Thread Let's encrypt/SSL and nginx/ewb web server..
Wed, Sep 13 2017 8:46 PM

Huseyin Aliz

myBiss ApS


Hi All,

Has anyone tried to implement ssl/nginx/let's encrypt and ewb server, or
is it currently only stunnel that can be used for the ssl?

What's the suggested path for implementing ssl on the current 2.04 ewb server?

Thanks in advance,

Hüseyin
Thu, Sep 14 2017 2:54 AM

Uli Becker

Please read Tim's post "September Update on EWB 2.07".
Maybe you'll want to wait for that.

Uli
Thu, Sep 14 2017 4:37 AM

Matthew Jones

Hüseyin Aliz wrote:

> Has anyone tried to implement ssl/nginx/let's encrypt and ewb server, or is it currently only stunnel that can be used for the ssl?

As Uli says, the instant solution is on the way, and will be far easier than anything else. But if you want to go mad, you can do it. I am using a reverse proxy made from the ICS internet components, and a modified Let's Encrypt tool from the internet (see https://github.com/mj2015/acme.net for my variant), and a Delphi thread that operates the tool to get certificates automatically. The reverse proxy is basically open source, but it is quite complicated, and I asked Angus who developed it for a project I needed it for when it was going to be available and he said it is available, but not openly as the support will be big, and he can't offer it. I have to agree, it is not at all easy. I mean, it's sort of dead simple, but with about a hundred moving parts.

If you are interested, I'd be happy to answer questions around this, but really it will take you until 2.07 is out to get it sorted. I'd offer to set up a system for a chunky fee, but I don't think you would get something particularly sensible for long term use. The system is live on a few servers out there on the internet, but configuring takes a deep understanding.


--

Matthew Jones
Thu, Sep 14 2017 4:38 AM

Huseyin Aliz

myBiss ApS


Hi Uli,

Thanks, yes I did read about it, but this (ssl) needs to be done asap
and from what I can see v2.07 is weeks ahead. Excellent feature that's built
in when it's ready :)

Regards,

Hüseyin



On 14-09-2017 at 09:00 Uli Becker wrote:
> Please read Tim's post "September Update on EWB 2.07".
> Maybe you'll want to wait for that.
>
> Uli
Thu, Sep 14 2017 5:03 AM

Huseyin Aliz

myBiss ApS


Hi Matthew,

Thanks for your input. After reading your post, I think I've asked the
wrong question. What I want is to run https instead of http on the
clients; certificate handling etc. should be done manually (by me). What
you have offered is an automated solution to request/run certificates etc.
and maybe more.. Am I wrong?

Regards,

Hüseyin


On 14-09-2017 at 10:37 Matthew Jones wrote:
> Hüseyin Aliz wrote:
>
>> Has anyone tried to implement ssl/nginx/let's encrypt and ewb server, or is it currently only stunnel that can be used for the ssl?
> As Uli says, the instant solution is on the way, and will be far easier than anything else. But if you want to go mad, you can do it. I am using a reverse proxy made from the ICS internet components, and a modified Let's Encrypt tool from the internet (see https://github.com/mj2015/acme.net for my variant), and a Delphi thread that operates the tool to get certificates automatically. The reverse proxy is basically open source, but it is quite complicated, and I asked Angus who developed it for a project I needed it for when it was going to be available and he said it is available, but not openly as the support will be big, and he can't offer it. I have to agree, it is not at all easy. I mean, it's sort of dead simple, but with about a hundred moving parts.
>
> If you are interested, I'd be happy to answer questions around this, but really it will take you until 2.07 is out to get it sorted. I'd offer to set up a system for a chunky fee, but I don't think you would get something particularly sensible for long term use. The system is live on a few servers out there on the internet, but configuring takes a deep understanding.
>
>
Thu, Sep 14 2017 5:33 AM

Matthew Jones

Hüseyin Aliz wrote:

> What I want is to run https instead of http on the clients, certificate handling etc should be done manually (by me).

Well, you mentioned Let's Encrypt, and you need to automate that. It doesn't make sense to manually do it, and it is a better solution to automate.

But perhaps worth going through some terms.

First, you have your client, the browser. It connects over the internet (or LAN) to your server. The EWB today only accepts http (insecure), but in a month will support https (TLS, formerly SSL).

When the server supports https, then the client changes nothing, as it is independent of the channel you are using. All this is easy.

So, assuming you must have TLS support today, you have to run a "reverse proxy" which accepts the TLS connection, and forwards it, perhaps with modifications, to the internal port for the server (which should probably not be publicly accessible, or it defeats the security).
As you suggested, nginx is a popular reverse proxy, but it has some specific config and learning to do. But that is all out there, and easily available.

Any TLS server will need a certificate, and you can buy these, or self-sign them (much less friendly), or you can get them free from Let's Encrypt, which is designed to be automated as they only last three months. But once you have them working, they just keep on working. My process has them renew after two months. I get emails when it works or doesn't, and if it doesn't it retries some hours later. The longest it failed was about 8 hours, and then it worked. Been a year probably since I've had servers working this way. My system was to modify someone else's solution to change the way it did the authentication and put the required data in a specific directory (which my http server is publishing), and then go ahead, so no IIS or manual step. Also note that the easy way is putting a file in an http server directory, but that might conflict with your https server, so it is a small complication (I use a little http server written in Delphi that redirects any request to https, except those in the .well-known directory). But there are other solutions, so up to anyone to choose the option that suits.

Note that you typically need to restart the service to apply the new certificate.

Stunnel is another way to do this reverse proxy of course. I've not played with it - it didn't fit my needs (which are aimed at custom load balancing). The certificate is still needed in some way.

--

Matthew Jones
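The layout Matthew describes above (TLS terminated at a reverse proxy, the plain-http EWB port kept off the public interface, port 80 only serving the ACME challenge directory and redirecting everything else) as an nginx configuration. This is an added example, not configuration from the thread or from Elevate; the hostname example.com, the EWB port 127.0.0.1:8080, the challenge directory /var/www/acme and the certbot-style certificate paths are placeholders.

```nginx
# Added example: nginx as a TLS-terminating reverse proxy in front of an
# EWB server. Placeholders: example.com, 127.0.0.1:8080, /var/www/acme and
# the /etc/letsencrypt/live/... paths (certbot's default layout).

# Port 80: answer Let's Encrypt HTTP-01 challenges, redirect all else to https.
server {
    listen 80;
    server_name example.com;

    # The ACME client writes challenge files under .well-known; this
    # location must stay reachable over plain http or renewal fails.
    location /.well-known/acme-challenge/ {
        root /var/www/acme;
    }

    # Everything else goes to the https listener.
    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: terminate TLS here and forward to the internal EWB port.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # EWB itself only speaks http. Bind it to 127.0.0.1 (or firewall
        # the port) so the unencrypted listener is never publicly reachable,
        # otherwise the proxy adds nothing.
        proxy_pass         http://127.0.0.1:8080;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
    }
}
```

After a renewal the new certificate is only picked up when nginx re-reads its configuration, which is the restart step Matthew mentions; `nginx -s reload` does this without dropping open connections.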
Thu, Sep 14 2017 6:04 AM

Huseyin Aliz

myBiss ApS


Matthew,

Thanks for the explanation, very nice info indeed. I will try and see
how far I can get :)

I found the following site, I hope it's useful for others as well..

https://www.sslforfree.com/

Regards,

Hüseyin



On 14-09-2017 at 11:33 Matthew Jones wrote:
> Hüseyin Aliz wrote:
>
>> What I want is to run https instead of http on the clients, certificate handling etc should be done manually (by me).
> Well, you mentioned Let's Encrypt, and you need to automate that. It doesn't make sense to manually do it, and it is a better solution to automate.
>
> But perhaps worth going through some terms.
>
> First, you have your client, the browser. It connects over the internet (or LAN) to your server. The EWB today only accepts http (insecure), but in a month will support https (TLS, formerly SSL).
>
> When the server supports https, then the client changes nothing, as it is independent of the channel you are using. All this is easy.
>
> So, assuming you must have TLS support today, you have to run a "reverse proxy" which accepts the TLS connection, and forwards it, perhaps with modifications, to the internal port for the server (which should probably not be publicly accessible, or it defeats the security).
> As you suggested, nginx is a popular reverse proxy, but it has some specific config and learning to do. But that is all out there, and easily available.
>
> Any TLS server will need a certificate, and you can buy these, or self-sign them (much less friendly), or you can get them free from Let's Encrypt, which is designed to be automated as they only last three months. But once you have them working, they just keep on working. My process has them renew after two months. I get emails when it works or doesn't, and if it doesn't it retries some hours later. The longest it failed was about 8 hours, and then it worked. Been a year probably since I've had servers working this way. My system was to modify someone else's solution to change the way it did the authentication and put the required data in a specific directory (which my http server is publishing), and then go ahead, so no IIS or manual step. Also note that the easy way is putting a file in an http server directory, but that might conflict with your https server, so it is a small complication (I use a little http server written in Delphi that redirects any request to https, except those in the .well-known directory). But there are other solutions, so up to anyone to choose the option that suits.
>
> Note that you typically need to restart the service to apply the new certificate.
>
> Stunnel is another way to do this reverse proxy of course. I've not played with it - it didn't fit my needs (which are aimed at custom load balancing). The certificate is still needed in some way.
>

Thu, Sep 14 2017 6:28 AM

Matthew Jones

Hüseyin Aliz wrote:

> I found the following site, I hope it's useful for others as well..
>
> https://www.sslforfree.com/

Let us know how you get on. I am not sure how they can manage it, given "We generate certificates using their ACME server by using domain validation" and I don't know how they can be your domain just from a web browser, but maybe there is a way that I don't understand. Such certificates would be okay for experiments, but not for long term use. You want them generated on your server for real use.

--

Matthew Jones