TLS config inside UI


SSL certs are installed by default. If you want to replace them with your own certs you have to make them with openssl, but there is no point. If you don't want self-signed certs you have letsencrypt. To use TLS, simply use the https port instead of http. You can restrict to TLS only and exclude SSLv3 in nginx.conf, but not all players support TLS.


I understand the process, and with all respect, there is a point: untrusted SSL certificates don't work across all devices, so it is better to sign the cert with a trusted certificate authority. Letsencrypt is free, but... should you trust it? I'd rather go with a paid version, which is the reason I was asking for a feature to easily install a certificate. I know how to install it and how to make it work, but not everybody does 🙂

Edited by Alberto Palau

If you change the default cert files created during installation, you also need to update the "ca" attribute in the "servers" database table and the ca file on the load balancers; otherwise the load balancers will not work properly.

The "ca" (certificate authority) attribute is used by the main and load balancers to validate each other to avoid man-in-the-middle attacks when using self-signed certificates.

If you have installed trusted certificates, you are not vulnerable to man-in-the-middle attacks, but you still need to make the above mentioned changes.


You don't have to update anything if your CA is already trusted, and this has been my point since the beginning of the suggestion. But if you feel comfortable with not adding the feature, your call, this is not my software :-). To be honest I was a bit excited when I saw it, but you have a lot to fix to make it work properly. I do have a huge list of issues found, but since you guys are not receptive, keep plugging away 🙂


You do need to update the "ca" in the database table "servers" with the content of your new CA, trusted or not. The content of the "ca" in the db is used to validate the LBs. Since the majority of users will not install a trusted certificate, this is an effective way to protect main server/LB communication from man-in-the-middle attacks with self-signed certificates. As a collateral effect, even users with a trusted cert will have to update the db. We are receptive to all issues we are informed of.

Regarding your proposal to install certificates in an easy way through the panel I think it's overkill for these reasons:

  • You have to do it only once
  • Few people need to do it
  • You can do it on your own by literally copying 3 files and updating a database entry
  • It would overengineer the panel
  • Why not add an easy way to install openvpn, generate certificates and configs then?
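To illustrate the point made in the two replies above (the "ca" attribute has to follow the CA that issued the new certs), here is an added shell demo that is not part of the thread or the software: it builds two constructed CAs with the openssl CLI, issues a load-balancer cert under the replacement CA, and models the main-server/LB validation with `openssl verify` against each CA. The CA names, the CN values and the `validates_peer` helper are assumptions for the demo; only `openssl` on the PATH is required.

```shell
#!/bin/sh
# Added demo: why the stored "ca" must be replaced together with the cert files.
# All keys/certs below are constructed on the fly; nothing is written outside $WORK.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME CN : create a self-signed CA (key + cert) under $WORK
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "/CN=$2" >/dev/null 2>&1
}

# issue_cert CA NAME CN : issue a leaf cert for NAME, signed by CA
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$2.key" \
    -out "$WORK/$2.csr" -subj "/CN=$3" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -out "$WORK/$2.crt" >/dev/null 2>&1
}

# validates_peer CA NAME : the check main server and LBs perform on each other,
# modelled with `openssl verify`; prints "ok" when NAME chains to CA, else "FAIL"
validates_peer() {
  if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo FAIL
  fi
}

make_ca old_ca "install-time CA"            # CA generated at installation (stale "ca" value)
make_ca new_ca "replacement CA"             # CA the admin switched to afterwards
issue_cert new_ca lb "lb1.example.invalid"  # LB cert now issued under the new CA

echo "new CA in db : $(validates_peer new_ca lb)"   # ok
echo "stale CA in db: $(validates_peer old_ca lb)"  # FAIL -> LB rejected, exactly the breakage described
```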