mirror of
https://github.com/billz/raspap-webgui.git
synced 2023-10-10 13:37:24 +02:00
Updated HTTPS SSL support (markdown)
parent
f57cc40945
commit
0afdebe2ff
@ -1,14 +1,14 @@
|
|||||||
### Preamble
|
### Preamble
|
||||||
HTTPS prevents network attackers from observing or injecting page contents. Clearly, this would be a _good thing_ for RaspAP — given its function for creating and managing wireless networks. But HTTPS needs TLS certificates, and while deploying public websites is largely a solved issue thanks to the ACME protocol and Let's Encrypt, local websites still mostly use HTTP because no one can get a universally valid certificate for localhost.
|
HTTPS prevents network attackers from observing or injecting page contents. Clearly, this is a _good thing_ for RaspAP — given its function for creating and managing wireless networks. But HTTPS needs TLS certificates, and while deploying public websites is largely a solved issue thanks to the ACME protocol and Let's Encrypt, local web servers still mostly use HTTP because no one can get a universally valid certificate for localhost.
|
||||||
|
|
||||||
### Locally trusted certificates
|
### Locally trusted certificates
|
||||||
An excellent solution for local website development is [mkcert](https://github.com/FiloSottile/mkcert). This is a zero-config tool for making locally-trusted certificates with any names you like. It also works perfectly well with RaspAP. You can generate a trusted certificate for a hostname (eg., raspap.local) or IP address, including localhost, because it only works for you.
|
Managing your own CA is the best solution, but this usually involves arcane commands and manual steps. An excellent solution for local websites is [mkcert](https://github.com/FiloSottile/mkcert). This is a zero-config tool for making locally-trusted certificates with any names you like. mkcert automatically creates and installs a local CA in the system root store, and generates locally-trusted certificates. It also works perfectly well with RaspAP. This allows you to generate a trusted certificate for a hostname (eg., raspap.local) or IP address, including localhost, because it only works for you.
|
||||||
|
|
||||||
![mkcert](https://blog.filippo.io/content/images/2019/01/sticker-transparent.png)
|
![mkcert](https://blog.filippo.io/content/images/2019/01/sticker-transparent.png)
|
||||||
|
|
||||||
Here's the twist: it doesn't generate self-signed certificates, but certificates signed by your own private CA, which your machine is automatically configured to trust when you run `mkcert -install`. So when your browser loads a certificate generated by your instance of mkcert, it will show up with a green lock!
|
Here's the twist: it doesn't generate self-signed certificates, but certificates signed by your own private CA, which your machine is automatically configured to trust when you run `mkcert -install`. So when your browser loads a certificate generated by your instance of mkcert, it will show up with a green lock. mkcert does not automatically configure servers to use the certificates, though, that's up to you (see the steps below).
|
||||||
|
|
||||||
**mkcert** supports macOS, Linux, and Windows, and Firefox, Chrome and Java. It even works on mobile devices with a couple manual steps. Read more about mkcert [here](https://blog.filippo.io/mkcert-valid-https-certificates-for-localhost/) and [follow the project on GitHub](https://github.com/FiloSottile/mkcert).
|
**mkcert** also works on mobile clients with a couple of manual steps. Read more about mkcert [here](https://blog.filippo.io/mkcert-valid-https-certificates-for-localhost/) and [follow the project on GitHub](https://github.com/FiloSottile/mkcert).
|
||||||
|
|
||||||
### How-To
|
### How-To
|
||||||
Follow the steps below to generate and install a locally-trusted certificate for RaspAP. The local domain `raspap.local` is used in the examples below. You may substitute this with localhost or your own hostname.
|
Follow the steps below to generate and install a locally-trusted certificate for RaspAP. The local domain `raspap.local` is used in the examples below. You may substitute this with localhost or your own hostname.
|
||||||
@ -46,7 +46,7 @@ Next, combine the private key and certificate:
|
|||||||
cd /home/pi
|
cd /home/pi
|
||||||
cat raspap.local+2-key.pem raspap.local+2.pem > raspap.local.pem
|
cat raspap.local+2-key.pem raspap.local+2.pem > raspap.local.pem
|
||||||
```
|
```
|
||||||
Create directory for combined .pem file in lighttpd:
|
Create a directory for the combined .pem file in lighttpd:
|
||||||
```
|
```
|
||||||
sudo mkdir /etc/lighttpd/ssl
|
sudo mkdir /etc/lighttpd/ssl
|
||||||
```
|
```
|
||||||
@ -55,7 +55,7 @@ Set permissions and move the .pem file:
|
|||||||
chmod 400 /home/pi/raspap.local.pem
|
chmod 400 /home/pi/raspap.local.pem
|
||||||
sudo mv home/pi/raspap.local.pem /etc/lighttpd/ssl
|
sudo mv home/pi/raspap.local.pem /etc/lighttpd/ssl
|
||||||
```
|
```
|
||||||
Configure lighttpd for SSL with the new certificate:
|
Configure lighttpd for SSL:
|
||||||
```
|
```
|
||||||
sudo nano /etc/lighttpd/lighttpd.conf
|
sudo nano /etc/lighttpd/lighttpd.conf
|
||||||
```
|
```
|
||||||
@ -95,7 +95,22 @@ You should see a response like the following:
|
|||||||
Jul 01 11:56:15 raspap lighttpd[1433]: Syntax OK
|
Jul 01 11:56:15 raspap lighttpd[1433]: Syntax OK
|
||||||
Jul 01 11:56:15 raspap systemd[1]: Started Lighttpd Daemon.
|
Jul 01 11:56:15 raspap systemd[1]: Started Lighttpd Daemon.
|
||||||
```
|
```
|
||||||
Now, copy `rootCA.pem` to your lighttpd web root (important: do *NOT* share `rootCA-key.pem`):
|
Now, copy `rootCA.pem` to your lighttpd web root (**important:** do *NOT* share `rootCA-key.pem`):
|
||||||
```
|
```
|
||||||
sudo cp /home/pi/.local/share/mkcert/rootCA.pem /var/www/html
|
sudo cp /home/pi/.local/share/mkcert/rootCA.pem /var/www/html
|
||||||
```
|
```
|
||||||
|
Open a browser and enter the address: https://raspap.local/rootCA.pem. Accept the unsafe warning in the browser and download the root certificate to your client. Add the root certificate to your system keychain.
|
||||||
|
|
||||||
|
![](https://i.imgur.com/RCJJPYL.png)
|
||||||
|
|
||||||
|
Be sure to set this certificate to "Always trust" to avoid browser warnings.
|
||||||
|
|
||||||
|
Enjoy an encrypted SSL connection to RaspAP 😎
|
||||||
|
|
||||||
|
### Mobile devices
|
||||||
|
For the certificates to be trusted on mobile devices, you will have to install the root CA. You can use the method above to distribute the root CA via the web server. Alternatively, on iOS, you can either use AirDrop or email the CA to yourself. After installing it, you must enable full trust.
|
||||||
|
|
||||||
|
For Android, you will have to install the CA and then enable user roots. See [this StackOverflow answer](https://stackoverflow.com/a/22040887/749014).
|
||||||
|
|
||||||
|
More advanced topics are [covered at mkcert](https://github.com/FiloSottile/mkcert#advanced-topics).
|
||||||
|
|
Loading…
Reference in New Issue
Block a user