
Updated HTTPS SSL support (markdown)

Bill Zimmerman 2019-07-29 11:54:59 -07:00
parent f57cc40945
commit 0afdebe2ff

@ -1,14 +1,14 @@
### Preamble
HTTPS prevents network attackers from observing or injecting page contents. Clearly, this would be a _good thing_ for RaspAP — given its function for creating and managing wireless networks. But HTTPS needs TLS certificates, and while deploying public websites is largely a solved issue thanks to the ACME protocol and Let's Encrypt, local websites still mostly use HTTP because no one can get a universally valid certificate for localhost.
HTTPS prevents network attackers from observing or injecting page contents. Clearly, this is a _good thing_ for RaspAP — given its function for creating and managing wireless networks. But HTTPS needs TLS certificates, and while deploying public websites is largely a solved issue thanks to the ACME protocol and Let's Encrypt, local web servers still mostly use HTTP because no one can get a universally valid certificate for localhost.
### Locally trusted certificates
An excellent solution for local website development is [mkcert](https://github.com/FiloSottile/mkcert). This is a zero-config tool for making locally-trusted certificates with any names you like. It also works perfectly well with RaspAP. You can generate a trusted certificate for a hostname (eg., raspap.local) or IP address, including localhost, because it only works for you.
Managing your own CA is the best solution, but this usually involves arcane commands and manual steps. An excellent solution for local websites is [mkcert](https://github.com/FiloSottile/mkcert). This is a zero-config tool for making locally-trusted certificates with any names you like. mkcert automatically creates and installs a local CA in the system root store, and generates locally-trusted certificates. It also works perfectly well with RaspAP. This allows you to generate a trusted certificate for a hostname (eg., raspap.local) or IP address, including localhost, because it only works for you.
![mkcert](https://blog.filippo.io/content/images/2019/01/sticker-transparent.png)
Here's the twist: it doesn't generate self-signed certificates, but certificates signed by your own private CA, which your machine is automatically configured to trust when you run `mkcert -install`. So when your browser loads a certificate generated by your instance of mkcert, it will show up with a green lock!
Here's the twist: it doesn't generate self-signed certificates, but certificates signed by your own private CA, which your machine is automatically configured to trust when you run `mkcert -install`. So when your browser loads a certificate generated by your instance of mkcert, it will show up with a green lock. mkcert does not automatically configure servers to use the certificates, though, that's up to you (see the steps below).
**mkcert** supports macOS, Linux, and Windows, and Firefox, Chrome and Java. It even works on mobile devices with a couple manual steps. Read more about mkcert [here](https://blog.filippo.io/mkcert-valid-https-certificates-for-localhost/) and [follow the project on GitHub](https://github.com/FiloSottile/mkcert).
**mkcert** also works on mobile clients with a couple of manual steps. Read more about mkcert [here](https://blog.filippo.io/mkcert-valid-https-certificates-for-localhost/) and [follow the project on GitHub](https://github.com/FiloSottile/mkcert).
### How-To
Follow the steps below to generate and install a locally-trusted certificate for RaspAP. The local domain `raspap.local` is used in the examples below. You may substitute this with localhost or your own hostname.
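Review bot: the sentence added to the end of the "Here's the twist" paragraph is a comma splice ("...though, that's up to you"); suggest "mkcert does not configure servers to use the certificates, though; that is up to you (see the steps below)." In the same hunk, "eg.," in the rewritten mkcert paragraph should be "e.g.,". Replacing the platform-support sentence (macOS, Linux, Windows; Firefox, Chrome and Java) with only the mobile note drops information a reader checks before starting the How-To; consider keeping both sentences.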
@ -46,7 +46,7 @@ Next, combine the private key and certificate:
cd /home/pi
cat raspap.local+2-key.pem raspap.local+2.pem > raspap.local.pem
```
Create directory for combined .pem file in lighttpd:
Create a directory for the combined .pem file in lighttpd:
```
sudo mkdir /etc/lighttpd/ssl
```
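Review bot: `cat raspap.local+2-key.pem raspap.local+2.pem > raspap.local.pem` writes the private key into a new file created under the user's default umask, so it is usually group- and world-readable until the `chmod 400` in the next step runs; suggest creating it with a restrictive umask, e.g. `(umask 077; cat raspap.local+2-key.pem raspap.local+2.pem > raspap.local.pem)`. The wording change to "Create a directory for the combined .pem file" reads fine.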
@ -55,7 +55,7 @@ Set permissions and move the .pem file:
chmod 400 /home/pi/raspap.local.pem
sudo mv home/pi/raspap.local.pem /etc/lighttpd/ssl
```
Configure lighttpd for SSL with the new certificate:
Configure lighttpd for SSL:
```
sudo nano /etc/lighttpd/lighttpd.conf
```
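Review bot: the unchanged `sudo mv home/pi/raspap.local.pem /etc/lighttpd/ssl` line uses a relative path (missing leading `/`), so it only succeeds when the reader's working directory is `/`; since this hunk is already being touched, suggest `sudo mv /home/pi/raspap.local.pem /etc/lighttpd/ssl`. Shortening "Configure lighttpd for SSL with the new certificate:" to "Configure lighttpd for SSL:" loses the hint that the following config edit references the combined pem file just moved into place; the longer form was the clearer lead-in.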
@ -95,7 +95,22 @@ You should see a response like the following:
Jul 01 11:56:15 raspap lighttpd[1433]: Syntax OK
Jul 01 11:56:15 raspap systemd[1]: Started Lighttpd Daemon.
```
Now, copy `rootCA.pem` to your lighttpd web root (important: do *NOT* share `rootCA-key.pem`):
Now, copy `rootCA.pem` to your lighttpd web root (**important:** do *NOT* share `rootCA-key.pem`):
```
sudo cp /home/pi/.local/share/mkcert/rootCA.pem /var/www/html
```
```
Open a browser and enter the address: https://raspap.local/rootCA.pem. Accept the unsafe warning in the browser and download the root certificate to your client. Add the root certificate to your system keychain.
![](https://i.imgur.com/RCJJPYL.png)
Be sure to set this certificate to "Always trust" to avoid browser warnings.
Enjoy an encrypted SSL connection to RaspAP 😎
### Mobile devices
For the certificates to be trusted on mobile devices, you will have to install the root CA. You can use the method above to distribute the root CA via the web server. Alternatively, on iOS, you can either use AirDrop or email the CA to yourself. After installing it, you must enable full trust.
For Android, you will have to install the CA and then enable user roots. See [this StackOverflow answer](https://stackoverflow.com/a/22040887/749014).
More advanced topics are [covered at mkcert](https://github.com/FiloSottile/mkcert#advanced-topics).
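Review bot: the extra "```" on its own line immediately after the closing fence of the `sudo cp` block opens a second, unterminated code block, so in rendered Markdown everything from "Open a browser and enter the address" through the Mobile devices section will display as code; remove that stray fence. Also, the "Accept the unsafe warning" step fetches `rootCA.pem` over a connection the client cannot yet verify, so the text should tell the reader to confirm the root certificate's fingerprint out of band before setting it to "Always trust" (for example, compare `openssl x509 -in rootCA.pem -noout -fingerprint -sha256` run on the Pi against the downloaded file), or to use the AirDrop/email route already mentioned for mobile devices.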