Please include ability to serve HTTP unencrypted over port 80 for network traffic inspection purposes

7 Posts 3 Posters 942 Views 3 Watching
      Mastadamus
      wrote on last edited by
      #1

      For those of us who wish to capture our network traffic for inspection, it makes more sense for us to put a LB/reverse proxy in front of our Cloudron and then terminate SSL/TLS at the LB and pass unencrypted to our Cloudron. Obviously for certain traffic where E2E encryption is preferred we can proxy pass https. It would be nice if we had the ability to maybe select whether or not we want to also serve on port 80.

        girish
        Staff
        wrote on last edited by girish
        #2

        @Mastadamus Can you also decrypt the traffic if you have the certs (which you can get from /home/yellowtent/platformdata/nginx/cert)? Something like https://support.f5.com/csp/article/K19310681 or https://unit42.paloaltonetworks.com/wireshark-tutorial-decrypting-https-traffic/

          Mastadamus
          wrote on last edited by
          #3

          @girish Yeah, that's what I do for my actual job, but it does introduce a ton of issues. 1. You can decrypt if you are using Diffie-Hellman. As far as I can determine, currently the Cloudron only accepts ECDH algorithms. This would prevent decryption since you can't MITM Diffie-Hellman as far as I know.

            girish
            Staff
            wrote on last edited by
            #4

            @Mastadamus said in Please include ability to serve HTTP unencrypted over port 80 for network traffic inspection purposes:

            You can decrypt if you are using Diffie-Hellman. As far as I can determine, currently the Cloudron only accepts ECDH algorithms

            Indeed, it cannot be decoded because PFS is a property of ECDH. See also Right, I guess this is because of PFS - https://serverfault.com/questions/869354/decoding-ssl-packets-with-cipher-tls-ecdhe-rsa-in-wireshark

            I think having a way to support reverse proxies in front of Cloudron would help the situation. It seems many people are hitting this limitation when they deploy at home.
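
Added example, not part of the thread and not Cloudron code: a small classifier showing which negotiated cipher suites a capture can be decrypted for using only the server's certificate private key, which is the limitation discussed above. The function names and the sample sessions are constructed for illustration; suite names are accepted in either OpenSSL or IANA spelling.

```python
# Constructed sample: (protocol, cipher suite) pairs as a handshake log or
# `openssl s_client` would report them. Not taken from the thread.
SAMPLE_SESSIONS = [
    ("TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384"),            # OpenSSL name
    ("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),  # IANA name
    ("TLSv1.2", "AES128-GCM-SHA256"),                      # RSA key exchange
    ("TLSv1.2", "TLS_RSA_WITH_AES_256_CBC_SHA"),           # RSA key exchange
    ("TLSv1.2", "DHE-RSA-AES128-GCM-SHA256"),
    ("TLSv1.3", "TLS_AES_256_GCM_SHA384"),
]

EPHEMERAL = {"ECDHE", "DHE", "EDH"}   # fresh key pair per handshake (PFS)
STATIC_DH = {"ECDH", "DH"}            # fixed (EC)DH key in the certificate


def key_exchange(protocol, suite):
    """Return 'ephemeral', 'static-dh' or 'rsa' for a negotiated suite."""
    if protocol == "TLSv1.3":
        # Certificate handshakes in TLS 1.3 always use ephemeral (EC)DHE.
        return "ephemeral"
    name = suite.upper().replace("_", "-")
    if name.startswith("TLS-"):
        name = name[4:]
    prefix = name.split("-")[0]
    if prefix in EPHEMERAL:
        return "ephemeral"
    if prefix in STATIC_DH:
        return "static-dh"
    # OpenSSL omits the prefix for RSA key exchange; IANA spells it RSA-WITH.
    return "rsa"


def rsa_key_decrypts(protocol, suite):
    """True if a passive capture plus the server's RSA key recovers the session."""
    return key_exchange(protocol, suite) == "rsa"


def audit(sessions):
    """Map each session to the material an inspection setup would need."""
    report = []
    for protocol, suite in sessions:
        if rsa_key_decrypts(protocol, suite):
            need = "server private key"
        else:
            need = "per-session secrets (key log) or TLS termination"
        report.append((protocol, suite, need))
    return report


if __name__ == "__main__":
    for row in audit(SAMPLE_SESSIONS):
        print("%-8s %-40s %s" % row)
```
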

              Mastadamus
              wrote on last edited by
              #5

              @girish Do we have a way to do this yet? Support for reverse proxies in front of Cloudron?

                robi
                wrote on last edited by
                #6

                @Mastadamus why not do it behind?

                Conscious tech

                  girish
                  Staff
                  wrote on last edited by
                  #7

                  @Mastadamus not yet, no. I think it's quite low priority, it needs a lot of testing/changes to support http. Cloudron is designed everywhere to be secure (https) by default, making this complicated.
