On Mon, 27 Sept 2021 at 21:05, Martynas Jusevičius <marty...@atomgraph.com> wrote:
> Danny, > > Have you checked > https://jena.apache.org/documentation/fuseki2/fuseki-security.html Yes, thanks, but so far only really looked at wide open... > > > Re. the first part, your Fuseki runs on http:// but your links lead to > https://. If you fix the links to be http://, the data from Fuseki > will still not load because the browser will not load insecure content > for a secure page. > > So yes you need to put Fuseki on https:// and you need a certificate > for it. Right. Oddly there does seem to be a loophole (bug) somewhere with Chrome, my minimal bookmarking app was doing updates to the store without running into the insecure-inside-secure browser thing. I haven't been able to isolate why those scripts work and others don't - some fluke. > You can get them free using LetsEncrypt: > https://letsencrypt.org/ That is very useful information! Kind-of ironically, I'd set up hyperdata.it with a pay-for cert from the DNS co. I use, gandi.net. It looked ok as https in the browser. I was trying to get an old server-side Java app running, an RSS aggregator. Some obscure problems, so cut the list down to just my blog, allegedly https://hyperdata.it/blog. Got an error from Java complaining of an incomplete cert chain. Spent *ages* trying to figure out the right combo of cert files in Apache, no joy. So tried letsencrypt.org via certbot. Initial silliness thanks to XAMPP dir layout (needed sudo certbot --apache-ctl /opt/lampp/bin/apachectl), but then it Just Worked. So I've still a little fiddling to do, but solution seems in sight: I think I'll put a cert on fuseki.hyperdata.it, tweak DNS & have Apache do a rev proxy to :3030. > > > If you want to consider AWS, we are currently working on pre-packaged > Fuseki that takes one click to install, with HTTPS and all. > https://twitter.com/namedgraph/status/1442497225444126722 That will be a very pleasing thing! Many thanks. btw, atomgraph.com appears to be timing out. Cheers, Danny. > > Martynas > atomgraph.com > > On Mon, Sep 27, 2021 at 8:52 PM Danny Ayers <danny.ay...@gmail.com> wrote: > > > > Hiya, > > > > For the first time in ages I've got a host, want Fuseki as my main > backend > > but am struggling with aspects related to security. Some specific issues, > > but broader problems, seems likely other folks have dealt with them > > already. (I have no idea of current best practices, even less on security > > in general). Mostly not Fuseki-specific... > > > > I've got Fuseki running happily on the server - behind a reverse proxy on > > Apache, a XAMPP* install on Ubuntu. I would like to leave the endpoints > > open for read, restricted write. > > Right now may be totally visible at http://hyperdata.it:3030, creds: > admin > > sasha. > > > > The twistiest issue: > > I'm serving a page, https://hyperdata.it/newsmonitor/river.html which > > includes an Ajax query to a SPARQL endpoint on Fuseki. > > I have an SSL certificate on the server. Browser balks. Straight http > > called inside page served over https not liked. Something like 'mixed > > messages'. > > Do I really have to pay for another certificate to cover port 3030? > > Workaround? > > > > More general question is how to manage sitewide access control. Ideally > I'd > > like something that behaves like common sites, with read-only for > anonymous > > and some writing available for registered users. Hooks into OAuth2 or > > whatever would be nice, sign in via Google or whatever... > > > > Has anyone used (bits of) Solid as a manager for these things? > > > > Yeah, I want it to be magic. > > > > Cheers, > > Danny. > > > > * Although I found the XAMPP install very easy for setting up a Wordpress > > blog, the Apache setup is not like the standard Ubuntu version. Very > > confusing when I wanted to go beyond that, seemingly arbitrary config > > files included in unfamiliar places. > > > > > > > > > > > > > > > > > > > > > > > > -- > > ---- > > > > http://hyperdata.it <http://hyperdata.it/danja> > -- ---- http://hyperdata.it <http://hyperdata.it/danja>