2006-12-14 01:23:10 +01:00
|
|
|
Encrypting the communication with the CryptoBox webserver with SSL
|
2006-12-13 23:04:27 +01:00
|
|
|
|
2006-12-14 01:23:10 +01:00
|
|
|
This file describes how to encrypt your connection to the CryptoBox webserver.
|
|
|
|
This is highly recommended as the encryption password for your data could be
|
|
|
|
exposed to intruders in your local network otherwise.
|
2006-12-13 23:04:27 +01:00
|
|
|
|
2006-12-14 01:23:10 +01:00
|
|
|
There are two ways for setting up a SSL connection:
|
|
|
|
- run the CryptoBox webserver behind an ssl-enabled webserver
|
|
|
|
- use stunnel to provide an SSL socket
|
2006-12-13 23:04:27 +01:00
|
|
|
|
|
|
|
|
2006-12-14 01:23:10 +01:00
|
|
|
1) CryptoBox behind an ssl-enabled webserver
|
|
|
|
Read the documentation of your favourite webserver to learn how to enable
|
|
|
|
ssl encryption.
|
|
|
|
|
|
|
|
The CryptoBox webserver cannot detect whether the connection is encrypted
|
|
|
|
or not since it is behind the proxy webserver. Thus you have to tell the
|
|
|
|
CryptoBox whether the connection is encrypted or not.
|
|
|
|
|
|
|
|
for apache2:
|
|
|
|
1) enable the 'headers' module (for debian: "a2enmod headers")
|
|
|
|
2) add this line to your ssl-enabled virtualhost:
|
|
|
|
RequestHeader set X-SSL-Request 1
|
|
|
|
3) restart your webserver
|
|
|
|
|
|
|
|
for lighthttpd:
|
|
|
|
TODO
|
|
|
|
|
|
|
|
|
|
|
|
2) CryptoBox behind stunnel
|
|
|
|
If you do not have an ssl certificate yet, then you should create it first.
|
|
|
|
Please take a look into the "start_stunnel.sh" script. You may use it
|
|
|
|
to create a certificate and dig a tunnel.
|
|
|
|
|
|
|
|
In case, that you already have a certificate just run this command:
|
|
|
|
|
|
|
|
stunnel -p "$YOUR_CERT_FILE" -r localhost:80 -d 443
|
|
|
|
|
|
|
|
Maybe you should add this to your bootup scripts.
|
|
|
|
|
|
|
|
|
|
|
|
3) Problems with SSL detection?
|
|
|
|
If the CryptoBox continues to complain about the unencrypted connection, even
|
|
|
|
if it runs behind an ssl-enabled webserver or behind stunnel, then you can do
|
|
|
|
one of the following things:
|
|
|
|
- set the request header value "X-SSL-Request" to "1" (one)
|
|
|
|
- set the environment setting "HTTPS" to a non-empty value during the
|
|
|
|
startup of the CryptoBox webserver. Maybe /etc/default/cryptobox-server
|
|
|
|
would be the right place for this.
|
|
|
|
- let the CryptoBox webserver listen to port 443
|
2006-12-13 23:04:27 +01:00
|
|
|
|