@nucleogenic This is neat, thanks for putting together this POC! I haven't tested it yet, but you're saying that connections to http are still going to be accepted, right? One thing to test, once I get around to it, is what Nginx will use by default when you don't specify the protocol. The use case would be for vintage browsers: if you hit the IP address without the protocol, will you get the certificate error, or will it load the page over http?
In the revised Nginx config, the It is the browser's discretion on how to treat bare hosts/IPs entered into the address bar, but we are not using any HTTP header or redirect techniques to coerce the browser to connect via HTTPS. As far as my own (limited) testing goes, I am always served the HTTP version when accessing the RaSCSI via its IP address in the address bar. Tested (no redirects, page loaded via HTTP):
Thanks for explaining. I should have realized this by looking at the port number there.
Enables HTTPS for Nginx and generates a self-signed certificate via easyinstall.sh.
The configuration is intended for browsers which support modern encryption. See https://caniuse.com/tls1-3 for specifics.
Users accessing the web UI from legacy devices/browsers can continue to use the HTTP service.
To my knowledge, a self-signed certificate is the simplest option for local network usage. There are a couple of approaches to getting a CA issued certificate, but setup is non-trivial for the average user. In any case, advanced users can install their own certificate in /etc/ssl/certs and the upgrade process will not overwrite them.
The configuration parameters are based on Mozilla's SSL Configuration Generator tool.
This PR addresses issue #489.
Raising as draft to allow for early feedback and additional testing.
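The layout discussed in this thread (HTTP and HTTPS served side by side, TLS 1.3 only, nothing steering HTTP clients to HTTPS) can be sketched as the Nginx server block below. This is an added example, not the configuration from this PR: the certificate and key file names, the private key directory and the backend address are placeholders.

```nginx
# Added sketch, not the PR's actual file. File names and the backend
# address below are placeholders chosen for illustration.
server {
    # Plain HTTP stays available for legacy devices and browsers.
    listen 80;
    listen [::]:80;

    # HTTPS on the same virtual host for browsers that support TLS 1.3.
    listen 443 ssl;
    listen [::]:443 ssl;

    # Self-signed certificate; a user-installed certificate would be
    # referenced here instead.
    ssl_certificate     /etc/ssl/certs/EXAMPLE-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/EXAMPLE-selfsigned.key;

    # Settings in the style of the Mozilla generator's "modern" profile:
    # TLS 1.3 only, client picks the cipher, no session tickets.
    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # Deliberately absent:
    #   return 301 https://$host$request_uri;
    #   add_header Strict-Transport-Security ...;
    # Either one would push clients from port 80 to HTTPS, where a
    # browser without TLS 1.3 support cannot complete the handshake.

    location / {
        proxy_pass http://127.0.0.1:8080;  # placeholder backend
    }
}
```

Running `nginx -t` after editing validates the syntax and confirms the certificate and key files can be loaded before the service is reloaded.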