Clever Geek Handbook

How to enable encryption in JetBrains Projector

Projector is a way to run IntelliJ IDEA on a remote server. I recently wrote an article about this , but I kept silent about an important thing for any paranoid - encrypting data on a web socket.



Generating and setting keys is a rather dreary piece of work. Here you will have to get acquainted with the features of Docker and cryptography in Java. Unfortunately, you can't get away from this, because this is Java, and the guys at JetBrains are not at all to blame.



In the original article, this text was covered with a spoiler, but then I felt that it was impossible to read such a wall of text and gave birth to this text. Sorry in advance. By opening this article, you agree that you will not like what you see.



Generating keys



First, we need to generate a set of keys. To do this, you need to install OpenJDK and use the keytool tool.



Generating keys is a bunch of steps. I wrote a script for myself , and I urge you to use it.



mkdir ~/keystore
cd ~/keystore

curl https://raw.githubusercontent.com/projectile-ide/projectile-keymaker/master/projectile-keymaker --output ./keymaker

chmod 755 ./keymaker
./projectile-keymaker projector idea true IP 192.168.1.1 mypassword


, . , : ca.crt server.jks.



  • ca.crt — Certificate Authority, . .
  • server.jks — IDEA.




- , . .



Certificate Authority (CA), .



keytool -genkeypair -v \
  -alias ca \
  -dname "CN=myCA, OU=Development, O=myCA, L=SPB, S=SPB, C=RU" \
  -keystore ca.jks \
  -keypass:env PW \
  -storepass:env PW \
  -keyalg RSA \
  -keysize 4096 \
  -ext KeyUsage:critical="keyCertSign" \
  -ext BasicConstraints:critical="ca:true" \
  -validity 9999




: -keypass:env PW. , ( bash history), .



export PW=mypassword , bash history. .



, :



export PW=`pwgen -Bs 10 1`
echo $PW > password


:



export PW=`cat password`


, ? , , . , — . , , PW.



...



CA , - JKS, . , crt:



keytool -export -v \
  -alias ca \
  -file ca.crt \
  -keypass:env PW \
  -storepass:env PW \
  -keystore ca.jks \
  -rfc


(, ):



keytool -genkeypair -v \
  -alias server \
  -dname "CN=myServer, OU=Development, O=myServer, L=SPB, S=SPB, C=RU" \
  -keystore server.jks \
  -keypass:env PW \
  -storepass:env PW \
  -keyalg RSA \
  -keysize 2048 \
  -validity 385


, . , :



keytool -certreq -v \
  -alias server \
  -keypass:env PW \
  -storepass:env PW \
  -keystore server.jks \
  -file server.csr


CA, :



keytool -gencert -v \
  -alias ca \
  -keypass:env PW \
  -storepass:env PW \
  -keystore ca.jks \
  -infile server.csr \
  -outfile server.crt \
  -ext KeyUsage:critical="digitalSignature,keyEncipherment" \
  -ext EKU="serverAuth" \
  -ext SAN="IP:192.168.1.1" \
  -rfc


, SAN : "DNS:website.com", . "IP:192.168.1.1", . IP, , , .



, , JKS CA ( ):



keytool -import -v \
  -alias ca \
  -file ca.crt \
  -keystore server.jks \
  -storetype JKS \
  -storepass:env PW << EOF
yes
EOF


JKS:



keytool -import -v \
  -alias server \
  -file server.crt \
  -keystore server.jks \
  -storetype JKS \
  -storepass:env PW


, :



keytool -list -v \
  -keystore server.jks \
  -storepass:env PW


, . .





/home/olegchir/keystore/ssl.properties :



STORE_TYPE=JKS
FILE_PATH=/tmp/server.jks
STORE_PASSWORD=mypassword
KEY_PASSWORD=mypassword


, , , .



(/home/olegchir) , - . , , . olegchir, .



/tmp/server.jks, /home/olegchir/keystore/server.jks? , , . .



Projector, . docker run, .



, run-container.sh :



docker run --rm -p 8080:8080 -p 8887:8887 -it "$containerName" bash -c "nginx && ./run.sh"


:



  • ORG_JETBRAINS_PROJECTOR_SERVER_SSL_PROPERTIES_PATH ;
  • ORG_JETBRAINS_PROJECTOR_SERVER_HANDSHAKE_TOKEN , URL, ;
  • ( ) /tmp.


docker run --rm \
    -v /home/olegchir/keystore/ssl.properties:/tmp/ssl.properties \
    -v /home/olegchir/keystore/server.jks:/tmp/server.jks \
    --env ORG_JETBRAINS_PROJECTOR_SERVER_SSL_PROPERTIES_PATH=/tmp/ssl.properties \
    --env ORG_JETBRAINS_PROJECTOR_SERVER_HANDSHAKE_TOKEN=mypassword \
    -p 8080:8080 -p 8887:8887 -it "$containerName" bash -c "nginx && ./run.sh"


!



./run-container.sh


- . :



[INFO] :: ProjectorServer :: WebSocket SSL is enabled: /tmp/ssl.properties
[INFO] :: ProjectorServer :: Server started




ca.crt , . .



-. , .



Firefox:



  2. Privacy & Security
  3. — View Certificates
  4. Authorities
  5. Import...
  7. , .
  8. .




Chrome Windows:



  2. Privacy and security
  3. Securty
  4. Manage certificates
  5. Trusted Root Certification Authorities
  6. Import...
  7. , , Trusted Root Certification Authorities.
  8. Chrome. Windows . Chrome, , Chrome. Delete.
  9. Chrome .




Chrome Linux:



  2. Privacy and security
  3. Securty
  4. Manage certificates
  5. Authorities
  6. Import...
  7. ca.crt,
  8. , .
  9. .


Chrome Fully Kiosk Browser Android:



Android . Huawei MediaPad M5 Solid Explorer .



:



  1. Settings
  2. Security & privacy
  3. More Settings
  4. Encription and credentials
  5. Install from storage
  6. ca.crt
  7. .


, Android- , "Install from storage" , . .





: https://localhost:8080/projector/?wss&token=mypassword



: https://hostname:8080/projector/?wss&host=hostname&port=8887&token=mypassword





, https://hostname:8887 , . , " " - . , .





Setting up a secure connection is long and frustrating. You need to type a lot of commands in the console that cannot be memorized by heart, rummage through dockerfiles, transfer files to a mobile device. If you made a mistake somewhere in at least one letter, then nothing works.



On the other hand, I did it once - and live in peace.



More articles:


All Articles