
SSL Support

Posted: Wed Apr 11, 2018 9:37 pm
by VA2ZAC
It would be nice to have SSL support for the GUI that could either support Letsencrypt, self signed certificate, or an uploaded crt/key file. This would be great if it could be configured through the GUI!

For Letsencrypt, there are tools available for PHP:

https://letsencrypt.org/docs/client-options/

Re: SSL Support

Posted: Wed Apr 11, 2018 10:04 pm
by W5CAA
I second this!!

excellent idea!

Re: SSL Support

Posted: Thu Apr 12, 2018 7:12 am
by MW0MWZ
I totally agree - one of the reasons I have not done any work on this in the 3.x release is due to the huge load the dashboard currently creates, adding SSL to that is not going to lead anywhere nice; however, the new dashboard in 4.x uses so little load that SSL will be back on the table.

We may (or may not) make this a dashboard config option initially (or I may install a self signed cert on first boot etc) not sure exactly how I will play that yet, but SSL support really will be a reality in the 4.x chain.

Re: SSL Support

Posted: Mon Apr 16, 2018 4:08 pm
by BH8SXD
Looking forward to the new feeling brought by the 4.x version

Re: SSL Support

Posted: Sat Jan 26, 2019 7:49 am
by W4JEW
Bubbling this up to the top of the list. It made it WAY too far down the list and I’m shocked there haven’t been more votes for this!

I’m a security engineer by trade and I’m constantly evangelizing the need for encryption everywhere! It’s ironic that Pi-Star supports SSH for encrypted command-line access but no encryption for the browser. The browser is used far more relative to command-line access. Why should it be any different?

Encryption everywhere...please!!!

I’d be more than happy to help implement it. Just say the word!

While it is possible to install OpenSSL, install self-signed certificates and reconfigure the web server to support HTTPS, IMHO Pi-Star should support it out of the box.

Even LetsEncrypt makes the process of installing real certificates relatively simple to implement at this point. No need for self-signed certificates and browser warning messages.

There should be more focus on security for systems - ESPECIALLY when they’re primarily being used on Wi-Fi networks.

I cringe at the fact that people even contemplate port forwarding the web interface out to the Internet without HTTPS!!! I urge people to not do this! It’s just bad practice.

/me off soapbox

Thank you!

Re: SSL Support

Posted: Sat Jan 26, 2019 2:22 pm
by K2IE
+1 on including Let's Encrypt in the build. Let's Encrypt is a free and simple way to manage SSL certificates.

Re: SSL Support

Posted: Sat Jan 26, 2019 3:14 pm
by KE0FHS
+1 Pi-Star is just about the only thing I run unencrypted, and that makes me a bit nervous.

Re: SSL Support

Posted: Fri Jun 05, 2020 5:45 pm
by gb7nr
Did this ever get sorted?? SSL with the ever increasing pi-star dashboards on the Internet including repeaters, this would be a very good idea!

Re: SSL Support

Posted: Sat Jun 06, 2020 4:41 am
by W4JEW
Nope. If you want to set up SSL support, you have to do it yourself.

You can pretty much use any documentation on enabling SSL on Nginx as Nginx is the web server running on Pi-Star. You may want to just use OpenSSL to generate a self-signed certificate if you go through the process. LetsEncrypt is a free SSL certificate authority but in order to use their automated provisioning, you have to have the web server open to the Internet and you need to have your own domain names as well as the ability to add DNS records.

It would be really nice if Pi-Star defaulted to using SSL with a self signed certificate and also did an HTTP 302 redirect from HTTP to HTTPS so anyone that forgets to type HTTPS in their browser would still get to the web server.

This is a great article on how to set up SSL with Nginx on Debian 10. Pi-Star is based on Raspbian which is effectively Debian. Just know that it’s entirely possible that a future update to Pi-Star may break your SSL configuration so BUYER BEWARE!

https://www.digitalocean.com/community/ ... -debian-10

Re: SSL Support

Posted: Sat Jun 06, 2020 4:46 am
by W4JEW
FYI - that article I shared in my last post talks about making changes to the firewall to open 443/tcp for HTTPS. The firewall on Debian is ufw. Pi-Star uses iptables - not ufw.

There’s an article on the Pi-Star wiki that covers how to add custom firewall rules:

http://wiki.pistar.uk/Adding_custom_fir ... to_Pi-Star

Make sure that, instead of adding a rule for a UDP service as is covered in that article, you add a rule for TCP port 443. Or, if you’re crazy like me and like to run non-standard ports (aka security through obscurity), adjust the rule for the port of your choosing.

Always wear your safety goggles! Back up early, back up often!

...and if any of this sounds challenging to you...don’t even try it! You will break things horribly and without a backup, you’ll be reimaging your hotspot.
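
The setup described in the two posts above (self-signed certificate, HTTP 302 redirect to HTTPS, TCP 443 opened in iptables), written out as an Nginx configuration. This is an added example, not part of the thread and not Pi-Star's own configuration; the certificate paths, the hostname `pi-star.local` and the one-year lifetime are assumptions.

```nginx
# Added example; every path and name below is an assumption, not Pi-Star's layout.
#
# 1. Self-signed certificate, generated once with OpenSSL
#    (-addext needs OpenSSL 1.1.1 or newer):
#      openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
#        -subj "/CN=pi-star.local" \
#        -addext "subjectAltName=DNS:pi-star.local" \
#        -keyout /etc/ssl/private/dashboard-selfsigned.key \
#        -out    /etc/ssl/certs/dashboard-selfsigned.crt
#      chmod 600 /etc/ssl/private/dashboard-selfsigned.key
#
# 2. Firewall: a TCP rule instead of the UDP rule shown in the wiki article,
#    for example:
#      iptables -A INPUT -p tcp --dport 443 -j ACCEPT
#
# 3. Check the syntax with `nginx -t` before reloading the web server.

# Plain HTTP: answer nothing here except the redirect the post asks for.
server {
    listen 80 default_server;
    server_name _;

    # Temporary (302) redirect, so a browser does not cache it if HTTPS is
    # later removed. With a non-standard HTTPS port, append it after $host.
    return 302 https://$host$request_uri;
}

# HTTPS: the dashboard itself.
server {
    listen 443 ssl default_server;
    server_name _;

    ssl_certificate     /etc/ssl/certs/dashboard-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/dashboard-selfsigned.key;

    # Refuse SSLv3 / TLS 1.0 / TLS 1.1. Add TLSv1.3 only if the installed
    # Nginx and OpenSSL builds support it, otherwise Nginx will not start.
    ssl_protocols TLSv1.2;
    ssl_session_cache   shared:SSL:1m;
    ssl_session_timeout 10m;

    # Carry over the root, index and PHP location directives from the
    # existing port-80 server block unchanged; they are omitted here because
    # the thread does not show them.
}
```

Browsers will still warn about the self-signed certificate until it is trusted on each client, and the traffic is encrypted either way.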