Advanced connection options for server connection #46

Open
trekkie1707 opened this issue May 7, 2021 · 8 comments
Labels
enhancement New feature or request help wanted Extra attention is needed


@trekkie1707

**Is your feature request related to a problem? Please describe.**
I have a paperless-ng server set up - and I wanted to make it a little more secure. I have it fronted by nginx and require a client certificate in order to get to the login page. This extra layer breaks the app as there is no way to specify this information.

**Describe the solution you'd like**
I'd like some kind of advanced connection button that would allow for specifying a client certificate or other options.

**Describe alternatives you've considered**
I can always turn off the client cert option in Nginx - but I'd like to use it at some point for extra peace of mind. I could fork the project and do things myself, but I am not familiar with Android apps or the underlying programming language of this app.

@trekkie1707 trekkie1707 added the enhancement New feature or request label May 7, 2021
@bauerj bauerj added the help wanted Extra attention is needed label Jun 10, 2021
@bauerj
Owner

bauerj commented Jun 10, 2021

Hey,

thank you for sharing this idea! This seems like a useful feature, especially with all the sensitive documents that may be stored in Paperless.

I'm currently working on the document editing feature and improvements to the in-app scanner so I'm not able to work on this now. I'd be happy to accept a pull-request with this implemented.

To promote usage of client certificates, it would be nice if this could be integrated into the Paperless-NG documentation for the default Docker setup. Could you open an issue there as well?

@MuratovAS

Good afternoon.
I am also worried about the issue of https certificates.
I am using paperless + nginx proxy manager with self signed certificate using openssl.
That is, my certificate is not certified by the CA. For this reason, the system does not allow me to use paperless_app with my server.

@bauerj
Owner

bauerj commented Aug 30, 2021

One thing we could try is using a native Android HTTP client instead of using dio.

However, this has the disadvantage of making it harder to maintain compatibility with iOS and also means we have to rewrite a big part of the app. I would really prefer if this could be fixed in Flutter/Dart.

@knilde

knilde commented Sep 1, 2021

I'm another user and admin for friends, running instances of Paperless ng.
An option to accept a self-signed certificate stops me and others from using the app.

@MuratovAS

MuratovAS commented Sep 1, 2021

> I'm another user and admin for friends, running instances of Paperless ng.
> An option to accept a self-signed certificate stops me and others from using the app.

I spent a very long time trying to get the application to work with a self signed certificate.
I tried:

  1. Decompile the APK and add "network_security_config.xml"
  2. Created my own CA and added the CA certificate to the custom store
  3. I also tried adding my CA to the system trusted store

Neither option worked. As I understand it, this is the specifics of "dart" and the "dio" used.
As I understand it, this can only be solved by modifying the "dio" itself. But I'm not good at mobile development, so I didn't.

I found a way out for myself. I'm using HTTP over a VPN tunnel. I do not know how safe it is, I would like to know the opinion of experts in this matter.
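
What this issue asks for comes down to the following at the `dart:io` level, shown as an added example that is not code from the app or from dio. `dart:io` does its own TLS and takes its trust anchors and client identity from a `SecurityContext`. The file names and the host `paperless.example.internal` are assumptions.

```dart
import 'dart:io';

/// Builds an HttpClient that trusts exactly one private CA and presents a
/// client certificate during the TLS handshake (what nginx asks for when
/// client-certificate verification is enabled).
HttpClient buildClient({
  required List<int> caPem,
  required List<int> clientCertPem,
  required List<int> clientKeyPem,
  String? keyPassword,
}) {
  // withTrustedRoots: false means the public root store is NOT consulted;
  // only the CA added below can validate the server certificate.
  final ctx = SecurityContext(withTrustedRoots: false)
    ..setTrustedCertificatesBytes(caPem)
    ..useCertificateChainBytes(clientCertPem)
    ..usePrivateKeyBytes(clientKeyPem, password: keyPassword);
  // No badCertificateCallback is set, so a server certificate that does not
  // chain to caPem, or whose name does not match the host, is rejected.
  return HttpClient(context: ctx);
}

Future<void> main() async {
  // Hypothetical file names: a private CA plus a client cert/key it issued.
  final client = buildClient(
    caPem: await File('ca.pem').readAsBytes(),
    clientCertPem: await File('client.pem').readAsBytes(),
    clientKeyPem: await File('client.key').readAsBytes(),
  );
  try {
    // Hypothetical host; the server certificate must list this name.
    final req = await client
        .getUrl(Uri.parse('https://paperless.example.internal/'));
    final res = await req.close();
    print('HTTP ${res.statusCode}');
    await res.drain<void>();
  } on HandshakeException catch (e) {
    // Raised for an untrusted server certificate or a failed handshake.
    print('TLS handshake failed: $e');
  } finally {
    client.close();
  }
}
```

An app offering this as a connection option would load the three PEM blobs from user-selected files or secure storage rather than from fixed paths.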

@bauerj
Owner

bauerj commented Sep 1, 2021

Thanks for testing this so thoroughly. At least we know now that we didn't miss anything obvious!

Your setup should be secure if you trust everyone in your VPN. However, I would still recommend using HTTPS.

What's stopping you from using a certificate from a trusted CA?

@MuratovAS

I was planning to use "paperless" only on the local network anyway, behind the VPN.
I think not one certification authority will sign me a certificate for the local network.
Using HTTPS is an additional layer of protection in case of unauthorized intrusion into my network.

It seems to me that VPN will be more reliable in comparison with public paperless + HTTPS

@bauerj
Owner

bauerj commented Sep 2, 2021

> I think not one certification authority will sign me a certificate for the local network.

Sure, you can just use DNS validation, then you don't need a public IP. Let's Encrypt and ZeroSSL both offer that for free.

> It seems to me that VPN will be more reliable in comparison with public paperless + HTTPS

Unlikely, but it will certainly be more secure!
