From 7ad23326aca0937e444df4b43aedeeae47e8f635 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lorenz=20H=C3=BCbschle-Schneider?= Date: Tue, 1 Nov 2016 10:02:19 +0100 Subject: [PATCH 1/4] Improve docs --- index.html | 56 +++++++++++++++++++++++++----------------------------- 1 file changed, 26 insertions(+), 30 deletions(-) diff --git a/index.html b/index.html index a249c6b..e59a045 100644 --- a/index.html +++ b/index.html @@ -131,16 +131,10 @@
-

Configuring the relay

-
To start using glowing bear, please enable the relay plugin in your WeeChat client: -
-/set relay.network.password yourpassword
-/relay add weechat {{ settings.port || 9001 }}
-
- WeeChat version 0.4.2 or higher is required.
- The communication goes directly between your browser and your WeeChat relay in plain text. Check the instructions below for help on setting up encrypted communication. - Connection settings, including your password, are saved locally in your own browser between sessions. -
+

Setup

+

WeeChat version 0.4.2 or higher is required—we recommend at least 1.0.

+

To start using Glowing Bear, follow the instructions below to set up an encrypted relay.

+ The communication goes directly between your browser and your WeeChat relay and is fully encrypted. We never see any of your data or your password, and you don't need to trust a "cloud". All settings, including your password, are saved locally in your own browser between sessions.

Shortcuts

Glowing Bear has a few shortcuts:
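Review bot: The added sentence "The communication goes directly between your browser and your WeeChat relay and is fully encrypted" is stated unconditionally, while the text it replaces said the same traffic was "in plain text" unless the user set up encryption. Nothing in this hunk makes TLS mandatory, so the claim only holds once the relay has been added as `ssl.weechat` per the instructions further down. Suggest making it conditional, for example "and is encrypted with TLS once you have set up the relay as described below".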
    @@ -166,8 +160,6 @@

    Helpful trigger to automatically repin a buffer (in this instance, irc.freenode.#weechat):

    /trigger add autopin signal "buffer_opened" "${buffer[${tg_signal_data}].full_name} =~ irc.freenode.#weechat" "" "/command -buffer ${buffer[${tg_signal_data}].full_name} * /buffer set localvar_set_pinned true"

    - -
@@ -175,26 +167,26 @@

- Encryption instructions + Getting Started

-

If you check the encryption box, the communication between browser and WeeChat will be encrypted with TLS.

-

Note: If you are using a self-signed certificate, you have to visit https://{{ settings.host || 'weechathost' }}:{{ settings.port || 'relayport' }}/weechat in your browser first to add a security exception. You can close that tab once you confirmed the certificate, no content will appear. The necessity of this process is a bug in Firefox and other browsers.

-

Setup: If you want to use an encrypted session you first have to set up the relay to use TLS. You basically have two options: a self-signed certificate is easier to set up, but requires manual security exceptions. Using a certificate that is trusted by your browser requires more setup, but offers greater convenience later on and does not require security exceptions. You can find a guide to set up WeeChat with a free trusted certificate from StartSSL here. Should you wish to use a self-signed certificate instead, execute the following commands in a shell on the same host and as the user running WeeChat:

+

By default, all communication between your browser and WeeChat will be encrypted with TLS. This means that you have to set up a certificate. While it's possible to use a self-signed cert, we recommend against it, because it's handled poorly in browsers, and may not work at all on mobile devices. If you don't already have a certificate for your domain (or you don't have a domain), we strongly encourage you to get a certificate from Let's Encrypt—it's free and easy. We'll walk you through it.

+

If you don't have a domain you can get a free subdomain from providers such as afraid. You'll want to set up an 'A' record to your server's IP address, and quite possibly an AAAA record to its IPv6 address. These might take a few hours to propagate, if the steps below don't work right away, try again in a few hours.

+

Getting a certificate is easy. You'll need certbot—just follow the encryptions at https://certbot.eff.org. If you're not serving webpages on the same server or are unsure, select "none of the above" (if you are, you can probably use that webserver to proxy your relay, and skip this—check out the instructions in our Wiki). Next, get the certificate with certbot certonly --standalone -d {{ settings.host || your.domain.com }} and follow the instructions.

+

Nearly done! Now you just need to copy the files into place. To do that, use the following commands, replacing the username placeholder with your actual username:

+
mkdir -p ~username/.weechat/ssl
+cat /etc/letsencrypt/live/{{ settings.host || your.domain.com }}/{fullchain,privkey}.pem > ~username/.weechat/ssl/relay.pem
+chown -R username:username ~username/.weechat/ssl/
+

Once you've got the certificate and moved it in place, you can set up an encrypted relay on port {{ settings.port || 9001 }} with these WeeChat commands:

-$ mkdir -p ~/.weechat/ssl
-$ cd ~/.weechat/ssl
-$ openssl req -nodes -newkey rsa:4096 -keyout relay.pem -x509 -days 365 -out relay.pem -sha256 -subj "/CN={{settings.host || 'your weechat host'}}/"
-
-

If WeeChat is already running, you can reload the certificate and private key and set up an encrypted relay on port {{ settings.port || 9001 }} with these WeeChat commands:

-
-/set relay.network.password yourpassword
+/set relay.network.password y0ur_StRonG-pa$sw0rd:of*choice
 /relay sslcertkey
 /relay add ssl.weechat {{ settings.port || 9001 }}
 
+

Your certificate needs to be renewed every couple of months. Either follow the instructions for automatic renewal at https://certbot.eff.org, or run certbot renew manually when renewal is due. Important: You'll need to follow the instructions for copying the certificate to the right place again, and re-run /relay sslcertkey in WeeChat.
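Review bot: The copy step `cat .../{fullchain,privkey}.pem > ~username/.weechat/ssl/relay.pem` writes the private key into a new file with whatever permissions the caller's umask allows, and neither `mkdir -p` nor `chown -R` tightens them, so relay.pem can end up readable by other local users. Suggest adding `chmod 700 ~username/.weechat/ssl` and `chmod 600 ~username/.weechat/ssl/relay.pem` (or a `umask 077` before the `cat`), and stating that these commands are meant to be run as root, which the use of `~username` and `chown` implies but the text never says. Two smaller points in the same hunk: the placeholder `{{ settings.host || your.domain.com }}` is unquoted, unlike the removed `{{settings.host || 'your weechat host'}}`, so it is parsed as a scope lookup rather than shown as literal text when no host is set; and "just follow the encryptions at https://certbot.eff.org" should read "instructions".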

@@ -208,14 +200,18 @@ $ openssl req -nodes -newkey rsa:4096 -keyout relay.pem -x509 -days 365 -out rel
-

You don't need to install anything to use this app, it should work with any modern browser. Start using it right now! However, there are a few ways to improve integration with your operating system.

+

You don't need to install anything to use Glowing Bear, it works with any modern browser. Start using it right now at the top of the page! However, there are a few ways to improve integration with your operating system.

Mobile Applications

-

If you're running Android 4.4 or later, you can install our app from the Google Play Store! We also provide an optimized application for Firefox OS devices. If you're using the Firefox browser, keep on reading below -- the Firefox OS app won't work for you

-

Android app on Google Play Firefox OS app in the Firefox Marketplace

+

If you're running Android 4.4 or later, you can install our app from the Google Play Store! We can't distribute on iOS unfortunately, but if you're a developer, you can follow the sideloading instructions.

+

Android app on Google Play

+

Electron

+

Glowing Bear supports the electron shell. You'll have to build it yourself, though. Run the following commands, choosing your platform from the list in the last command:

git clone https://github.com/glowing-bear/glowing-bear
+cd glowing-bear
+npm install
+npm install electron-packager
+npm run build-electron-{windows, darwin, linux}

Firefox Browser

-

If you have a recent version of Firefox you can install Glowing Bear as a Firefox app. Click the button to install.

-

-

Note for self-signed certificates: Firefox does not share a certificate storage with Firefox apps, so accepting self-signed certificates is a bit tricky.

+

Firefox used to support apps, but this was removed from Firefox. There's nothing we can do about it. Sorry!

Chrome

To install Glowing Bear as an app in Chrome for Android, select Menu - Add to home screen. In the desktop version of Chrome, click Menu - More tools - Create application shortcuts.
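Review bot: In the Electron section, the last command `npm run build-electron-{windows, darwin, linux}` cannot be pasted as written: with spaces inside the braces a shell does not expand it, and the intended reading (pick one platform) is only in the sentence above the block. Suggest showing one concrete invocation, for example the linux variant, and listing the other two suffixes in prose.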

@@ -232,7 +228,7 @@ $ openssl req -nodes -newkey rsa:4096 -keyout relay.pem -x509 -days 365 -out rel

Glowing bear is built by a small group of developers in their free time. As we're always trying to improve it, we would love getting your feedback and help. If that sounds like something you might enjoy, check out our project page on GitHub!

-

If you're interested in contributing or simply want to say hello, head over to #glowing-bear on freenode! We won't bite, promise (-ish).

+

If you're interested in contributing or simply want to say hello, head over to #glowing-bear on freenode! We won't bite, promise :)

From 01ee7a0fcb520d8c71767579267e0540c05618bf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lorenz=20H=C3=BCbschle-Schneider?= Date: Tue, 1 Nov 2016 10:31:17 +0100 Subject: [PATCH 2/4] More docs improvements --- index.html | 66 +++++++++++++++++++++++++++--------------------------- 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/index.html b/index.html index e59a045..5646f98 100644 --- a/index.html +++ b/index.html @@ -58,6 +58,7 @@ Glowing Bear WeeChat web frontend +
You're using Glowing Bear over an unencrypted connection (http://). This is not recommended! We recommend using our secure hosted version at https://www.glowing-bear.org/, or https://latest.glowing-bear.org for the latest development version. If your relay is on your local network, that is unfortunately impossible, but be aware of the implications.
Connection error The client was unable to connect to the WeeChat relay
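Review bot: The new warning ends with "be aware of the implications" without saying what they are. Suggest naming them in the banner, for example that the page itself is delivered without TLS and that an unencrypted relay carries the password and messages in plain text, which is the wording the text removed in patch 1 used.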
@@ -112,7 +113,7 @@
@@ -125,17 +126,43 @@
-

Setup

WeeChat version 0.4.2 or higher is required—we recommend at least 1.0.

-

To start using Glowing Bear, follow the instructions below to set up an encrypted relay.

- The communication goes directly between your browser and your WeeChat relay and is fully encrypted. We never see any of your data or your password, and you don't need to trust a "cloud". All settings, including your password, are saved locally in your own browser between sessions.

-

Shortcuts

+

To start using Glowing Bear, follow the instructions below to set up an encrypted relay. All communication goes directly between your browser and your WeeChat relay! This means that your server must be accessible. We never see any of your data or your password, and you don't need to trust a "cloud". All settings, including your password, are saved locally in your own browser between sessions.

+
You're using Glowing Bear over an unencrypted connection (http://). This is not recommended! We recommend using our secure hosted version at https://www.glowing-bear.org/, or https://latest.glowing-bear.org for the latest and greatest development version. You can still follow the instructions below to set up an encrypted relay, though.
+

When using encryption, all communication between your browser and WeeChat will be securely encrypted with TLS. This means that you have to set up a certificate. While it's possible to use a self-signed cert, we recommend against it, because it's handled poorly in browsers, and may not work at all on mobile devices. If you don't already have a certificate for your domain (or you don't have a domain), we strongly encourage you to get a certificate from Let's Encrypt—it's free and easy. We'll walk you through it.

+

If you don't have a domain you can get a free subdomain from providers such as afraid. You'll want to set up an 'A' record to your server's IP address, and quite possibly an AAAA record to its IPv6 address. These might take a few hours to propagate, if the steps below don't work right away, try again in a few hours.

+

Getting a certificate is easy. You'll need certbot—just follow the encryptions at https://certbot.eff.org. If you're not serving webpages on the same server or are unsure, select "none of the above" (if you are, you can probably use that webserver to proxy your relay, and skip this—check out the instructions in our Wiki). Next, get the certificate with certbot certonly --standalone -d {{ settings.host || your.domain.com }} and follow the instructions.

+

Nearly done! Now you just need to copy the files into place. To do that, use the following commands, replacing the username placeholder with your actual username:

+
mkdir -p ~username/.weechat/ssl
+cat /etc/letsencrypt/live/{{ settings.host || your.domain.com }}/{fullchain,privkey}.pem > ~username/.weechat/ssl/relay.pem
+chown -R username:username ~username/.weechat/ssl/
+

Once you've got the certificate and moved it in place, you can set up an encrypted relay on port {{ settings.port || 9001 }} with these WeeChat commands:

+
+/set relay.network.password y0ur_StRonG-pa$sw0rd:of*choice
+/relay sslcertkey
+/relay add ssl.weechat {{ settings.port || 9001 }}
+
+

Your certificate needs to be renewed every couple of months. Either follow the instructions for automatic renewal at https://certbot.eff.org, or run certbot renew manually when renewal is due. Important: You'll need to follow the instructions for copying the certificate to the right place again, and re-run /relay sslcertkey in WeeChat.

+
+
+ +
+ +
+
+

Shortcuts

Glowing Bear has a few shortcuts:
  • ALT-n: Toggle nicklist
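Review bot: The http:// warning inside the setup section repeats the banner added at the top of the page almost word for word, and the two copies already differ in their last sentence and in "latest" versus "latest and greatest"; keeping one source for the shared text would stop them drifting further. In the rewritten intro paragraph, "This means that your server must be accessible" does not say from where: suggest something like "the relay port must be reachable from the device running your browser", since that is what the user has to open. The moved setup text also still carries "follow the encryptions" and the unquoted `your.domain.com` placeholder.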
  • @@ -163,33 +190,6 @@
-
- -
-
-

By default, all communication between your browser and WeeChat will be encrypted with TLS. This means that you have to set up a certificate. While it's possible to use a self-signed cert, we recommend against it, because it's handled poorly in browsers, and may not work at all on mobile devices. If you don't already have a certificate for your domain (or you don't have a domain), we strongly encourage you to get a certificate from Let's Encrypt—it's free and easy. We'll walk you through it.

-

If you don't have a domain you can get a free subdomain from providers such as afraid. You'll want to set up an 'A' record to your server's IP address, and quite possibly an AAAA record to its IPv6 address. These might take a few hours to propagate, if the steps below don't work right away, try again in a few hours.

-

Getting a certificate is easy. You'll need certbot—just follow the encryptions at https://certbot.eff.org. If you're not serving webpages on the same server or are unsure, select "none of the above" (if you are, you can probably use that webserver to proxy your relay, and skip this—check out the instructions in our Wiki). Next, get the certificate with certbot certonly --standalone -d {{ settings.host || your.domain.com }} and follow the instructions.

-

Nearly done! Now you just need to copy the files into place. To do that, use the following commands, replacing the username placeholder with your actual username:

-
mkdir -p ~username/.weechat/ssl
-cat /etc/letsencrypt/live/{{ settings.host || your.domain.com }}/{fullchain,privkey}.pem > ~username/.weechat/ssl/relay.pem
-chown -R username:username ~username/.weechat/ssl/
-

Once you've got the certificate and moved it in place, you can set up an encrypted relay on port {{ settings.port || 9001 }} with these WeeChat commands:

-
-/set relay.network.password y0ur_StRonG-pa$sw0rd:of*choice
-/relay sslcertkey
-/relay add ssl.weechat {{ settings.port || 9001 }}
-
-

Your certificate needs to be renewed every couple of months. Either follow the instructions for automatic renewal at https://certbot.eff.org, or run certbot renew manually when renewal is due. Important: You'll need to follow the instructions for copying the certificate to the right place again, and re-run /relay sslcertkey in WeeChat.

-
-
-

From 15e41999696d3b587fa0c018eecfa42ee5a8f574 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lorenz=20H=C3=BCbschle-Schneider?= Date: Thu, 10 Nov 2016 09:16:17 +0100 Subject: [PATCH 3/4] Try ng-show, maybe that works? --- index.html | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/index.html b/index.html index 5646f98..cee8f53 100644 --- a/index.html +++ b/index.html @@ -58,7 +58,7 @@ Glowing Bear WeeChat web frontend

-
You're using Glowing Bear over an unencrypted connection (http://). This is not recommended! We recommend using our secure hosted version at https://www.glowing-bear.org/, or https://latest.glowing-bear.org for the latest development version. If your relay is on your local network, that is unfortunately impossible, but be aware of the implications.
+
You're using Glowing Bear over an unencrypted connection (http://). This is not recommended! We recommend using our secure hosted version at https://www.glowing-bear.org/, or https://latest.glowing-bear.org for the latest development version. If your relay is on your local network, that is unfortunately impossible, but be aware of the implications.
Connection error The client was unable to connect to the WeeChat relay
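Review bot: The subject "Try ng-show, maybe that works?" records an experiment rather than a result, and both changed warning lines show identical text on the removed and added side, so nothing here tells a later reader which condition controls the banner or what was wrong with the previous directive. Suggest rewording the message once the behaviour is confirmed and naming the expression the warning is bound to.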
@@ -134,7 +134,7 @@

WeeChat version 0.4.2 or higher is required—we recommend at least 1.0.

To start using Glowing Bear, follow the instructions below to set up an encrypted relay. All communication goes directly between your browser and your WeeChat relay! This means that your server must be accessible. We never see any of your data or your password, and you don't need to trust a "cloud". All settings, including your password, are saved locally in your own browser between sessions.

-
You're using Glowing Bear over an unencrypted connection (http://). This is not recommended! We recommend using our secure hosted version at https://www.glowing-bear.org/, or https://latest.glowing-bear.org for the latest and greatest development version. You can still follow the instructions below to set up an encrypted relay, though.
+
You're using Glowing Bear over an unencrypted connection (http://). This is not recommended! We recommend using our secure hosted version at https://www.glowing-bear.org/, or https://latest.glowing-bear.org for the latest and greatest development version. You can still follow the instructions below to set up an encrypted relay, though.

When using encryption, all communication between your browser and WeeChat will be securely encrypted with TLS. This means that you have to set up a certificate. While it's possible to use a self-signed cert, we recommend against it, because it's handled poorly in browsers, and may not work at all on mobile devices. If you don't already have a certificate for your domain (or you don't have a domain), we strongly encourage you to get a certificate from Let's Encrypt—it's free and easy. We'll walk you through it.

If you don't have a domain you can get a free subdomain from providers such as afraid. You'll want to set up an 'A' record to your server's IP address, and quite possibly an AAAA record to its IPv6 address. These might take a few hours to propagate, if the steps below don't work right away, try again in a few hours.

Getting a certificate is easy. You'll need certbot—just follow the encryptions at https://certbot.eff.org. If you're not serving webpages on the same server or are unsure, select "none of the above" (if you are, you can probably use that webserver to proxy your relay, and skip this—check out the instructions in our Wiki). Next, get the certificate with certbot certonly --standalone -d {{ settings.host || your.domain.com }} and follow the instructions.

From aeef7c4668c17647e6393771ba0c3a4161e1669b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lorenz=20H=C3=BCbschle-Schneider?= Date: Fri, 11 Nov 2016 13:09:55 +0100 Subject: [PATCH 4/4] Improve TLS warning detection --- index.html | 4 ++-- js/glowingbear.js | 6 ++++++ 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/index.html b/index.html index cee8f53..20a0eb0 100644 --- a/index.html +++ b/index.html @@ -58,7 +58,7 @@ Glowing Bear WeeChat web frontend -
You're using Glowing Bear over an unencrypted connection (http://). This is not recommended! We recommend using our secure hosted version at https://www.glowing-bear.org/, or https://latest.glowing-bear.org for the latest development version. If your relay is on your local network, that is unfortunately impossible, but be aware of the implications.
+
You're using Glowing Bear over an unencrypted connection (http://). This is not recommended! We recommend using our secure hosted version at https://www.glowing-bear.org/, or https://latest.glowing-bear.org for the latest development version. If your relay is on your local network, that is unfortunately impossible, but be aware of the implications.
Connection error The client was unable to connect to the WeeChat relay
@@ -134,7 +134,7 @@

WeeChat version 0.4.2 or higher is required—we recommend at least 1.0.

To start using Glowing Bear, follow the instructions below to set up an encrypted relay. All communication goes directly between your browser and your WeeChat relay! This means that your server must be accessible. We never see any of your data or your password, and you don't need to trust a "cloud". All settings, including your password, are saved locally in your own browser between sessions.

-
You're using Glowing Bear over an unencrypted connection (http://). This is not recommended! We recommend using our secure hosted version at https://www.glowing-bear.org/, or https://latest.glowing-bear.org for the latest and greatest development version. You can still follow the instructions below to set up an encrypted relay, though.
+
You're using Glowing Bear over an unencrypted connection (http://). This is not recommended! We recommend using our secure hosted version at https://www.glowing-bear.org/, or https://latest.glowing-bear.org for the latest and greatest development version. You can still follow the instructions below to set up an encrypted relay, though.

When using encryption, all communication between your browser and WeeChat will be securely encrypted with TLS. This means that you have to set up a certificate. While it's possible to use a self-signed cert, we recommend against it, because it's handled poorly in browsers, and may not work at all on mobile devices. If you don't already have a certificate for your domain (or you don't have a domain), we strongly encourage you to get a certificate from Let's Encrypt—it's free and easy. We'll walk you through it.

If you don't have a domain you can get a free subdomain from providers such as afraid. You'll want to set up an 'A' record to your server's IP address, and quite possibly an AAAA record to its IPv6 address. These might take a few hours to propagate, if the steps below don't work right away, try again in a few hours.

Getting a certificate is easy. You'll need certbot—just follow the encryptions at https://certbot.eff.org. If you're not serving webpages on the same server or are unsure, select "none of the above" (if you are, you can probably use that webserver to proxy your relay, and skip this—check out the instructions in our Wiki). Next, get the certificate with certbot certonly --standalone -d {{ settings.host || your.domain.com }} and follow the instructions.

diff --git a/js/glowingbear.js b/js/glowingbear.js index 753085d..d8c42dd 100644 --- a/js/glowingbear.js +++ b/js/glowingbear.js @@ -103,6 +103,12 @@ weechat.controller('WeechatCtrl', ['$rootScope', '$scope', '$store', '$timeout', } })(); + // Show a TLS warning if GB was loaded over an unencrypted connection, + // except for local instances (testing or electron) + $scope.show_tls_warning = (window.location.protocol !== "https:") && + (["localhost", "127.0.0.1", "::1"].indexOf(window.location.hostname) === -1) && + !window.is_electron; + if (window.is_electron) { // Use packaged emojione sprite in the electron app emojione.imageType = 'svg';
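Review bot: In the `show_tls_warning` expression, the "::1" entry will not match a page loaded from the IPv6 loopback address, because `window.location.hostname` returns IPv6 literals with their brackets ("[::1]"); the list should contain "[::1]". The check also treats only the exact string "127.0.0.1" as local, and a page opened from file:// has a non-https protocol and an empty hostname, so it gets the warning unless `window.is_electron` is set. Worth deciding whether both are intended and saying so in the comment above the assignment.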