I've just been looking at the various, albeit confusing pull-requests &
tickets for the inclusion of SSL/TLS in Play 2.0 and have managed to get
the following understanding from it all, but would appreciate clarification
of my summary:
Firstly thanks for Henry Story for getting the ball-rolling:
The pull-requests I found that are associated:
- You can specify https.port in application.conf or as a environment
variable for dev mode e.g. run -Dhttps.port=8443
What is missing:
- Client certificate support (moved to 2.2 release, see pull request 475)
- Documentation (aside from that attached to the issues/pull-requests) for
getting SSL to work in 2.1.
- SSL support for Websockets (wss://)
I know that most people will setup lighttpd or nginx for their production
environments (or have to, seeing as this is only for dev mode), terminating
the SSL at that point.
A couple of questions then:
- What were the reasons to only allow TLS connections in dev mode?
- How can you verify that a request is secure? i.e. make a filter that
redirects certain requests to the https scheme and port - should this be
done at the reverse proxy with redirect rules? I think there used to be a
secure attribute on the Request object in Play 1, allowing you to do this.
- Has anyone planned to enable SSL support for Websockets during dev mode,
or has it been left by the wayside?
- Has anyone setup a reverse proxy (nginx maybe) that supports secure
Websockets? I would appreciate any information here before I go and do some
Thanks for your comments!