frodovdr/raspap-webgui
1
0
Fork 0
mirror of https://github.com/billz/raspap-webgui.git synced 2023-10-10 13:37:24 +02:00
Code Issues Releases Wiki Activity

Updated HTTPS support (markdown)

Bill Zimmerman 2019-07-29 14:52:21 -07:00
parent 0afdebe2ff
commit 6fefefd8d4
1 changed files with 9 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
HTTPS--support.md

@ -2,16 +2,16 @@
HTTPS prevents network attackers from observing or injecting page contents. Clearly, this is a _good thing_ for RaspAP — given its function for creating and managing wireless networks. But HTTPS needs TLS certificates, and while deploying public websites is largely a solved issue thanks to the ACME protocol and Let's Encrypt, local web servers still mostly use HTTP because no one can get a universally valid certificate for localhost.
### Locally trusted certificates
Managing your own CA is the best solution, but this usually involves arcane commands and manual steps. An excellent solution for local websites is [mkcert](https://github.com/FiloSottile/mkcert). This is a zero-config tool for making locally-trusted certificates with any names you like. mkcert automatically creates and installs a local CA in the system root store, and generates locally-trusted certificates. It also works perfectly well with RaspAP. This allows you to generate a trusted certificate for a hostname (eg., raspap.local) or IP address, including localhost, because it only works for you.
Managing your own CA is the best solution, but this usually involves arcane commands and manual steps. An excellent solution for local websites is [mkcert](https://github.com/FiloSottile/mkcert). This is a zero-config tool for making locally-trusted certificates with any names you like. mkcert automatically creates and installs a local CA in the system root store, and generates locally-trusted certificates. It also works perfectly well with RaspAP. This allows you to generate a trusted certificate for a hostname (eg., raspap.local) or IP address because it only works for you.
![mkcert](https://blog.filippo.io/content/images/2019/01/sticker-transparent.png)
![raspap.local](https://i.imgur.com/kQoeh0S.png)
Here's the twist: it doesn't generate self-signed certificates, but certificates signed by your own private CA, which your machine is automatically configured to trust when you run `mkcert -install`. So when your browser loads a certificate generated by your instance of mkcert, it will show up with a green lock. mkcert does not automatically configure servers to use the certificates, though, that's up to you (see the steps below).
**mkcert** also works on mobile clients with a couple of manual steps. Read more about mkcert [here](https://blog.filippo.io/mkcert-valid-https-certificates-for-localhost/) and [follow the project on GitHub](https://github.com/FiloSottile/mkcert).
### How-To
Follow the steps below to generate and install a locally-trusted certificate for RaspAP. The local domain `raspap.local` is used in the examples below. You may substitute this with localhost or your own hostname.
Follow the steps below to generate and install a locally-trusted certificate for RaspAP. The local domain `raspap.local` is used in the examples below. You may substitute this with the default `raspberrypi.local` or your own hostname.
Start by installing the pre-built binary for linux-arm on your Raspberry Pi:
```
@ -46,20 +46,20 @@ Next, combine the private key and certificate:
cd /home/pi
cat raspap.local+2-key.pem raspap.local+2.pem > raspap.local.pem
```
Create a directory for the combined .pem file in lighttpd:
Create a directory for the combined `.pem` file in lighttpd:
```
sudo mkdir /etc/lighttpd/ssl
```
Set permissions and move the .pem file:
Set permissions and move the `.pem` file:
```
chmod 400 /home/pi/raspap.local.pem
sudo mv home/pi/raspap.local.pem /etc/lighttpd/ssl
```
Configure lighttpd for SSL:
Edit the lighttpd configuration:
```
sudo nano /etc/lighttpd/lighttpd.conf
```
...by adding the following block:
... and add the following block to enable SSL with your new certificate:
```
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
@ -73,7 +73,7 @@ Restart the lighttpd service:
```
sudo systemctl restart lighttpd
```
...and verify that lighttpd has restarted without errors:
... and verify that lighttpd has restarted without errors:
```
sudo systemctl status lighttpd
```
@ -108,7 +108,7 @@ Be sure to set this certificate to "Always trust" to avoid browser warnings.
Enjoy an encrypted SSL connection to RaspAP 😎
### Mobile devices
For the certificates to be trusted on mobile devices, you will have to install the root CA. You can use the method above to distribute the root CA via the web server. Alternatively, on iOS, you can either use AirDrop or email the CA to yourself. After installing it, you must enable full trust.
For the certificates to be trusted on mobile devices and remote clients, you will have to install the root CA using the method described above. Alternatively, on iOS, you can either use AirDrop or email the CA to yourself. After installing it, be sure to enable full trust.
For Android, you will have to install the CA and then enable user roots. See [this StackOverflow answer](https://stackoverflow.com/a/22040887/749014).