    Please include ability to serve HTTP unencrypted over port 80 for network traffic inspection purposes

    Feature Requests
      Mastadamus last edited by

      For those of us who wish to capture our network traffic for inspection, it makes more sense for us to put an LB/reverse proxy in front of our Cloudron and then terminate SSL/TLS at the LB and pass unencrypted to our Cloudron. Obviously, for certain traffic where E2E encryption is preferred, we can proxy pass HTTPS. It would be nice if we had the ability to maybe select whether or not we want to also serve on port 80.

        girish Staff @Mastadamus last edited by girish

        @Mastadamus Can you also decrypt the traffic if you have the certs (which you can get from /home/yellowtent/platformdata/nginx/cert)? Something like https://support.f5.com/csp/article/K19310681 or https://unit42.paloaltonetworks.com/wireshark-tutorial-decrypting-https-traffic/

          Mastadamus @girish last edited by

          @girish Yeah, that's what I do for my actual job, but it does introduce a ton of issues. 1. You can decrypt if you are using Diffie-Hellman. As far as I can determine, currently the Cloudron only accepts ECDH algorithms. This would prevent decryption since you can't MITM Diffie-Hellman as far as I know.

            girish Staff @Mastadamus last edited by

            @Mastadamus said in Please include ability to serve HTTP unencrypted over port 80 for network traffic inspection purposes:

            You can decrypt if you are using Diffie-Hellman. As far as I can determine, currently the Cloudron only accepts ECDH algorithms

            Indeed, it cannot be decoded because PFS is a property of ECDH. See also Right, I guess this is because of PFS - https://serverfault.com/questions/869354/decoding-ssl-packets-with-cipher-tls-ecdhe-rsa-in-wireshark

            I think having a way to support reverse proxies in front of cloudron would help the situation. It seems many people are hitting this limitation when they deploy at home.

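The point made in the reply above (an ECDHE handshake is forward secret, so the certificate's private key alone cannot decrypt a capture), as an added example that is not part of the original thread: a Python check that sorts cipher-suite names into those a passive tap can decrypt with the server's private key and those that need per-session secrets or a TLS-terminating proxy. The function names and the sample suite list are constructed for illustration.

```python
# Added example: which cipher suites can a passive capture decrypt using only
# the server certificate's private key? Accepts IANA and OpenSSL suite names.
CIPHER_TOKENS = ("AES", "CAMELLIA", "CHACHA20", "ARIA", "SEED", "DES", "RC4", "NULL")
EPHEMERAL = {"ECDHE", "DHE", "EDH"}  # fresh key pair per handshake -> forward secrecy

def key_exchange(suite: str) -> str:
    """Return the key-exchange family named (or implied) by a suite name."""
    name = suite.strip().upper()
    if name.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return "TLS13"                       # TLS 1.3 always uses ephemeral (EC)DHE
    if name.startswith("TLS_"):
        if "_WITH_" not in name:
            return "OTHER"                   # signalling values such as SCSVs
        parts = name[4:].split("_WITH_")[0].split("_")   # e.g. ['ECDHE', 'RSA']
    else:
        tokens = name.split("-")
        if tokens[0].startswith(CIPHER_TOKENS):
            return "RSA"                     # OpenSSL omits the prefix for RSA key exchange
        parts = tokens[:2]                   # key exchange and authentication
    if "PSK" in parts or "SRP" in parts:
        return "OTHER"                       # a shared secret is also involved
    return parts[0] if parts[0] in EPHEMERAL | {"RSA"} else "OTHER"

def verdict(suite: str) -> str:
    kx = key_exchange(suite)
    if kx == "RSA":
        return "private-key"       # premaster secret is encrypted to the certificate key
    if kx in EPHEMERAL or kx == "TLS13":
        return "session-secrets"   # needs a key log (SSLKEYLOGFILE) or TLS termination
    return "not-classified"        # static DH/ECDH, PSK, anonymous: judge by hand

def audit(suites):
    return {s: verdict(s) for s in suites}

# Constructed sample, as the names might appear in a server config or scan report.
SAMPLE = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "DHE-RSA-AES256-SHA",
    "AES128-GCM-SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_AES_256_GCM_SHA384",
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
]

if __name__ == "__main__":
    for suite, result in audit(SAMPLE).items():
        print(f"{result:16} {suite}")
```
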
              Mastadamus @girish last edited by

              @girish do we have a way to do this yet? Support for reverse proxies in front of cloudron?

                robi @Mastadamus last edited by

                @Mastadamus why not do it behind?

                Life of Advanced Technology

                  girish Staff @Mastadamus last edited by

                  @Mastadamus not yet, no. I think it's quite low priority, it needs a lot of testing/changes to support http. Cloudron is designed everywhere to be secure (https) by default, making this complicated.
