00:05 <Draft_FR> Hi everyone, we have this project with https://communecter.org to create a free (like free software) project management tool inside of the platform.

00:07 <Draft_FR> So anyone who creates a group or a project in the platform can have access to different management tools to improve his way of communicating in intern and in extern.

00:07 <Draft_FR> The goal is to be able pretty easily to open his project so anyone can contribute

00:08 <Draft_FR> It seems quite like the same project than yours, but it seems like totally different too.

00:08 <Draft_FR> Do you think we could work together ?

00:21 <simpson> Draft_FR: How do you feel about the security goals of Sandstorm?

00:26 <Draft_FR> @simpson : What do you mean ?

00:29 <simpson> Draft_FR: I mean that a large portion of the Sandstorm idea is to improve the security of Web apps by altering the structure of the underlying platform.

00:31 <Draft_FR> What's the purpose of improving security of apps ? (I'm not a computer scientist)

00:36 <simpson> Better security is its own reward IMO.

00:37 <Draft_FR> What's the objective behind a better security ? What's the utility of it ? I mean when you talk about open management tool. Maybe it's for robot not to spam your loomio's group for example ?

00:39 <simpson> For me personally, the objective is *herd immunity*. It's the rationale behind e.g. trying to coat the Web with TLS.

00:50 <Draft_FR> Well, I really don't know about it, but it seems nice :)

00:51 <Draft_FR> But it doesn't answer my question ;)

00:52 <simpson> I can't speak to your original question. I'm on the sidelines as far as Sandstorm; I'm just here to learn.

00:52 <Draft_FR> Uh XD

00:52 <Draft_FR> Fair enouh ;)

00:53 <Draft_FR> Well, I'm going to bed right now, see u !

07:43 <solly> hello

07:44 <JonTheNiceGuy> Hey!

09:49 <Aliekezhi> hi, I'm trying to set up https for sandstorm. My sandstorm is accessible via http://myurl.com:6080 ; if I add HTTPS_PORT=443 to sandtorm.conf, my sandstorm server is not accessible at all both in http and https...

09:50 <Aliekezhi> should I change then BASE_URL and WILDCARD_HOST to 443 port ?

09:50 <Aliekezhi> or any other idea ?

11:52 <Aliekezhi> in which directory of /opt/sandstorm is the root directory for the apache access ?

12:58 <JonTheNiceGuy> Hey Aliekezhi: Sandstorm doesn't really run like that....

12:59 <JonTheNiceGuy> Do you have a reverse proxy (like Apache) in front of it?

13:00 <JonTheNiceGuy> Or, are you going to just run Sandstorm on that machine?

13:22 <terravires> hi all, I've got sandstorm installed with apache reverse proxy, and have a wildcard dns for *.sandstorm.lan that resolves to 127.0.0.1. I cannot install or use any apps though, it just gets stuck on isntalling

13:28 <JonTheNiceGuy> So, here's how I have it working at home: https://gist.github.com/JonTheNiceGuy/aaecbfa50605ddd3399b74b933ba7760

13:28 <JonTheNiceGuy> Note, I bind Nginx to the "real" IP (192.168.1.100) ONLY not 0.0.0.0

13:29 <JonTheNiceGuy> That then means I can bind sandstorm to 127.0.0.1:443 and 127.0.0.1:6080 which means I can use sandcats.io

13:30 <Aliekezhi> JonTheNiceGuy, I'm using a self-signed certificate, using apache not nginx

13:31 <terravires> not sure if that was to me, but I'm using a lets encrypt cert with SNI and virtual hosts. That all works, sandstorm doesn't seem to be working and logs give no errors

13:32 <JonTheNiceGuy> Aliekezhi: so, it's a pointer to how you might want to make it work, I understand it's not tailored to your situation. I think there are some docs on the sandstorm site which might help you out further, but I'm not sure (I'm not a Sandstorm dev, just a user)

13:33 <JonTheNiceGuy> terravires: Sorry, your timing was just perfect ;) I seem to recall that it might be due to it not forwarding the WebSockets stuff that might cause those issues... again, not a dev, just a user.

13:33 <terravires> JonTheNiceGuy, might be, I setup forward and reverse proxy for apache, and had to include headers (off by default)

13:34 <terravires> JonTheNiceGuy, any url or info you can give me for the websocket setup?

13:35 <Aliekezhi> JonTheNiceGuy, well actually I followed the docs without a working result....

13:35 <Aliekezhi> JonTheNiceGuy, I mean I have to disable https on sandstorm config for it to work...(in http, that shouldn't be allowed !)

13:37 <Aliekezhi> JonTheNiceGuy, there shouldn't be any problem with apache itself, as another software is working using https on the same server (OTRS)

13:38 <JonTheNiceGuy> terravires: https://github.com/sandstorm-io/sandstorm/blob/master/docs/administering/sample-config/apache-virtualhost.conf

13:38 <JonTheNiceGuy> Aliekezhi: Try runing systemctl status sandstorm and see whether when you enable the HTTPS port that it actually start again.

13:39 <JonTheNiceGuy> I suspect you have an IP collision, which means it's preventing it from starting the service up - hence no access on 6080 AND 443

13:39 <JonTheNiceGuy> Right, back to work for me. If I can make any further suggestions between stuff, I will. Hope it works out for you both!

13:41 <JonTheNiceGuy> Also, it might be worth asking on the mailing list mentioned in the topic - someone there might pick it up in a different timezone and help out. At worst case, Kenton (the project lead) tends to reply to stuff at the weekends, so while it might not be an immediate response, you will get something eventually

13:41 <terravires> JonTheNiceGuy, Ah, cheers. While that didn't fix it, I now finally have an error in apache about missing protocol handler for websockets

13:42 <JonTheNiceGuy> TADA! terravires awesome (well, ish) news!

13:51 <Aliekezhi> JonTheNiceGuy, no error in sandstorm status

13:52 <JonTheNiceGuy> If you `netstat -antp` as root do you see Sandstorm appearing there for both ports?

13:53 <Aliekezhi> JonTheNiceGuy, here is the config I'm using : https://bpaste.net/show/50a72b540d9b

13:54 <Aliekezhi> JonTheNiceGuy, weird, sandstorm is listening only to 30025 and 6080

13:54 <terravires> hum... I think I see the problem. And looks like I won't be able to use sandstorm if it's true. :(

13:55 <Aliekezhi> JonTheNiceGuy, maybe because apache is already listening to 443 ?

13:55 <terravires> so the wildcard "sandboxes" that it creates and getting passed to the client. And it wants to acces <randomstring>.sandbox.lan. My expectation was that using reverse proxy would mean apps just accessed localhost and results were sent via apache 443.

13:56 <JonTheNiceGuy> Aliekezhi: Ahhh, so you can force Apache to bind to 192.168.1.1 instead of 0.0.0.0 with (offhand) /etc/apache2/ports.conf then restart apache. Or, use a different port for Sandstorm.

13:57 <JonTheNiceGuy> terravires: Apologies - yes, it needs the wildcard DNS and TLS to work.

13:57 <terravires> JonTheNiceGuy, I have wildcard setup, but it's for internal use by the server.

13:58 <terravires> JonTheNiceGuy, SSL cert (letsencrypt) does not issue wildcards so I can't use it for public facing side. Why I tried to use reverse proxy route

13:58 <Aliekezhi> JonTheNiceGuy, the magic with new apache (httpd) is that config file doesn't existe anymore ^^ yeah I'll try to use another port

13:59 <JonTheNiceGuy> terravires: so, I have both on my machine - letsencrypt for my "home machine", and also jontheniceguy.sandcats.io for Sandstorm - both are using Nginx (but Apache would work too)

13:59 <JonTheNiceGuy> Your best bet in that case is to take a look at the git repo I mentioned in that gist above to extract the sandcats.io certificate and use it within Apache's config.

14:01 <Aliekezhi> JonTheNiceGuy, hum, maybe I should configure httpd to redirect to sandstorm, but any idea how ? I have no idea where in /opt/sandstorm...

14:01 <Aliekezhi> (instead of default /var/www)

14:02 <Aliekezhi> I didn't find any index.cgi or index.html page :/

14:02 <JonTheNiceGuy> Aliekezhi: It's not a website like that. It's a whole sandboxing service. It spawns it's own virtual machines and proxies those as a web service.

14:03 <JonTheNiceGuy> Your only option is to forward HTTP/HTTPS requests to the Sandstorm bound ports.

14:04 <Aliekezhi> Well I tried using 6082 as https port, sandstorm is listening there but still no access...

14:05 <Aliekezhi> nothing is working but not error log...

14:06 <JonTheNiceGuy> Right, I must carry on working - I hope you guys get it sorted out. I think you're probably best off working together as you're both (basically) trying to do the same thing.

14:06 <JonTheNiceGuy> Check that the service is listening, that it responds to an HTTPS request against the bound service, and if so, making sure that request is being passed to that service when you try to pass it through Apache.

14:07 <JonTheNiceGuy> I really hope it works for you, and if I get a chance later to check back in, I'll see what I can do to help further.

14:07 <Aliekezhi> JonTheNiceGuy, ok thanks

14:10 <terravires> seems the wildcard requirement is an issue for a good many people. Sadly, won't meet my requirements I'm afraid.

14:12 <JonTheNiceGuy> terravires: It's work-around-able... I previously had a *.sprig.gs (my DNS name) wildcard certificate for my machine, and pointed *.sandstorm.sprig.gs to it. Likewise, I have moved over to using jontheniceguy.sandcats.io for my Sandstorm instance and both worked fine for me. But, I work in Network Security, so I'm pretty comfortable making changes with stuff like that.

14:14 <JonTheNiceGuy> If anything, it's the exact reason they started running sandcats.io - was to make that part of the process easier for people

14:15 <terravires> JonTheNiceGuy, I've got several reasons why it's a problem (vpn being one) but as I said, seems to be an issue for people.

14:17 <terravires> just going to have to locate a more suitable solution. Looks like a great package if you can use it in your environment.

14:17 <JonTheNiceGuy> OK, well, 'tis a shame, but... hopefully there comes a time when it is something you can use. Until then, you can always use oasis.sandstorm.io for stuff you don't mind Sandstorm Inc. (if I remember rightly) having access to it...

14:17 <JonTheNiceGuy> terravires: is it for corporate use?

14:17 <terravires> Mixed, yes.

14:18 <JonTheNiceGuy> Why not put it on a VM on that machine, with a bridged NIC? You can set up a wildcard DNS and TLS cert for that VM that doesn't interfere with anything else on that machine then.

14:19 <JonTheNiceGuy> Are you terminating the VPN on that host too?

14:21 <terravires> Yes, I actually have a mix of VPNs and domains pointed and a rather complex setup (hence the SNI) so I'm kind of limited in what I can change without breaking other things.

14:22 <terravires> I was just hoping I could host internally on DMZ host and then proxy in the clients. Doesn't look like that works at this point.

14:24 <JonTheNiceGuy> Ah, understand.

14:25 <JonTheNiceGuy> If it's something you want to go through at more length in a less public forum, please feel free to email me jon@sprig.gs and I'll reply at more length, if you need any help, but if you're happy to park it there, that's fine too. I think Sandstorm is awesome, and I'd love to see more people using it... especially in a professional setting.

14:28 <terravires> JonTheNiceGuy, cheers for the kind offer. Though as I said I'm rather limited what I can do without breaking existing setup. Sandstorm does look very nice. Just that requirement ends up making it deal breaker for my setup.

14:29 <JonTheNiceGuy> NP

15:18 <georgeowell> Just curious, are there any plans to tackle the fact that a lot of the apps on the app store are really out of date?

15:19 <georgeowell> RocketChat, Wordpress etc

15:24 <JonTheNiceGuy> georgeowell: there's a bounty board which has been set up to fund people who can bring them up to date, and more to encourage upstream authors to include the sandstorm changes to their builds. Let me dig out the URL for that

15:25 <JonTheNiceGuy> georgeowell: http://sandsheep.com/bb

15:29 <georgeowell> JonTheNiceGuy: sounds like a good stratergy :)

15:30 <JonTheNiceGuy> To be fair, Ethercalc hosts it's own package on it's own branch (according to the notes over there), and they'll pay 40USD per app port and 10USD per app major upgrade.

15:30 <JonTheNiceGuy> Sorry, the BB pays out $40 and $10

15:31 <georgeowell> It just seems a shame considering the security focussed design of Sandstorm.

15:53 <isd> Hrm, rocket.chat actually has the sandstorm support in the upstream repo; has someone actually tried building it and failed, or have we just not pushed new binaries?

15:54 <isd> We really ought to at least have a point-person for the stuff we're shipping with the platform proper.

15:56 <isd> Latest release is 0.56, app market has 0.53

15:56 <isd> (there are rcs for 0.57)

15:57 <isd> I'm going to see what happens if I try to build this.

15:59 <georgeowell> afaik there's also been some security fixed since 0.53

16:00 <georgeowell> I wonder if some of the blog platforms are low hanging fruit also

16:00 <georgeowell> Wordpress and Ghost.

16:14 <isd> How did javascript builds get slower than 90% of languages that actually *have compilers*?

16:31 <isd> blech, yeah there's an actual build failure

16:32 <isd> So that's going to need the attention of someone who can dig into a meteor app

16:36 <isd> I think probably some of the same issues that were discussed on the mailing list recently re: meteor

21:27 <georgeowell> That's a shame. Perhaps some folks from RocketChat project could help.