BIMadmin80
New member

Joined: 04 Nov 2015
Posts: 16
Location: Finland

Posted: Thu Feb 11, 2016 11:44 am    Post subject: BIMcloud, BIM Server and encryption

From "BIMcloud and BIM Server network requirements":

Quote:
To encrypt the network traffic, the following alternatives are available:

- Use HTTPS to secure the communication. For this you will need a Reverse Proxy on the server side that will perform the SSL encryption between ARCHICAD and the Reverse Proxy
- Use VPN, which will encrypt the communication


Seems odd that in 2016 this isn't built-in to the product; these days SSL encryption is the norm in almost all network services using the internet, and BIMcloud is marketed as a product for the public internet. Will this be built-in in the future? As I understand, communication between BIMcloud servers is at least signed if not encrypted.

Will ArchiCAD work out-of-the-box with a reverse proxy or is additional configuration required on the client side? If I just use something like https://bim.server.address:19000 as the server address, will ArchiCAD know how to handle the connection? And if ArchiCAD can handle it, why isn't it built-in to BIMcloud/BIM Server?
filipp
New member

Joined: 13 Feb 2014
Posts: 34
Location: Helsinki

Posted: Fri Jan 05, 2018 8:11 am    Post subject: Re: BIMcloud, BIM Server and encryption

Totally agree that this should be built-in, not bolted-on. And Graphisoft hasn't even published instructions on how to build the proxy.

We recently "upgraded" to BIMcloud and even that doesn't have SSL support built-in (even though I remember some marketing material claiming otherwise).

I've made some progress setting up nginx as a reverse SSL proxy from our DMZ to provide external access to team projects, but it doesn't really work since the BIMcloud manager insists on reporting the internal server address to the client (we have 2 servers paired with BIMcloud) which suggests I publish *all* our internal teamwork server addresses with corresponding firewall rules etc.

BIMcloud/server is just a Node.js web service. Usually these are put behind HTTP load balancers that also take care of encryption. It's beyond me how Graphisoft didn't consider that most architecture offices are not that experienced with setting up web services. :(

_________________
Sysadmin @ JKMM Architects
Marton Kiss
Graphisoft

Joined: 26 Oct 2009
Posts: 272
Location: Budapest, Hungary

Posted: Mon Jan 08, 2018 12:19 pm    Post subject: Re: BIMcloud, BIM Server and encryption

Hi Filipp,

this is an extremely important topic, so allow me to summarise our take on it.

First and foremost, having encryption on any Internet traffic is a must. We strongly recommend this for all of our users running BIMclouds and BIM Server with public access.

This can either be done:
- by relying on VPN - which is typically a good solution for businesses that already have a VPN solution in use, or
- by establishing HTTPS connection via a 3rd party solution

Back with version 18 we switched to HTTP based communication that enabled our solution to be compatible with most HTTP based infrastructure solutions.

We considered building in HTTPS support straight to our server applications, but as there are plenty of proven solutions out there with millions of users we rather focused our resources on developments unique for our user base.

For nginx and most popular solutions (Apache Reverse Proxy, Amazon/Google Load balancers) we have detailed guides; please PM your email address and I'll have our local team send you the corresponding documents.

Regards,

_________________
Marton Kiss
Team Leader, BIMcloud Implementation
GRAPHISOFT
BIMadmin80
New member

Joined: 04 Nov 2015
Posts: 16
Location: Finland

Posted: Mon Jan 08, 2018 12:54 pm    Post subject: Re: BIMcloud, BIM Server and encryption

filipp wrote:
Totally agree that this should be built-in, not bolted-on. And Graphisoft hasn't even published instructions on how to build the proxy.

We recently "upgraded" to BIMcloud and even that doesn't have SSL support built-in (even though I remember some marketing material claiming otherwise).

I've made some progress setting up nginx as a reverse SSL proxy from our DMZ to provide external access to team projects, but it doesn't really work since the BIMcloud manager insists on reporting the internal server address to the client (we have 2 servers paired with BIMcloud) which suggests I publish *all* our internal teamwork server addresses with corresponding firewall rules etc.

BIMcloud/server is just a Node.js web service. Usually these are put behind HTTP load balancers that also take care of encryption. It's beyond me how Graphisoft didn't consider that most architecture offices are not that experienced with setting up web services. :(


I got a guide from Graphisoft a while back for setting up Apache proxy in front of BIMcloud. At that time at least, it required some modifications to make it work. It has been working quite well with AC19 and 20 and I haven't had to touch it much in recent times.

In BIMcloud Manager, the encrypted address should be made the primary server address. After this the unencrypted Manager page is redirected to the encrypted one. So during testing it's possible to get into a loop where you can't access the Manager page if the proxy isn't working correctly. After shutting down the proxy the unencrypted page can usually be accessed again.

Apache on Windows doesn't have log rotation by default so that has to be configured manually. The logging level could require some tuning too as Apache will produce huge amounts of logs in its default state. I've installed Apache on the same Windows server as BIMcloud, but it would probably be easier to work with a separate Linux installation for the proxy. By the way, when is Graphisoft releasing a Linux version of BIMcloud/BIM Server? The Mac version already is a *nix version, so porting it to Linux shouldn't be very hard.

The whole thing sure feels like a bit of a fragile afterthought. I wouldn't imagine it to be that much work to build it in, since there are standard SSL libraries that the whole world is using.
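The Apache-on-Windows arrangement described in the post above (TLS terminated at the proxy, plain HTTP to BIMcloud on the same machine, rotated logs), written out as an added example; it is not Graphisoft's guide or the poster's own configuration. The hostname, certificate paths, log file names and backend port are assumptions, and 19000 is only the port from the example address in the first post.

```apache
# Added example. All names, paths and the port below are assumptions;
# substitute the address your BIMcloud Manager actually listens on.
Define PUBLIC_NAME bim.server.address
Define BACKEND     http://127.0.0.1:19000

# Modules needed for TLS termination and reverse proxying. Skip any that
# httpd.conf already loads.
LoadModule ssl_module        modules/mod_ssl.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# Omit this line if an included file (e.g. httpd-ssl.conf) already has it;
# a second Listen on the same port stops Apache from starting.
Listen 443

# Apache on Windows does not rotate logs by itself. Piping through
# rotatelogs (shipped in Apache's bin directory, path relative to
# ServerRoot) starts a new dated file every 86400 seconds.
ErrorLog "|bin/rotatelogs.exe logs/bimcloud-error-%Y-%m-%d.log 86400"
# Keep the error log to warnings and above; use "error" if still too noisy.
LogLevel warn

<VirtualHost *:443>
    ServerName ${PUBLIC_NAME}

    SSLEngine on
    # Refuse the obsolete protocol versions; TLS 1.2 and newer remain.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCertificateFile    "conf/ssl/bimcloud-fullchain.pem"
    SSLCertificateKeyFile "conf/ssl/bimcloud.key"

    # Reverse proxy only: never relay arbitrary client-chosen URLs.
    ProxyRequests Off
    # Hand the public Host header to the backend. Whether BIMcloud
    # depends on this is an assumption to verify during testing.
    ProxyPreserveHost On

    ProxyPass        / ${BACKEND}/
    # Rewrites Location headers in backend redirects that point at the
    # internal address so the client is sent to the public name instead.
    ProxyPassReverse / ${BACKEND}/

    CustomLog "|bin/rotatelogs.exe logs/bimcloud-access-%Y-%m-%d.log 86400" combined
</VirtualHost>
```

Running `httpd.exe -t` checks the syntax before a restart. Rotated files are not deleted automatically, so old ones still need a scheduled cleanup.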
filipp
New member

Joined: 13 Feb 2014
Posts: 34
Location: Helsinki

Posted: Tue Jan 09, 2018 9:56 am    Post subject: Re: BIMcloud, BIM Server and encryption

I asked our ArchiCAD reseller for SSL proxy instructions, but didn't get any so I assumed they don't even exist. Secret documentation is silly - just put that stuff in your knowledge base.

We've been doing secure remote BIMserver over VPN for over a decade, but VPN only really works when you have full control over the endpoint (i.e. it's a company computer), not so much for subcontractors.

FWIW, I threw together a little writeup of how I set this up for us: http://unflyingobject.com/blog/stories/archicad-bimcloud-ssl-proxy-howto/

_________________
Sysadmin @ JKMM Architects