services as valid client certs, as they are used to enable HTTPS for the temporal web ingress. I think this is the reason for the ssl errors I’m seeing in the temporal web app logs.

I have a requirement to support end-to-end TLS encryption for EKS-based applications (SSL to the container) but after looking at the temporal web source, I’m wondering if it’s even possible. It looks like the temporal web is based on Koa and based on the koa docs regarding enabling HTTPS, I’m thinking that the current temporal web code does not currently support running the koa app as an https server, and thus does not support end-to-end encryption.

Can someone confirm my finding?

Yes, you are correct in your understanding.

The current web doesn’t support HTTPS out of the box. The TLS certs are used to establish a connection to a secured Temporal service.

As an option, you can use nginx, envoy, etc. to enable HTTPS.

In the next generation of UI we will be adding HTTPS out of the box. Repos:

I like that the new UI is go-based. Any idea when it’ll be officially released?

Using the Koa docs, I was able to get HTTPS working locally using a slightly customized version of server.js.

const app = require('./server/index'),
  port = Number(process.env.TEMPORAL_WEB_PORT) || 8088,
  production = process.env.NODE_ENV === 'production',
  sslEnabled = process.env.TEMPORAL_WEB_USE_HTTPS || false;

if (sslEnabled) {
  const https = require('https');
  const fs = require('fs');
  const options = {
    key: fs.readFileSync(process.env.TEMPORAL_WEB_TLS_KEY_PATH),
    cert: fs.readFileSync(process.env.TEMPORAL_WEB_TLS_CERT_PATH),
  };

  https.createServer(options, app.init().callback()).listen(port);
} else {
  app.init().listen(port);
}

console.log('temporal-web up and listening on port ' + port);

if (!production) {
  console.log('webpack is compiling...');
}

I added 3 new ENV vars to control SSL for temporal web’s UI.

  • TEMPORAL_WEB_USE_HTTPS - boolean flag to control whether https is enabled or not
  • TEMPORAL_WEB_TLS_KEY_PATH - path to temporal web’s cert private key
  • TEMPORAL_WEB_TLS_CERT_PATH - path to temporal web’s cert

Now if I could only get the docker build working so I can publish this version of temporal web to my container registry.


If you are having issues with the Docker build, lmk, happy to help.


@Ruslan, I was able to get the docker build working. I am behind a corporate proxy, which caused issues when I tried to run the make command, so I manually downloaded the proto files, which seemed to work. Then I had issues running the npm install and run commands inside a docker container, again due to the proxy. Outside the docker container, I was able to run the commands just fine, as I’ve already accounted for the proxy in my local npm cli. So I ran these commands locally from the root of the repo:

npm install --production
npm run build-production

Then I deleted the grpc module as it had a platform-specific binary. Then to get the node_modules copied into the docker image, I first had to comment out the node_modules line in the .dockerignore file.

#node_modules
npm-debug.log

Then I added a few lines to the Dockerfile to make sure the cache was clean and to copy the node_modules directory into the image before running any npm commands.

# Install app dependencies
COPY package*.json ./
RUN npm cache clean --force
COPY ./node_modules ./node_modules
RUN npm install --production

I was able to build and run the docker image locally after these changes. I am pushing it to ECR now and will test it.

So, a slight modification to the server.js file was required after some testing.

const app = require('./server/index'),
  port = Number(process.env.TEMPORAL_WEB_PORT) || 8088,
  production = process.env.NODE_ENV === 'production',
  // env values are always strings, so the check below compares against "true"
  // instead of relying on truthiness (a value of "false" would otherwise enable SSL)
  sslEnabled = process.env.TEMPORAL_WEB_USE_HTTPS || false;

if (sslEnabled === "true") {
  const https = require('https');
  const fs = require('fs');

  console.log('temporal-web ssl enabled');
  https
    .createServer(
      {
        key: fs.readFileSync(process.env.TEMPORAL_WEB_TLS_KEY_PATH, 'utf-8'),
        cert: fs.readFileSync(process.env.TEMPORAL_WEB_TLS_CERT_PATH, 'utf-8'),
      },
      app.init().callback()
    )
    .listen(port);
} else {
  console.log('temporal-web ssl not enabled');
  app.init().listen(port);
}

console.log('temporal-web up and listening on port ' + port);

if (!production) {
  console.log('webpack is compiling...');
}

No promises for the release timeline. I can say the new UI is one of the top priorities.

Would it be possible to incorporate my changes into the current node-based web code in the short term?

Yes, the changes look good; feel free to send a PR.


Do I need to open an issue for this PR?

It’s good without opening one.

PR Submitted
