Https support

[guillaumeboehm]

Hi, I'm trying to use comfyUI through Automatic1111. My a1111 is setup to work through https, but not comfyUI, and I believe that is what is preventing me to use it. The a1111 tab for comfyUI is just empty. Is there a way to setup comfyUI's server to use https ?

[Gerschel]

This doesn't fully address the concern, as I feel it has potential to break at times as the main project will get updates first.
I feel the same concern, because I have written some apps for vr, and the base code for android, that allows working through the api or comfyui directly, wanted to share my apps for testing. I assume, from research, that when others want to connect via a phone app, they wanted to do it outside of their home network, such as from work or while on the bus.

I have seen others implement things such as using ngrok, ssh tunneling, reverse proxy, creating their own vpn for direct communication, etc.
I think a lot of those options are great ideas, and work. But that would mean for my client side apps to work, I would have to code for every variable.

So I went down a rabbit hole.

I attempted to enable https support for comfyui.

In my initial attempt, I directly modified the files that came with comfyui, such as main.py, server.py. Then I added a self signed certificate generator script.

It worked.

The issue with that was two fold.

First, from my experience back when I created several extensions for a1111 that had heavy modification and trickiness, just about every update a1111 got, it meant I had to also write an update, which meant several times a day at times. But then, if others updated at different frequencies, I needed to make it backwards compatible. Which really complicated things. It meant I was having to write for different versions of a1111 on different devices when a1111 had no versioning to be able to read.

So every update I made, had to consider the state of things prior with no knowledge of who decided to update what in which order.

The second issue I currently have, the self signed certificate gives a "Not signed by Central Authority" warning. So some browser engines, or their implementation, will deny it without giving a chance to check and accept it.

With all this said.

I made a thing, it's not ideal. It works on my computer and for my apps, but I still have to address some things, but traffic is 100% encrypted between server and client.

This is how I did it.

Taking my changes I made to main.py and server.py, I decided I wanted to make an alternate entry point that calls alternate files during launch, that have my changes.

But I needed/wanted, my files to have minimal changes, and only change what was necesarry to make it work. So the idea became, import it all, and override what is necessary, the least likely methods/functions to get regular updates.

This way the frequency of updates, whatever it is, is the least likely to break things. It will just work through 90%+ of the updates.

So the design decision means I have to import, override the important things that need to be changed, read from original file (so it works if it updates), change the urls from http:// to https:// and ws:// to wss://, then execute as if it was part of the same file.

This allows changes to main.py and server.py to be used in my alternate main_https.py and override_server.py, where the only real methods defined in my scipts are the ones that enable tls (htttps and websocket secure).

I believe this format allows the most compatiblity with update ability and least chances of breaking.

Now, this means, there is still potential for it to break, and not work for every browser type, on every machine type.

Here is how it works, I setup a .bat file as my launch point. This idea/process can work for mac/linux, just changed accrodingly.

For the file, I read a flag, if "--http" is used, it calls the original main.py and everything runs as designed by comfyui. If no "--http" flag is used, it launches the main_https.py.

The main_https.py imports from main first, this is needed before importing my override_server.py, because main.py relies on the default server.py, and also, if I don't do it first, there's some weird bug where it doesn't take in cli-args.

Technically when main.py is imported, it then imports server.py.

Then in my main_https.py, I import my override_server.py as server, so any mentions of the non-secure server is overwritten by mine (in memory), in my override_server.py, I import the server.py, so it's in it's local scope, then read the file as a file, not script, modify all references of http, to https, and from ws://, to wss://, then "exec" it into the scope, then I redefine the PromptServer.start method to use the SSL Context.

Back in the main_https.py, when it does the import of this process, this means that what it knew of server.py is now changed to an https/wss version.

But then there's another potential problem, some tools like ImageRefiner try to import server.py to create their own custom server.
Fortunately, they don't rewrite it, but extend it to include their routes.
But if they import server.py instead of override_server.py, they will get the https version and not the https version.

To address this, I delcare:
sys.modules['server'] = my override
So know, if others import server.py while main_https version is active, they import the one that has https enabled.

Then I create an override for the "run" function that reads a certificate created by generate_certificate.py, assign it to the SSL_Context, and pass it to the server with all the overrides and rewrites that are now in scope.

Read directly from main.py file for the launch (design decision notes: Initially I copy and paste it in, but since my modifications did not modify the startup scripts, to avoid issues of updates, I read it in, replace http with https, do it for ws:// to wss:// (but none exist at the moment, it' just in case it happens when I'm not looking)), then execute.

Boom.

Https/wss enabled comfyui that encrypts traffic both ways according to generate_certificate.

At the moment generate_certificate is minimal boiler plate until I can decide on a direction (create a central authority, leave as is and let others modify, incorporate a way to automate a Certificate Signing Request with LetEncrypt, I don't know yet, there's a lot to consider.)

I'm sure, that if the issue of self-signed certificates, potential of man in the middle attacks could look similar to your cerificate BUT IF you add your own CA signature and add to your browser, then it can't happen (but I have to try to consider that some people don't know certain caveats, so they need it to work out of the box). So if I can resolve that issue. Then we are likely to see the option added to comfyui by default.

https://github.com/Gerschel/comfyui-enable-tls

[nanamicat]

use nginx