1. Introduction
HTTPS means that your connection to Pwic.wiki is encrypted, whatever your role. The visible proof is the padlock in the address bar. The difficulty is that the certificate must be issued by a party the browser trusts; otherwise the user gets a warning saying that the identity of the website cannot be verified.
It is very important to prevent your passwords from being stolen. On a local network, passwords are very easy to intercept if you don't use a secured connection. On the Internet the situation differs a bit, but the risk is exactly the same. Even if the most critical tasks in Pwic.wiki can be done from the shell only (which is encrypted by default), that is no reason not to secure your connections.
There are several possibilities to obtain a certificate (see section 2).
Pwic.wiki's configuration also matters: is it running behind a reverse proxy server or not?
2. Generation of the certificates
2.1. Free self-signed certificates
This kind of certificate is definitely the cheapest way to do quick and dirty work for debugging purposes. Such certificates can never be trusted for public use, because anyone can sign a certificate for any website of their choice.
The following script works on Linux with OpenSSL installed. It was designed by Mr.Buttons on the excellent forum StackOverflow and adapted by us to integrate with Pwic.wiki's code base. Save the following script in the file pwic_cert.py:
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
import datetime
import sys
from os.path import isdir
from pwic_lib import PwicConst, PwicLib


# Helpers
def _ssl_input(topic: str, sample: str) -> str:
    # Prompt the user for one field, showing a sample value
    print('%s (ex: %s) : ' % (topic, sample), end='')
    return input()


# Check the database: the output files are written into the db/ folder
if not isdir(PwicConst.DB):
    print('Error: the database is not created yet')
    sys.exit(1)

# Private key: 2048-bit RSA, stored unencrypted in PEM format
key = rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=default_backend())
with open(PwicConst.PRIVATE_KEY, 'wb') as f:
    f.write(key.private_bytes(encoding=serialization.Encoding.PEM,
                              format=serialization.PrivateFormat.TraditionalOpenSSL,
                              encryption_algorithm=serialization.NoEncryption()))

# Public key: a self-signed certificate, so subject and issuer are the same name
issuer = x509.Name([
    x509.NameAttribute(NameOID.COUNTRY_NAME, _ssl_input('ISO code of the country on 2 characters', 'FR')),
    x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, _ssl_input('Full country', 'France')),
    x509.NameAttribute(NameOID.LOCALITY_NAME, _ssl_input('Your town', 'Paris')),
    x509.NameAttribute(NameOID.ORGANIZATION_NAME, _ssl_input('Your organization', 'Pwic.wiki')),
    x509.NameAttribute(NameOID.COMMON_NAME, _ssl_input('Common name', 'Pwic.wiki')),
])
# Every host name goes into the Subject Alternative Name extension, which browsers check
hosts = PwicLib.list(_ssl_input('Your hosts separated by space', 'www.your.tld'))
if len(hosts) == 0:
    sys.exit(1)
cert = x509.CertificateBuilder() \
    .subject_name(issuer) \
    .issuer_name(issuer) \
    .public_key(key.public_key()) \
    .serial_number(x509.random_serial_number()) \
    .not_valid_before(datetime.datetime.utcnow()) \
    .not_valid_after(datetime.datetime.utcnow() + datetime.timedelta(days=365 * 5)) \
    .add_extension(x509.SubjectAlternativeName([x509.DNSName(h) for h in hosts]), critical=False) \
    .sign(key, hashes.SHA256(), default_backend())
with open(PwicConst.PUBLIC_KEY, 'wb') as f:
    f.write(cert.public_bytes(serialization.Encoding.PEM))

# Final output
print('\nThe certificates are generated:')
print('- Private key: ' + PwicConst.PRIVATE_KEY)
print('- Public key: ' + PwicConst.PUBLIC_KEY)
After running this script with the command python3 pwic_cert.py, two output files are saved in the directory db/. The files are valid for the next 5 years and contain the precise identity information you entered.
2.2. Free by Let's Encrypt
Let's Encrypt is an Internet initiative that offers free certificates recognized everywhere in the world. The procedure is a bit more complex because you need to prove that you own your domain. In other words, Pwic.wiki must already be configured for HTTP.
We use the script proposed by diafygi because it is open source, simple and auditable. Download the script and follow the instructions of its readme file. If you have no reverse proxy, then you should edit Pwic.wiki's custom code PwicExtension.load_custom_routes so that Let's Encrypt can access the challenge files in a special static folder. Beware not to expose your private keys in this folder.
At the end, you read this kind of output:
python3 acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir . > ./signed_chain.crt
Parsing account key...
Parsing CSR...
Found domains: pwic.wiki
Getting directory...
Directory found!
Registering account...
Registered! Account ID: https://acme-staging-v02.api.letsencrypt.org/acme/acct/00000000
Creating new order...
Order created!
Verifying pwic.wiki...
pwic.wiki verified!
Signing certificate...
Certificate signed!
The output files are domain.key and signed_chain.crt. The certificate expires after 90 days.
2.3. Paid by commercial companies
These certificates have a high value but also a high cost (tens of dollars per year). It is certainly not the cheapest way to obtain HTTPS if you are running a small website.
Simply check the website of the authorities and their resellers to know more about the various opportunities to certify your domain.
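Whichever source you used, it is worth checking the two files before moving them into place in section 3: the certificate must carry the public half of your private key, list every host name you serve, and not be about to expire, and a self-signed one will trigger the browser warning described in the introduction. The check below is an added example, not part of Pwic.wiki; inspect_cert and make_sample_pair are names chosen here, and the sample key and certificate are constructed in memory in the same shape pwic_cert.py produces.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtensionOID, NameOID


def inspect_cert(cert_pem: bytes, key_pem: bytes, expected_hosts: list) -> dict:
    """Report what matters before serving the pair: key/cert match,
    self-signed or not, days of validity left, SAN coverage."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    key = serialization.load_pem_private_key(key_pem, password=None)
    # Compare the SubjectPublicKeyInfo of both files: they must be identical
    spki = (serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)
    cert_pub = cert.public_key().public_bytes(*spki)
    key_pub = key.public_key().public_bytes(*spki)
    try:
        san = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
        hosts = san.value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        hosts = []  # browsers ignore the Common Name, so no SAN means no valid host
    not_after = cert.not_valid_after.replace(tzinfo=datetime.timezone.utc)
    now = datetime.datetime.now(datetime.timezone.utc)
    return {
        'key_matches': cert_pub == key_pub,
        'self_signed': cert.issuer == cert.subject,  # the case that triggers the warning
        'days_left': (not_after - now).days,
        'hosts': hosts,
        'missing_hosts': [h for h in expected_hosts if h not in hosts],
    }


def make_sample_pair(hosts: list) -> tuple:
    """Constructed sample input (hypothetical): a throwaway 2048-bit key and a
    5-year self-signed certificate, as pwic_cert.py would write them."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hosts[0])])
    now = datetime.datetime.utcnow()
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=365 * 5))
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(h) for h in hosts]), critical=False)
            .sign(key, hashes.SHA256()))
    key_pem = key.private_bytes(serialization.Encoding.PEM,
                                serialization.PrivateFormat.TraditionalOpenSSL,
                                serialization.NoEncryption())
    return cert.public_bytes(serialization.Encoding.PEM), key_pem
```

On a real installation, read cert_pem and key_pem from the paths PwicConst.PUBLIC_KEY and PwicConst.PRIVATE_KEY instead of calling make_sample_pair.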
3. Enable HTTPS in Pwic.wiki
The files .key and .crt should be moved respectively to the locations given by the variables PwicConst.PRIVATE_KEY and PwicConst.PUBLIC_KEY defined in the file pwic_lib.py.
Update the option base_url to use HTTPS, for example by running python3 pwic_admin.py set-env base_url https://your-site.tld
3.1. Without a reverse proxy server
This is the default behavior: Pwic.wiki is listening on the address 0.0.0.0 or :: and serves all the requests.
The option https needs to be enabled with the command: python3 pwic_admin.py set-env https X
3.2. With a reverse proxy server
The interest of using a reverse proxy server is explained in our technical FAQ.
In this situation, Pwic.wiki communicates with the reverse proxy server on a restricted local network and you don't need HTTPS there. Instead, the reverse proxy server handles the secure connections with the external world, so it is the one that needs your certificate. Refer to the documentation of your reverse proxy server to complete the configuration.
4. Open your firewall
The last step consists in restarting Pwic.wiki and your reverse proxy server (if needed).
Also adapt the NAT rules of your firewall: HTTP runs on the port 80 and HTTPS on the port 443 by default.
Revision #1 was last modified by gitbra on 2024-11-30 at 00:00:00 — d3b40b63f504a449