Finding a glitch projects ssl key for secure websockets

I’m trying to have a client to server websocket connection through python and javascript from a desktop and the site but due to glitch being loaded over https a secure websocket connection needs to be made. To have the python websocket server started over a secure websocket server I need the ssl token of my glitch project. Is there a way to find it, or is there a way to use an external service like clouflare to add one?

Do you use the socket.io or the normal websockets?

Normal websockets for js and websocket_server for python.

In this case, you could normally use just an URL prefixed with https:// for interact securely with your server. Check this for more details.

The problem is that when the page is loaded over https, I can’t send a websocket send through ws because the page doesn’t allow unsecure requests and I can’t send over wss because I can’t open an ssl enabled websocket server without the ssl cert and key of the website.

I’m not really sure I understand the situation.

There’s some unofficial doc for the Glitch API.

A persistent token can be retrieved in the browser console of opened project web pages with:

JSON.parse(localStorage.cachedUser).persistentToken

Is it what you’re looking for ?

Can you clarify why you need to open an insecure WebSocket connection ? What’s the architecture of your project ?

Glitch does the TLS termination, including for HTTPS and wss protocols, outside of your project container. Connections as they reach your app inside the project container are presented as unencrypted HTTP and ws.

So that is to say: listen on $PORT as HTTP and accept upgrades to websocket, without setting up a TLS key at all.

There’s also the possibility of using http-proxy-middleware as illustrated here:

const proxy = require('http-proxy-middleware');

module.exports = function(app) {
  app.use(proxy('/api', { target: 'http://myserver' }));
  app.use(proxy('/ws', { target: 'ws://myserver', ws: true }));
};

And yes, no need to worry about TLS, it’s handled by Glitch.

1 Like

The websocket connection currently is being opened insecurely since I don’t have access to the page ssl key/cert, so I am unable to serve the websocket from python as a secure websocket.

The frontend of the page is in js and is what is connecting to the python websocket. The backend for the website is in go which handles the database, page serving, etc, but there’s a seperate app that is coded in nodejs through electron. This app acts as an interface to the python script that gets ran by it when opened. The python script is what serves the websocket and is what needs to be opened as a secure websocket.

It seems that you don’t understandwhat it means for Glitch to handle the SSL. You’re probably used to running servers as a single program, perhaps on your own computer. In that secenario, what you say here is true:

That is, if you want to connect ‘securely,’ i.e., over wss, you must run a program to serve it as wss, and for that, you must have a TLS key.

However, the architecture of Glitch apps is different. Accepting a TLS connection (I’ve elsewhere referred to this as “TLS termination”) is done separately from the application logic in your program. A component of Glitch accepts these TLS connections, looks at the HTTP and websocket content inside, finds the project container that the request/socket is meant for, and forwards it to that container as unencrypted HTTP or ws.

So this rule you had learned before no longer holds. You can write a program that only serves HTTP and ws, yet you can still connect to your project on Glitch from outside securely, over HTTPS and wss.

I don’t think I 100% understand what you are saying. So if I start serving a websocket from a python script, for example:

from websocket_server import WebsocketServer

WebsocketServer(host = "localhost", port = 8080).run_forever();

and I connect to that websocket from a glitch project such as:

new WebSocket("wss://localhost:8080");

Sending something from the python script would really be handled by glitch itself and then sent to the glitch project as unencrypted data?
But in practice, even just connecting to this websocket causes an error:

UnicodeDecodeError: 'utf-8' codec can't decode byte 0xfc in position 8: invalid start byte

Here’s the inconsistency with that experiment:

Glitch’s TLS cert would be one that authenticates the server as (your project domain).glitch.me, but in the experiment, you’re connecting to localhost. it would result in a security error even if you had Glitch’s TLS key.

Try doing this instead to see Glitch’s TLS key in action:

edit: broken code removed, see later posts

How would I send something from an external script, to that domain, for example python in my case. I tried just setting the host to the project_domain but would get an error saying the websocket connection could not be made because the host isn’t open.

1 Like

oops, I forgot to remove that :8080 part. the port also gets fixed up when you request from outside

oh and I forgot the .glitch.me :woman_facepalming:

new WebSocket(`wss://${process.env.PROJECT_DOMAIN}.glitch.me`);

This works great on the page side with no errors, but when trying to connect to the domain on the python side, I get a 502 bad gateway error. I have tried debugging it but I couldn’t find a reason that the server wouldn’t be sending a handshake response.

let client = new WebSocket("wss://testclient.glitch.me"); // Tried just using the domain name directly

client.onmessage = function(event) {
  console.log(event.data);  
}
from websocket import create_connection

client = create_connection("wss://testclient.glitch.me");
client.send("Test");
client.close();
1 Like

If you’re connecting from something other than a browser, you’ll often have to set a User-Agent request header manually.

This is one of the weird hidden things about Glitch, where they don’t allow any requests that don’t have that header.

1 Like

Even after setting the User-Agent header, I still get the 502 gateway error.

client = create_connection("wss://testclient.glitch.me", header={"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"});

That one I haven’t seen before. Could you ask on the support email about this and let us know if they have a solution for it?

1 Like

Hi @nekumelon I asked my colleagues to review this forum thread and see what additional help we could provide.

Our team agrees with @wh0 's advice

So this rule you had learned before no longer holds. You can write a program that only serves HTTP and ws, yet you can still connect to your project on Glitch from outside securely, over HTTPS and wss.

We would suggest that you try that with a remix of your project.

2 Likes