Coronium setup and iOS App Transport Security policy

I have Coronium 1.92 running on Digital Ocean and I’m using mod_coronium v1.92.5 in my Corona app.

I set everything up from the tutorial a few months ago and was testing on iOS 7 & 8 and Android 4 & 5 where it all seemed to work well. Then when I got an iOS 9 test device I came to learn about the ipv6 transition and Apple’s new App Transport Security policy.

I get the following error in iOS9 where XXX.XXX.XX.X is my Coronium instance IP :

ERROR: network request failed: http://XXX.XXX.XX.X/1/code/createUser [-1022: The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.]

I tried adding an NSExceptionDomains table to NSAppTransportSecurity in build.settings, but being an IP address that obviously didn’t work. The only thing that seemed to work was adding NSAllowsArbitraryLoads = true, which I’m reluctant to use as it’s likely to result in Apple rejection.

I also tried using http://xip.io/ to provide wildcard DNS for my Coronium instance IP, which works but I’m guessing this is a dirty solution?

Is there a best practice for resolving this? Is it something I need to change on my Digital Ocean Droplet setup? It’s a bit over my head right now if I’m honest. Please help. 

Apple probably won’t reject for using NSAllowsArbitraryLoads = true. There are just too many web sites and APIs living in http: still. But where you’re likely going to get rejected is their June 1 deadline to be IPv6. You cannot use IPv4 IP addresses any longer. You have to use DNS names that will resolve to IPv6 addresses.

I have to confess IPv6 ignorance. It’s been years since I’ve done system admin and I’ve not kept up with the technology.

Rob

@Rob. So would you recommend using http://xip.io/?
And what exactly does the June 1st deadline mean in terms of other network.request calls? Can I still do :

NSAppTransportSecurity = { NSExceptionDomains = { ["mydomain.com"] = { NSIncludesSubdomains = true, NSExceptionRequiresForwardSecrecy = false, NSExceptionAllowsInsecureHTTPLoads = true, } }, },

I don’t know much about xip.io, but their blurb screen didn’t seem to talk much about IPv6 addresses. If you’re on Digital Ocean, they should have a DNS server to route traffic to your server and they should support IPv6. Again, I’m stepping out of my comfort zone here. I’ve never spun up a server on DO so I don’t know what all options they offer.

network.request() should already be IPv6 friendly as long as you’re using a DNS name that resolves to an IPv6 address. The socket IO library was updated in yesterday’s daily build (2883) and it should work with both IPv4 and IPv6 addresses. But Apple has a good document that explains this:

https://developer.apple.com/library/ios/documentation/NetworkingInternetWeb/Conceptual/NetworkingOverview/UnderstandingandPreparingfortheIPv6Transition/UnderstandingandPreparingfortheIPv6Transition.html#//apple_ref/doc/uid/TP40010220-CH213-SW1

If you’re doing socket level work, some of the calls like: gethostbyname, gethostbyname2 are problematic as they may not be IPv6 compatible. @develephant would know best how Coronium is using the various networking features. I suspect it’s all network.request() if so it should be good.

Rob

@Rob. Yea. Sorry I’m confusing two things here…
NSExceptionDomains with IPv4 addresses; and the imminent IPv6 transition.

It’s not something I know anything about really but as far as I’m concerned I initialise Coronium with the IPv4 address associated with my instance on Digital Ocean.

coronium:init( { appId = 'XXX.XXX.X.X', apiKey = coroniumApiKey } )

So the problem for now can be overcome with NSAllowsArbitraryLoads = true or by adding a key value pair with ['xxx.xxx.xx.x.xip.io'] in NSExceptionDomains and initialising that:

coronium:init( { appId = 'XXX.XXX.XX.X.xip.io', apiKey = coroniumApiKey } )

But additionally as I’ll most likely be submitting my app after June 1st I’ll need to solve the IPv6 transition problem with Digital Ocean too. Have I got all that right?

Hopefully @develephant can chime in with what he’s doing with those strings.

Rob

I’ve been working with the Coronium code a lot lately. All the routing is handled through Nginx/OpenResty with assets being piped through Apache. So you should be able to solve your issue by searching within those technologies. However, from looking at the error you received, I think your issue here is related to not using SSL.


“ERROR: network request failed: http://XXX.XXX.XX.X/1/code/createUser [-1022: The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.]”

You may want to look into getting an SSL cert and installing it on your DO instance. Instructions to do so are in this link. Afterwards you should have the mod_coronium client use HTTPS/SSL to connect.

The nice part is even if this doesn’t solve this particular issue it is something you should be doing to secure the information going over the wire.
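For reference, the two ATS configurations discussed in this thread side by side in Corona's build.settings format. This is an added example, not code from the thread, from Corona Labs or from Coronium; api.example.com stands in for a DNS name pointing at the droplet (ATS exceptions match hostnames, not bare IP literals), and the coronium:init call mirrors the one quoted above.

```lua
-- build.settings (Corona SDK); added example, not from the original thread.
-- "api.example.com" is a placeholder for a DNS name that resolves to the Coronium droplet.
settings = {
    iphone = {
        plist = {
            -- Weak setting: switches ATS off for every host the app ever contacts.
            -- Kept here commented out only to show what it replaces.
            -- NSAppTransportSecurity = { NSAllowsArbitraryLoads = true },

            -- Scoped exception: plain HTTP is tolerated for the Coronium host only.
            -- Every other request in the app still gets the ATS defaults
            -- (HTTPS, TLS 1.2, forward-secret cipher suites).
            NSAppTransportSecurity = {
                NSExceptionDomains = {
                    ["api.example.com"] = {
                        NSIncludesSubdomains = true,
                        NSExceptionAllowsInsecureHTTPLoads = true,
                        NSExceptionRequiresForwardSecrecy = false,
                    },
                },
            },
        },
    },
}

-- main.lua: initialise against the DNS name, not the IPv4 literal.
-- Once the server has a certificate and the client talks HTTPS, the whole
-- NSExceptionDomains entry above can be deleted; the ATS defaults then apply.
local coronium = require("mod_coronium")
coronium:init({ appId = "api.example.com", apiKey = coroniumApiKey })
```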
