Skip to content

Support HTTPS/WSS for the deployed stack (nginx TLS termination) #64

Description

@johardi

Background

The deployed stack currently serves everything on plain HTTP via nginx on port 80. Until recently, docker-compose.yml configured the frontend to open a TLS WebSocket:

webprotege.websocketUrl: wss://${SERVER_HOST}/wsapps

but no TLS listener exists (nginx is bound only to 80/tcp, no certificate is configured, and the image doesn't listen on 443). The browser's wss:// handshake failed silently, so no events reached the frontend — stale hierarchy trees after create-subclass / create-property, etc.

As a short-term fix, webprotege.websocketUrl has been changed to ws://${SERVER_HOST}/wsapps, matching the rest of the stack which is all http://. Events flow again.

Why follow-up matters

Plain ws:// / http:// is fine for local Docker Compose development, but not for any shared or production-style deployment:

  • Keycloak is already configured with KC_PROXY: edge, meaning it expects TLS to be terminated at the edge proxy (nginx). Serving it behind http:// is a misalignment waiting to bite.
  • Any real browser context (non-localhost) will treat ws:// + sensitive tokens as insecure; some environments will actively block it.
  • Mixed-content warnings / cookie Secure flag behavior differ between HTTP and HTTPS, and we don't want to discover those differences in production.

Scope

  • webprotege-deploy/nginx/nginx.conf: add a server { listen 443 ssl; ... } block mirroring the current :80 server; reference ssl_certificate + ssl_certificate_key from a mountable path; optionally add a 301 redirect from :80 to :443.
  • webprotege-deploy/docker-compose.yml:
    • nginx service — expose 443:443, mount cert files read-only into /etc/nginx/certs/.
    • Flip the http:// URLs in the webprotege-gwt-ui-server, webprotege-gwt-api-gateway, webprotege-authorization-service, and webprotege-user-management-service envs to https:// where they reference ${SERVER_HOST} (Keycloak issuer URIs, logout URLs, file upload URL, allowed origin).
    • Flip webprotege.websocketUrl back to wss://${SERVER_HOST}/wsapps.
  • README.md: mkcert-based instructions for generating a locally-trusted cert for ${SERVER_HOST} so developers don't see browser warnings.

Acceptance criteria

  • docker compose up brings the stack up on https://${SERVER_HOST} with a valid (local-dev) cert.
  • Browser DevTools → Network → WS shows 101 Switching Protocols on wss://${SERVER_HOST}/wsapps.
  • Creating a subclass updates the class-hierarchy tree immediately (no manual refresh).
  • Creating a new object/data/annotation property updates the property-hierarchy tree immediately.
  • No mixed-content warnings in the browser console.
  • Keycloak login + logout round-trip works end-to-end.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions