TLS

TLS encryption (SSL/https) is recommended only when (a) you use the Webdash module for web-based dashboarding, or (b) you run in a networked environment where data flows between workstations and servers. This page explains the considerations, and the options available for serving AWTS over a TLS-secured connection.

TLS encryption is optional, and may be unnecessary in single-server environments (e.g. running AWTS on your own workstation) where no web-based view is used. All AWTS modules can listen for requests over either plaintext http or TLS-encrypted (https) connections. Enabling TLS has only a small performance cost: approximately a 3-4% reduction in streaming throughput in internal benchmarking.

:::tip
The easiest way to see whether you require TLS, and to apply the relevant configuration, is to use the online Configurator.
:::

Configuration

TLS is configured with the tls config variable (or the AW_TLS environment variable), which takes one of two values:

  • none - plaintext, no encryption
  • cert - encrypted, using either a provided or self-signed server certificate

For tls=cert, you can supply your own certificate and key with the tls_key_file and tls_cert_file configuration variables (or the AW_TLS_KEY_FILE and AW_TLS_CERT_FILE environment variables respectively). Each should be set to the absolute path of the key or cert file as seen by the module. If both are set, the http server uses that server certificate.

If you do not specify valid key/cert files, the module automatically generates and uses a self-signed certificate.

If the specified key/cert files are subsequently updated (e.g. at certificate renewal), AWTS detects that the files have changed and starts using the new certificate immediately; no downtime or restart is required.
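The two behaviours described above, a self-signed fallback pair and a certificate that is picked up again when its file changes, sketched in Go as an added example; this is not AWTS code, and the file names, the mtime-based change detection and the "keep the last good certificate when a re-read fails" policy are assumptions rather than documented AWTS behaviour.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"math/big"
	"os"
	"sync"
	"time"
)

// SelfSignedPEM returns a fresh PEM cert/key pair for host, the kind of fallback the page describes when no valid files are configured (store the key with mode 0600).
func SelfSignedPEM(host string) ([]byte, []byte, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), DNSNames: []string{host},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, _ := x509.MarshalECPrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), nil
}

// Reloader is a tls.Config.GetCertificate callback (assumed design): it re-reads the pair whenever the cert file's mtime changes, so a renewal is served on the next handshake without a restart.
type Reloader struct {
	CertPath, KeyPath string
	mu                sync.Mutex
	mtime             time.Time
	cert              *tls.Certificate
}
func (r *Reloader) GetCertificate(*tls.ClientHelloInfo) (*tls.Certificate, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	st, err := os.Stat(r.CertPath)
	if err == nil && (r.cert == nil || !st.ModTime().Equal(r.mtime)) {
		var c tls.Certificate // LoadX509KeyPair also rejects a cert that does not match the key
		if c, err = tls.LoadX509KeyPair(r.CertPath, r.KeyPath); err == nil {
			r.cert, r.mtime = &c, st.ModTime()
		}
	}
	if r.cert != nil {
		return r.cert, nil // re-read failed (e.g. half-written renewal): keep the last good cert
	}
	return nil, err
}
```

Wire it in with `srv.TLSConfig = &tls.Config{GetCertificate: r.GetCertificate}` and `srv.ListenAndServeTLS("", "")`; Go's net/http then also negotiates HTTP/2 over that TLS listener.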

Why TLS is recommended for Webdash (and other browser-based usage)

The Webdash GUI streams data from mux and/or multiple AWTS services, and can stream many data sources concurrently depending on how many widgets you configure on your dashboard pages.

Standard web browsers limit the number of concurrent http requests to the same web server host: the maximum is 6 concurrent connections. A dashboard with more streams than that queues requests behind the limit, which causes network stalls and results in blank or non-loading dashboard content.

This restriction does not apply over HTTP/2, where multiple requests/streams are multiplexed over a single connection. Browsers only enable HTTP/2 over TLS-encrypted connections, so TLS encryption (https) is required for Webdash to perform correctly.

Web browsers, TLS and certificates

Standard browsers also refuse to connect to a TLS-enabled server whose certificate is not trusted, i.e. one not signed by a CA the browser trusts.

Therefore, for Webdash (or any other browser-based access to AWTS modules) you must configure your environment so that your browser accepts the connection. This typically means one of the following:

Run on localhost and allow insecure connections

Some browsers, including Chrome, can be configured to allow insecure connections (i.e. encrypted, but without a CA-signed certificate) to localhost. This option exists mainly to support web developers' local work.

To enable this in Chrome, visit chrome://flags/ and enable the "Allow invalid certificates for resources loaded from localhost" flag. Note that you may also need to enable the "Temporarily unexpire M118 flags" option in order to access this flag.

Buy an SSL certificate

You can buy a web server certificate (i.e. pay a CA to sign one) and configure AWTS to use it via the tls_key_file and tls_cert_file options above. Your browser will then treat the AWTS service as a genuinely secure web site.