Please include ability to serve HTTP unencrypted over port 80 for network traffic inspection purposes

Mastadamus wrote (#1):

For those of us who wish to capture our network traffic for inspection, it makes more sense for us to put a LB/reverse proxy in front of our Cloudron and then terminate SSL/TLS at the LB and pass unencrypted to our Cloudron. Obviously, for certain traffic where E2E encryption is preferred, we can proxy pass HTTPS. It would be nice if we had the ability to maybe select whether or not we want to also serve on port 80.

girish (Staff) wrote (#2):

@Mastadamus Can you also decrypt the traffic if you have the certs (which you can get from /home/yellowtent/platformdata/nginx/cert)? Something like https://support.f5.com/csp/article/K19310681 or https://unit42.paloaltonetworks.com/wireshark-tutorial-decrypting-https-traffic/

Mastadamus wrote (#3):

@girish Yeah, that's what I do for my actual job, but it does introduce a ton of issues. 1. You can decrypt if you are using Diffie-Hellman. As far as I can determine, currently the Cloudron only accepts ECDH algorithms. This would prevent decryption since you can't MITM Diffie-Hellman as far as I know.

girish (Staff) wrote (#4):

@Mastadamus said in Please include ability to serve HTTP unencrypted over port 80 for network traffic inspection purposes:

> You can decrypt if you are using Diffie-Hellman. As far as I can determine currently the Cloudron only accepts ECDH algorithms

Indeed, it cannot be decoded because PFS is a property of ECDH. See also Right, I guess this is because of PFS - https://serverfault.com/questions/869354/decoding-ssl-packets-with-cipher-tls-ecdhe-rsa-in-wireshark

I think having a way to support reverse proxies in front of Cloudron would help the situation. It seems many people are hitting this limitation when they deploy at home.

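The key-exchange distinction discussed in posts #3 and #4, as an added example that is not part of the original thread: a Python classifier that takes negotiated cipher-suite names (OpenSSL or IANA style) and reports whether a capture can be decrypted with the server's private key, or needs per-session secrets (a key log) or a TLS-terminating proxy. It generalizes beyond the ECDHE case in the thread; the function names and the sample list are constructed for illustration.

```python
import re

# Key-exchange families where the server's long-term private key is enough
# to recover session keys from a passive capture (no forward secrecy).
KEY_DECRYPTABLE = {"RSA", "static-DH", "static-ECDH"}

PREFIXES = (("ECDHE-", "ECDHE"), ("DHE-", "DHE"), ("EDH-", "DHE"),
            ("ECDH-", "static-ECDH"), ("DH-", "static-DH"),
            ("RSA-WITH-", "RSA"))

def key_exchange(suite):
    """Classify an OpenSSL- or IANA-style cipher-suite name by key exchange."""
    s = suite.upper().replace("_", "-")
    if re.match(r"TLS-(AES|CHACHA20)-", s):
        return "TLS1.3"                 # TLS 1.3 suites always use ephemeral (EC)DHE
    s = re.sub(r"^TLS-", "", s)         # IANA names carry a TLS_ prefix
    if "ANON" in s or s.startswith(("ADH-", "AECDH-")):
        return "anonymous"              # ephemeral exchange, no server key involved
    for prefix, family in PREFIXES:
        if s.startswith(prefix):
            return family
    if re.match(r"(AES|CAMELLIA|ARIA|DES|RC4|SEED|IDEA|NULL)", s):
        return "RSA"                    # OpenSSL omits the prefix for RSA key transport
    return "unknown"                    # e.g. PSK/SRP suites: review by hand

def inspection_plan(suites):
    """Map each suite to (key exchange, what is needed to inspect the traffic)."""
    plan = {}
    for suite in suites:
        kx = key_exchange(suite)
        if kx in KEY_DECRYPTABLE:
            need = "server private key"
        elif kx == "unknown":
            need = "manual review"
        else:
            need = "session key log or TLS-terminating proxy"
        plan[suite] = (kx, need)
    return plan

# Constructed sample: suite names as they might appear in ServerHello records.
SAMPLE = ["ECDHE-RSA-AES128-GCM-SHA256", "TLS_AES_256_GCM_SHA384",
          "AES256-SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
          "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", "PSK-AES128-CBC-SHA"]

if __name__ == "__main__":
    for name, (kx, need) in inspection_plan(SAMPLE).items():
        print(f"{name:40} {kx:12} {need}")
```
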
Mastadamus wrote (#5):

@girish Do we have a way to do this yet? Support for reverse proxies in front of Cloudron?

robi wrote (#6):

@Mastadamus why not do it behind?

Conscious tech

girish (Staff) wrote (#7):

@Mastadamus Not yet, no. I think it's quite low priority; it needs a lot of testing/changes to support HTTP. Cloudron is designed everywhere to be secure (HTTPS) by default, making this complicated.
