
Encrypting the communication with the CryptoBox webserver with SSL
2006-12-13 23:04:27 +01:00
This file describes how to encrypt your connection to the CryptoBox webserver.
This is highly recommended as the encryption password for your data could be
exposed to intruders in your local network otherwise.
There are two ways of setting up an SSL connection:
- run the CryptoBox webserver behind an ssl-enabled webserver
- use stunnel to provide an SSL socket
1) CryptoBox behind an ssl-enabled webserver
Read the documentation of your favourite webserver to learn how to enable
ssl encryption.
The CryptoBox webserver cannot detect whether the connection is encrypted
or not since it is behind the proxy webserver and does not share its
environment. Thus you have to tell the CryptoBox in the request header
whether the connection is encrypted or not.
for apache2:
1) enable the 'headers' module (for debian: "a2enmod headers")
2) add this line to your ssl-enabled virtualhost:
RequestHeader set X-SSL-Request 1
3) restart your webserver
for lighttpd:
2) CryptoBox behind stunnel
You may want to tunnel the traffic between the cryptobox-server
and your browser. "stunnel" is an excellent candidate for this job.
If you do not have an ssl certificate yet, then you should create
one first. On Debian: "apt-get install ssl-cert" and run the following
command (replace the <NAMES>; a default CERT_CONF is shipped with the
cryptobox-server package):
make-ssl-cert <CERT_CONF> <CERT_FILE_NAME>
If you already have a certificate, just run this command:
stunnel -p <CERT_FILE_NAME> -r localhost:80 -d 443
You may also want to add the last command to your boot-up scripts.
3) Problems with SSL detection?
If the CryptoBox continues to complain about the unencrypted connection, even
if it runs behind an ssl-enabled webserver or behind stunnel, then you can do
one of the following things:
- set the request header value "X-SSL-Request" to "1" (the digit 'one')
- set the environment setting "HTTPS" to a non-empty value during the
startup of the CryptoBox webserver. Maybe /etc/default/cryptobox-server
would be the right place for this.
- let the CryptoBox webserver listen to port 443
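The three detection signals listed above, modelled in a small Python script so you can see which one (if any) a given request would trigger. This is an added example and not the CryptoBox's own code; the function names, the dictionaries standing in for request headers and process environment, and the sample requests are all constructed for the illustration. It also models what "RequestHeader set X-SSL-Request 1" does on the ssl-enabled virtualhost: Apache's "set" replaces any value the client sent, so the CryptoBox only ever sees the proxy's verdict.

```python
"""Model of the CryptoBox SSL-detection signals (added example, not project code).

Signals taken from the documentation:
  1. request header X-SSL-Request equal to the digit "1"
  2. environment variable HTTPS with a non-empty value
  3. the webserver itself listening on port 443
"""

SSL_HEADER = "X-SSL-Request"   # header name from the documentation
SSL_PORT = 443


def ssl_signals(headers, environ, listen_port):
    """Return the list of signals that mark this request as encrypted.

    headers:     dict of request headers as received by the CryptoBox webserver
    environ:     dict standing in for the webserver process environment
    listen_port: TCP port the CryptoBox webserver is listening on
    """
    # Header names are case-insensitive, so normalise before looking them up.
    lower = {name.lower(): value for name, value in headers.items()}
    found = []
    if lower.get(SSL_HEADER.lower()) == "1":   # must be the digit one, not "on"/"yes"
        found.append("header")
    if environ.get("HTTPS"):                   # any non-empty value counts
        found.append("env")
    if listen_port == SSL_PORT:
        found.append("port")
    return found


def is_ssl_request(headers, environ, listen_port):
    """True when at least one signal says the connection is encrypted."""
    return bool(ssl_signals(headers, environ, listen_port))


def apache_ssl_vhost_headers(client_headers):
    """Model of 'RequestHeader set X-SSL-Request 1' on the ssl-enabled vhost.

    'set' replaces the header regardless of what the client sent, so the
    value forwarded to the CryptoBox is always the digit 1 (model only).
    """
    forwarded = {n: v for n, v in client_headers.items()
                 if n.lower() != SSL_HEADER.lower()}
    forwarded[SSL_HEADER] = "1"
    return forwarded


if __name__ == "__main__":
    # Constructed sample requests: behind apache2, behind stunnel, and a bad header.
    print(ssl_signals({"X-SSL-Request": "1"}, {}, 80))      # ['header']
    print(ssl_signals({}, {"HTTPS": "on"}, 8080))            # ['env']
    print(ssl_signals({"X-SSL-Request": "yes"}, {}, 80))     # []  -> CryptoBox still complains
```

Run it as a script to see the three sample cases; the third one shows the typical misconfiguration from this section, where the header is present but does not carry the digit one.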