Add LetsEncrypt to Nginx #686
Comments
Hey! See previous discussion on this topic: #190.
Yeah, I understand that using SSL on the local network doesn't make sense. I'm talking about letting the user configure a custom domain name routed to the node via HTTPS and using LetsEncrypt to sign the CRT. I'm guessing you could also use this to make the Tor endpoint run over HTTPS as well, although I know little about Tor.
There is no need to use HTTPS over Tor, as Tor already protects the connections. What I would suggest is to close your clearnet ports and use only Tor to access your Umbrel.
Yeah, I have already done that. Still think it would be nice to assign a custom domain to the node. Happy to contribute elsewhere though, anything docker, infra, automation related. Those are my specialties.
What did you use to close your ports (if you're running on a VPS)? And thanks!
I already have a reverse proxy on my home server lab and I point a subdomain to the mempool instance running on Umbrel. I make it a point not to allow access from outside to any services that have access to money. For that, I VPN to my home server lab, and access from there.
aka. perhaps a VPN server would be better... might need to package some DDNS or something
Umbrel supports and runs Tailscale. It is easy to point a domain at the Tailscale IP for the Umbrel. The issue comes when you try to run "certbot --nginx -v" or "certbot certonly --standalone -v" with Umbrel stopped. Can anyone help with adding the right nginx.conf lines or whatever seems to be hanging this up? I keep getting an IPv6/AAAA record error, but I have correct IPv6 DNS and I don't even use IPv6.
This is absolutely false. The lack of HTTPS support is going to prevent adoption in the long run.
HTTP is being deprecated in every browser and HTTPS is increasingly a requirement in many web apps. The lack of SSL support also makes it impossible to run Nextcloud correctly, as it disables a bunch of features such as WebAuthn two-factor and end-to-end encryption. These features in Nextcloud, and probably other features in Nextcloud and perhaps other Umbrel apps, won't run if running over HTTP. The only alternative I can think of is using a Tor local proxy, and configuring native clients (like Nextcloud) to run over the proxy. However, they will still detect that the connection is not HTTPS and will refuse to enable certain functions. Refusing to work over HTTP is bad behavior of these apps, because they assume their users are not smart enough to be running over a VPN or Tor. But this assumption is actually the correct assumption from a security point of view. Users are rarely technical enough to configure a VPN or a Tor proxy. In summary, I would argue that even though HTTPS on a .local domain doesn't make sense, it should still be offered at least as an optional app, so that other apps that demand HTTPS can be mollified.
Why not implement Traefik in Umbrel? See: #546 (comment)
To support HTTPS the Nginx container should use LetsEncrypt to provision SSL CRT and keep them updated. I'm happy to look into implementing this unless there is a flaw in the idea or someone else has a better plan. Let me know of any concerns or issues regarding using LetsEncrypt for SSL.
Thanks, great work so far!
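As an added illustration of the proposal above (example code, not Umbrel's or certbot's own), here is the shape such a setup takes: an nginx server block that answers the Let's Encrypt HTTP-01 challenge on port 80 and serves the app over TLS on 443, plus the certbot invocation that issues the certificate and reloads nginx on each renewal. The webroot path `/var/www/acme`, the backend `http://127.0.0.1:3000` and the domain are assumed placeholders.

```shell
#!/bin/sh
# Added example, not Umbrel's code. Assumes certbot is installed on the host,
# ports 80/443 reach this nginx, and /var/www/acme is the ACME webroot.

# Print an nginx server block for DOMAIN. Port 80 serves only the ACME
# challenge files and redirects everything else to HTTPS; port 443 uses
# the certificate certbot writes under /etc/letsencrypt/live/DOMAIN/.
gen_nginx_conf() {
  domain="$1"
  upstream="${2:-http://127.0.0.1:3000}"   # constructed default backend
  cat <<EOF
server {
    listen 80;
    server_name ${domain};
    location /.well-known/acme-challenge/ { root /var/www/acme; }
    location / { return 301 https://\$host\$request_uri; }
}
server {
    listen 443 ssl http2;
    server_name ${domain};
    ssl_certificate     /etc/letsencrypt/live/${domain}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/${domain}/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=63072000" always;
    location / {
        proxy_pass ${upstream};
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
EOF
}

# First issuance via the webroot challenge. certbot installs a renewal
# timer/cron itself; the deploy hook reloads nginx whenever a new
# certificate is written, so the node keeps serving a valid chain.
issue_cert() {
  domain="$1"; email="$2"
  certbot certonly --webroot -w /var/www/acme -d "$domain" \
    -m "$email" --agree-tos --non-interactive \
    --deploy-hook "nginx -s reload"
}

# usage: gen_nginx_conf node.example.com > /etc/nginx/conf.d/node.conf
#        issue_cert node.example.com admin@example.com
```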