SSL Support

VA2ZAC
Posts: 15
Joined: Wed Apr 11, 2018 8:49 pm

SSL Support

Post by VA2ZAC »

It would be nice to have SSL support for the GUI that could support either Let's Encrypt, a self-signed certificate, or an uploaded crt/key file. This would be great if it could be configured through the GUI!

For Let's Encrypt, there are tools available for PHP:

https://letsencrypt.org/docs/client-options/
W5CAA
Posts: 9
Joined: Wed Apr 11, 2018 8:37 pm
Location: San Antonio, TX

Re: SSL Support

Post by W5CAA »

I second this!!

Excellent idea!
w5caa.com
San Antonio's newest radio club: sadigitalradio.com
DMR ID: 1148825
MW0MWZ
Site Admin
Posts: 1350
Joined: Wed Apr 04, 2018 9:15 pm
Location: Wales, UK

Re: SSL Support

Post by MW0MWZ »

I totally agree - one of the reasons I have not done any work on this in the 3.x release is due to the huge load the dashboard currently creates; adding SSL to that is not going to lead anywhere nice. However, the new dashboard in 4.x uses so little load that SSL will be back on the table.

We may (or may not) make this a dashboard config option initially (or I may install a self-signed cert on first boot, etc.); not sure exactly how I will play that yet, but SSL support really will be a reality in the 4.x chain.
Andy

73 de MW0MWZ
http://pistar.uk
BH8SXD
Posts: 6
Joined: Thu Apr 12, 2018 6:46 am
Location: OL14jv

Re: SSL Support

Post by BH8SXD »

Looking forward to the new feeling brought by the 4.x version.
Happy every day!!!
W4JEW
Posts: 58
Joined: Sun Aug 12, 2018 12:53 am
Location: Atlanta, GA, United States

Re: SSL Support

Post by W4JEW »

Bubbling this up to the top of the list. It made it WAY too far down the list and I’m shocked there haven’t been more votes for this!

I’m a security engineer by trade and I’m constantly evangelizing the need for encryption everywhere! It’s ironic that Pi-Star supports SSH for encrypted command-line access but no encryption for the browser. The browser is used far more relative to command-line access. Why should it be any different?

Encryption everywhere...please!!!

I’d be more than happy to help implement it. Just say the word!

While possible to install OpenSSL, install self-signed certificates and reconfigure the web server to support HTTPS, IMHO Pi-Star should support it out of the box.

Even Let's Encrypt makes the process of installing real certificates relatively simple to implement at this point. No need for self-signed certificates and browser warning messages.

There should be more focus on security for systems - ESPECIALLY when they’re primarily being used on Wi-Fi networks.

I cringe at the fact that people even contemplate port forwarding the web interface out to the Internet without HTTPS!!! I urge people to not do this! It’s just bad practice.

/me off soapbox

Thank you!
Check out GeorgiaDMR.net - https://www.georgiadmr.net
And on Groups.io - https://groups.io/g/GeorgiaDMR

Jeff Hochberg
W4JEW
Atlanta, GA
K2IE
Posts: 120
Joined: Mon Aug 20, 2018 5:24 pm

Re: SSL Support

Post by K2IE »

+1 on including Let's Encrypt in the build. Let's Encrypt is a free and simple way to manage SSL certificates.
KE0FHS
Posts: 1122
Joined: Wed Apr 11, 2018 8:40 pm
Location: Colorado, USA

Re: SSL Support

Post by KE0FHS »

+1 Pi-Star is just about the only thing I run unencrypted, and that makes me a bit nervous.
73, Toshen, KE0FHS
Playing with Pi-Star (unofficial notes about setting up and using Pi-Star):
https://amateurradionotes.com/pi-star.htm
gb7nr
Posts: 1
Joined: Tue Jun 02, 2020 10:48 pm

Re: SSL Support

Post by gb7nr »

Did this ever get sorted?? SSL with the ever-increasing Pi-Star dashboards on the Internet, including repeaters, this would be a very good idea!
W4JEW
Posts: 58
Joined: Sun Aug 12, 2018 12:53 am
Location: Atlanta, GA, United States

Re: SSL Support

Post by W4JEW »

Nope. If you want to set up SSL support, you have to do it yourself.

You can pretty much use any documentation on enabling SSL on Nginx, as Nginx is the web server running on Pi-Star. You may want to just use OpenSSL to generate a self-signed certificate if you go through the process. Let's Encrypt is a free SSL certificate authority, but in order to use their automated provisioning, you have to have the web server open to the Internet and you need to have your own domain names as well as the ability to add DNS records.

It would be really nice if Pi-Star defaulted to using SSL with a self-signed certificate and also did an HTTP 302 redirect from HTTP to HTTPS so anyone that forgets to type HTTPS in their browser would still get to the web server.

This is a great article on how to set up SSL with Nginx on Debian 10. Pi-Star is based on Raspbian which is effectively Debian. Just know that it’s entirely possible that a future update to Pi-Star may break your SSL configuration so BUYER BEWARE!

https://www.digitalocean.com/community/ ... -debian-10
Check out GeorgiaDMR.net - https://www.georgiadmr.net
And on Groups.io - https://groups.io/g/GeorgiaDMR

Jeff Hochberg
W4JEW
Atlanta, GA
W4JEW
Posts: 58
Joined: Sun Aug 12, 2018 12:53 am
Location: Atlanta, GA, United States

Re: SSL Support

Post by W4JEW »

FYI - that article I shared in my last post talks about making changes to the firewall to open 443/tcp for HTTPS. The firewall on Debian is ufw. Pi-Star uses iptables - not ufw.

There’s an article on the Pi-Star wiki that covers how to add custom firewall rules:

http://wiki.pistar.uk/Adding_custom_fir ... to_Pi-Star

Make sure that, instead of adding a rule for a UDP service as is covered in that article, you add a rule for TCP port 443. Or, if you’re crazy like me and like to run non-standard ports (aka security through obscurity), adjust the rule for the port of your choosing.

Always wear your safety goggles! Back up early, back up often!

...and if any of this sounds challenging to you...don’t even try it! You will break things horribly and without a backup, you’ll be reimaging your hotspot.
Check out GeorgiaDMR.net - https://www.georgiadmr.net
And on Groups.io - https://groups.io/g/GeorgiaDMR

Jeff Hochberg
W4JEW
Atlanta, GA
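
The steps described in the two posts above (an OpenSSL self-signed certificate, an Nginx HTTPS listener with a 302 redirect from HTTP, and an iptables rule for TCP 443 or another port), gathered into one script as an added example that is not from the thread or from Pi-Star itself. `DASH_HOST`, `CERT_DIR`, the `dashboard.*` file names and the script name `tls-setup.sh` are assumed placeholders.

```shell
#!/bin/sh
# Added example, not Pi-Star code. DASH_HOST, CERT_DIR and the dashboard.* file
# names are assumed placeholders; adjust them to your hotspot.
DASH_HOST="${DASH_HOST:-pi-star.local}"
CERT_DIR="${CERT_DIR:-/etc/ssl/dashboard}"
HTTPS_PORT="${HTTPS_PORT:-443}"   # change for a non-standard port

# Key plus self-signed certificate. Browsers match the name against
# subjectAltName, so set it explicitly (-addext needs OpenSSL 1.1.1 or newer).
make_cert() {
    dir="$1"; host="$2"
    mkdir -p "$dir" || return 1
    ( umask 077   # keep the private key readable by its owner only
      openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
          -keyout "$dir/dashboard.key" -out "$dir/dashboard.crt" \
          -subj "/CN=$host" -addext "subjectAltName=DNS:$host" )
}

# Nginx directives: a port-80 block that only redirects, and the TLS lines to
# merge into the existing dashboard server block (keep its root/PHP settings).
render_nginx_conf() {
    suffix=""; [ "$HTTPS_PORT" = "443" ] || suffix=":$HTTPS_PORT"
    cat <<EOF
server {
    listen 80;
    server_name $DASH_HOST;
    return 302 https://\$host$suffix\$request_uri;
}
server {
    listen $HTTPS_PORT ssl;
    server_name $DASH_HOST;
    ssl_certificate     $CERT_DIR/dashboard.crt;
    ssl_certificate_key $CERT_DIR/dashboard.key;
    ssl_protocols       TLSv1.2;   # add TLSv1.3 if your Nginx build supports it
    # ...existing dashboard directives stay here...
}
EOF
}

# Inbound rule to add through Pi-Star's custom firewall rules mechanism.
firewall_rule() {
    echo "iptables -A INPUT -p tcp --dport $HTTPS_PORT -j ACCEPT"
}

# Nothing changes on disk unless the script is run as: sh tls-setup.sh apply
if [ "${1:-}" = "apply" ]; then
    make_cert "$CERT_DIR" "$DASH_HOST" && render_nginx_conf && firewall_rule
fi
```

The Nginx text and the firewall rule are printed rather than written, so they can be reviewed, merged by hand and checked with `nginx -t` before reloading the web server.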