TLS
#1
Hi,

Is there any appetite for TLS on moOde? I use DNS to reference everything internally and like to have things under TLS to save on browser warnings.

If there is I'm happy to roll my sleeves up and try and add it.

Cheers

Bump
#2
Hi,

Use of HTTPS/TLS protocol does not really involve DNS. Its use is negotiated during the connection request from client Browser to Web server.

moOde uses NGINX Web server and so this is the component that would need to be configured for HTTPS/TLS.
http://nginx.org/en/docs/http/configurin...rvers.html

Some of the challenges are:

- Unless the TLS Certificate is from a "well known CA" the Browser will display warning dialogs to the user.
- There is an ongoing cost to using a Cert from a well known CA that includes the initial cost plus the periodic renewal cost.
- There is a performance penalty incurred as a result of the encryption process.

-Tim
Enjoy the Music!
moodeaudio.org | Mastodon Feed | GitHub
#3
Ah poor wording on my part. The reference to using DNS was just for the user story scenario.

Yes, TLS would have to be handled by nginx in the case of moOde.

For the Ubiquiti devices I use Let's Encrypt to provide and handle cert renewal automatically. Here's my repo for unifi controllers https://github.com/LeePorte/unifi-lets-encrypt

Do you think the performance hit would be significant on the Pi?

Cheers

#4
I really don't know if the performance hit from TLS encryption process will translate into a perceptible performance degradation i.e., less responsive UI.

If you have a configuration that could be tested I'll be happy to try it out.
Reply
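One way to put a number on the performance question raised above, as an added example that is not part of the original posts or of moOde's code: time the same page over plain HTTP and over HTTPS with a fresh connection per request, so the HTTPS figure includes the full TLS handshake. The function names, the use of ports 80 and 443, and the optional CA file argument (for trusting a test certificate) are assumptions.

```python
# Added example: compare median request latency over HTTP and HTTPS.
import http.client
import ssl
import statistics
import time


def time_requests(host, port, use_tls=False, cafile=None, path="/", runs=20):
    """Return per-request wall times in milliseconds.

    Every run opens a NEW connection, so HTTPS samples include the TLS
    handshake. That is the worst case; keep-alive connections pay it once.
    """
    # Certificate verification stays on; cafile lets a test CA be trusted.
    ctx = ssl.create_default_context(cafile=cafile) if use_tls else None
    samples = []
    for _ in range(runs):
        start = time.perf_counter()
        if use_tls:
            conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
        else:
            conn = http.client.HTTPConnection(host, port, timeout=10)
        try:
            conn.request("GET", path)
            conn.getresponse().read()  # drain the body so transfer time counts
        finally:
            conn.close()
        samples.append((time.perf_counter() - start) * 1000.0)
    return samples


def summarize(plain_ms, tls_ms):
    """Median latency for each protocol and the difference between them."""
    plain = statistics.median(plain_ms)
    tls = statistics.median(tls_ms)
    return {"plain_ms": plain, "tls_ms": tls, "overhead_ms": tls - plain}


if __name__ == "__main__":
    import sys
    host = sys.argv[1]  # the player's hostname, as named in the certificate
    cafile = sys.argv[2] if len(sys.argv) > 2 else None  # optional test CA
    plain = time_requests(host, 80)
    tls = time_requests(host, 443, use_tls=True, cafile=cafile)
    print(summarize(plain, tls))
```

Run it from a client on the LAN rather than on the Pi itself, so the measurement reflects what a browser would see.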
#5
OK I'll shonk something together for the purpose of performance testing and get back to you.
#6
Just out of interest do you use any of the DNS providers located at https://github.com/Neilpang/acme.sh/wiki/dnsapi ?

Or would you prefer me to supply a cert and key and do some DNS poisoning for testing purposes?
#7
I've always used Router DHCP which sets client DNS to the LAN address of the Router. The Router then functions as a DNS proxy using whatever WAN DNS address was assigned by the ISP.
#8
Ah it was DNS for domains you own that I was referring to. For the purpose of cert generation using Let's Encrypt.