Jul 2021

I would like to be able to use both http and https. In the LAN itself I prefer using http as it is easier to troubleshoot (packet captures) if needed. But for accessing the server from the Internet of course ssl is mandatory.

I will do my research and see how to configure ssl for nginx… I hope to be able to report good news soon!

Ohhh

Let's Encrypt can set up automatic forwarding to https for you, or you can leave it alone.

I strongly recommend that you ALWAYS use SSL. This security is also necessary in the internal network.

I also don’t know what you want to read in the traffic. To debug problems with a web application you use the web browser developer tools.

Apart from that:
In a web application that lives on links and linking, how is anything supposed to work with a mixture of https and http addresses?

You also get problems with Collabora Online, Rocket.Chat, Guacamole or whatever you want to integrate in the future.

Please ALWAYS use https. You are doing yourself (and us) a big favour!

Stefan

Well, the encrypted/unencrypted traffic in LAN debate is an old one, revived with the increase of ransomware attacks in recent times… Fact is that SSL encryption inevitably creates blind spots within the network, which can easily lead to malware travelling through your network unnoticed (cf. Broadcom/Symantec, A10, Gartner 2019 studies among others). The technically best answer to the problem is to perform SSL decryption at strategic points, which in turn can cause legal troubles with GDPR. Professionally, I had to struggle a lot with such designs in the last couple of years.

In this particular case with egw however, it indeed makes sense to have ssl everywhere, I agree, and I’m gonna go down this path especially if it may interfere with some modules as you pointed out. Maybe I’ll ask for a wirespeed SSL decryptor for Xmas to make things perfect.

I’ll check how to use letsencrypt with nginx later this afternoon.

Okay, I got it working. I used this procedure to set up encryption:

I decided to go for a self-signed certificate as all certificates issued for free (Let's Encrypt and others) need to be renewed every 3 months, and honestly I don’t have the patience to do that 4x/year. I will buy a certificate on a yearly basis (or more) as it doesn’t cost that much.

I also found a way around my unencrypted vs ssl dilemma: I have set it up encrypted, and if I need to tshoot a session between a user and the server, I can just remove the auto redirect in the egroupware.conf file during tshoot if needed, and re-enable it afterwards (just needs to restart nginx for that).

Works automatically. If you want…

Stefan

Really? In that case, definitely yes. I need to dig into this.

For example, if you use certbot, it will be set up automatically:

I had also written this in the old instructions for an Apache reverse proxy:

And a bit more about how to configure the SSL even more securely.

Stefan

Sold! I’m going for that solution. I didn’t think about automating the renewal process with cron jobs. As said, I’m really new at Linux so I don’t have all the guru reflexes (yet).

That being said, I’d like to thank you very much for your support, Stefan, and I have to say that I’m really impressed with egroupware. Even from a graphical perspective it really stands ahead of all other groupware solutions, both free and proprietary (in my opinion, though).

Cheers
Denis

Hi Denis.

We’re glad to hear that.
Then spread the word!
Feel free to star, follow, retweet, like, … at:
https://github.com/EGroupware/egroupware2
https://twitter.com/egroupware
https://www.facebook.com/EGroupware
https://www.youtube.com/user/EGroupware
https://fosstodon.org/@EGroupware

Let us close this topic:

Stefan