github plotly/falcon v2.0.2
V2.0.2 - Automatic SSL

6 years ago

The Database Connector is now 100x easier to set up: it automatically issues SSL certificates for you.

Some background:

  • This application runs a webserver on localhost. The plotly chart creator makes requests to this local webserver directly from the web browser.
  • These requests happen entirely locally, it's just local web browser to local application, so no data is sent over the network. This makes queries wicked fast (no data is sent over the wire) and secure (you don't need to open up your database to any other IP ranges, just the ones on your local computer).
  • However, since the chart creator runs on HTTPS, the browser automatically rejects any requests that happen over HTTP. If it didn't, malicious websites could trick you into thinking that all your data is encrypted, when really some requests aren't. This is bad news for localhost web servers because they run on HTTP by default. And even though data isn't sent over the network when connecting to a localhost webserver (so HTTPS-level encryption is not needed), the requests still get blocked.
  • So previously, we required users to either override this setting in their web browser (an annoying process that you need to do every single time you want to connect) or create self-signed certs (an extremely annoying process to set up).
  • But what are we to do? We can't just ask users to buy an expensive SSL certificate for their desktop applications... And besides, these applications are just running on localhost! To create an SSL certificate you need to have a registered domain name and a public-facing website. We're just running this app on localhost, there is no domain name (it's just localhost!) and your desktop app is not open to the world-wide web (nor should it be!)
  • Let's Encrypt to the rescue! Let's Encrypt is a service offering free SSL certificates. What we've done is create a server which generates a unique subdomain and a unique Let's Encrypt SSL certificate for that subdomain. We then route that subdomain's DNS to localhost:9495. The original proposal of this architecture was discussed in the Let's Encrypt forums. We've open sourced this certificate-issuing server, too.
  • For example, when you start up your app, your app will make a request to this certificate and domain issuing server. After about six minutes, you'll have a unique subdomain and a unique certificate. Your application will spin up a server with those certificates and the plotly chart creator web application will be able to make requests to your server, no problem!
  • For example, this is what the application UI looks like when the certificate has been generated:
    [screenshot of the connector UI after the certificate has been generated]
    In this example, the domain https://plotly--ab29698f-1b35-420c-881d-6.plotly-connector.com has a unique certificate associated with it. And remember, this domain just routes to localhost:9495 on the global DNS network. It's still just loading content from your localhost server - data is not traveling over the network!
  • These certificates are saved locally on your machine in the ~/.plotly/connector folder. They expire every 90 days and the application should automatically generate a new one for you.
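As an added example (not part of falcon or this release), here is a Python script that checks the two properties the architecture above depends on: that the issued subdomain really resolves only to a loopback address, so no query data leaves the machine, and that the locally stored certificate is still inside its 90-day lifetime. Port 9495 and the example hostname come from the notes; the 30-day renewal margin and the injectable resolver are assumptions made for this example.

```python
import socket
import ssl
import time
import ipaddress

# Assumptions not stated in the release notes: the renewal margin is chosen
# for this example; the port is the one the notes say the subdomain routes to.
CONNECTOR_PORT = 9495
RENEW_BEFORE_DAYS = 30  # renew well inside the 90-day Let's Encrypt lifetime


def resolves_only_to_loopback(hostname, resolver=socket.getaddrinfo):
    """True only if every address the issued subdomain resolves to is loopback,
    i.e. the "data never leaves your machine" property actually holds.
    `resolver` is injectable so the check can run on constructed records."""
    try:
        records = resolver(hostname, CONNECTOR_PORT)
    except OSError:
        return False
    addresses = {ipaddress.ip_address(rec[4][0]) for rec in records}
    return bool(addresses) and all(addr.is_loopback for addr in addresses)


def days_remaining(not_after, now=None):
    """Days until the certificate's notAfter (in the format ssl.getpeercert()
    returns, e.g. 'Jun  1 12:00:00 2024 GMT'); negative once expired."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400


def assess(hostname, not_after, now=None, resolver=socket.getaddrinfo):
    """Combine both checks into one verdict for the local connector."""
    remaining = days_remaining(not_after, now)
    return {
        "loopback_only": resolves_only_to_loopback(hostname, resolver),
        "days_remaining": remaining,
        "expired": remaining <= 0,
        "renew": remaining < RENEW_BEFORE_DAYS,
    }


def fetch_connector_cert(hostname):
    """Fetch the running connector's certificate over TLS. Connecting to
    127.0.0.1 while verifying against `hostname` confirms the local process
    holds the key for the issued subdomain and that the chain is trusted."""
    ctx = ssl.create_default_context()
    with socket.create_connection(("127.0.0.1", CONNECTOR_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    host = "plotly--ab29698f-1b35-420c-881d-6.plotly-connector.com"  # from the notes
    cert = fetch_connector_cert(host)  # requires the connector to be running locally
    print(assess(host, cert["notAfter"]))
```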

There are a lot of moving parts here, so please create an issue if you run into any issues.

And finally, big thanks to the team at Let's Encrypt for building the infrastructure that makes this type of architecture possible. 🍻
