HTTPS Support #546

Open
spencerbeggs opened this issue Feb 17, 2021 · 53 comments

@spencerbeggs

Communicating with the node over HTTP on your local network seems dicey. Would you be interested in a pull request that would generate SSL certs locally and then allow you to download the root cert from the settings menu? I might be able to hack that together.

@lukechilds
Member

lukechilds commented Feb 18, 2021

Thanks for the suggestion!

During beta, Umbrel makes the assumption that the local network is secure. This is pretty much the industry standard and how every consumer router or smart device that exposes a web interface works.

We agree this isn't really good enough as an industry standard. We think we have some clever ideas on how we can do secure communication out of the box for a stable release. However I think it's out of scope for the beta.

Secure communication over a local network is not an easy problem to solve. I don't think encouraging users to install root certs is a good idea. That should only be done by very technical users who know what they're doing and understand the implications. As an aside, if you're concerned your local network is not secure then anything malicious could inject a fake root cert when you download it over HTTP, and then compromise your entire browser/OS when you install the bad cert.

For now, if you're worried about plain text local network communication, I'd recommend accessing your Umbrel via the Tor hidden service which will ensure all data is encrypted in transit.

Check out our security doc if you haven't already: https://github.com/getumbrel/umbrel/blob/master/SECURITY.md

@tim-tx

tim-tx commented Aug 6, 2021

I would vote to re-open this, not because of unencrypted data in the local network but because of unencrypted data leaving Tor. If I understand Tor correctly, then without HTTPS, traffic in Tor is only encrypted up to the exit node. No extra encryption exists between the exit node and the destination. There was a prominent attack on Tor traffic exploiting this in 2007. Without HTTPS, the exit node or some eavesdropper between the exit node and the destination could very easily read my Umbrel password. Likewise, if I use the Electrum server without HTTPS over Tor, my wallet information would be totally exposed between the exit node and the destination. Why not use a self-signed certificate, since I am both the user and the certificate creator?

@tim-tx

tim-tx commented Aug 6, 2021

Ah, I found this is discussed in #190 and irrelevant since you don't ever exit to clearnet. Also see #686.

@djkazic
Contributor

djkazic commented Aug 29, 2021

Hello, just wanted to chime in with my two cents. I've got good results in modifying my nginx.conf and using certbot + dns01 challenges to get SSL certs for use locally. My dns records just point at the private IP so nothing touches clearnet while getting that nice green checkmark in the browser

@BenGWeeks

Adding my vote for this one. This is required to run BTCPayServer I believe.

@abradshaw

Agreed, this really needs to be addressed

@BenGWeeks

BenGWeeks commented Jan 12, 2022

The following instructions could be a useful resource (specific to BTCPayServer but presumably could be generalised):

Installing the NGINX reverse proxy with an SSL certificate for Umbrel / BTCPay Server

This uses certbot, not something I have come across before (I thought you had to pay for SSL certificates) and also requires dynamic DNS if you have no fixed IP.

I wonder if anyone knows of a [free] command-line service for dynamic DNS allocation in a similar fashion to certbot for SSL certificates. If so, this would presumably mean this could all be configured from an installation without much user configuration other than port forwarding on their router. Perhaps something like How to Install the Dynamic Update Client on Linux is part of the solution.

I would be very interested to see if this could be done.

@BenGWeeks

Why was this closed?

@KayBeSee
Contributor

Just noting that enabling access via HTTPS would allow browsers to access and use camera functionality.

See https://developer.mozilla.org/en-US/docs/Web/API/MediaDevices/getUserMedia

@marcelrv

FYI issue you will have related to this topic: https://community.getumbrel.com/t/apps-remain-in-starting-but-actually-work-fine/6338/7

@jbrill

jbrill commented Apr 9, 2022

All it takes is one Umbrel vuln to bring down half of the lightning network?

HTTPS integration needs to be the #1 priority for the Umbrel team at this point. As the network continues to scale, it is unacceptable to assume that everyone's local network should be secure, especially when that service communicates with the outside world.

@BenGWeeks

Again, why was this closed?

@relativisticelectron

Yes, why closed? An umbrel https connection would also be a benefit for specter, because it allows Notifications_API.

@i5hi

i5hi commented May 29, 2022

This makes running a home node via Tor insecure. Self signed cert is fine for private use. Seems like a basic requirement.

@ghost

ghost commented May 31, 2022

Besides that it is insecure for Tor, Apple will soon block API calls (currently deprecated), making it impossible for apps like Zeus and others to connect to Umbrel over Tor. Currently, NSAllowsArbitraryLoads -> true is required to make the connection possible.

@yavko

yavko commented Jun 14, 2022

HTTPS is required for some browser APIs, breaking some things in Nextcloud. Could this please be re-opened?

@artizzle

HTTPS is required for some browser APIs, breaking some things in Nextcloud. Could this please be re-opened?

I want https because of nextcloud as well. With just the tor I can't use the nextcloud app.

@majikaz

majikaz commented Jun 18, 2022

HTTPS SUPPORT ..AND SOME ?

It's a fine balance between Security/Usability/Functionality & initial Design purpose. Umbrel is primarily a Bitcoin Node which has morphed into a Personal OS/Server.

HTTPS is important as briefly highlighted by some of the comments above and vendor changes are coming which will break some of the methods used currently by some apps/users of this product. However, conversely we have to ask ourselves as a community what it is exactly that we want from Umbrel?

Do we want a Secure & Sandboxed BTC LN node env based around TOR and using Private Self-Signed SSL Certs (as-is now)
or
Do we want to have the functionality of a fully featured tech-stack with full blown operability over clearnet in an advanced form from where Umbrel has its abilities currently?

I am sure the Devs are thinking long and hard about the course of direction they are taking Umbrel. It's a stellar project and they have blown me away with their work.

Personally, I would like to be able to better see the abstracted layers more clearly through a Customisable UI where instead of using Hidden services and NGINX reverse/transparent proxies acting as the abstraction layer between the modular components which docker offers and change this to a thin middleware management layer with options on how we can route services or how we offer services to the public or remain private. A simple way to explain this would be to imagine a customisable WAF (WebApp Firewall) kind of like a Pi-Hole but expanded to manage routing of Apps/Protocols/Services/IPs of Umbrel apps and services where we can dictate what is exposed and what is hidden.

Umbrel is in a good place now.. but I do think there is a very important area of conversation to be had around this topic, obviously as was mentioned above there are huge implications for the LN Network if any vulns were to strike Umbrel OS which is why due caution around this topic is important.

Maybe there is a middle ground between the competing needs of Umbrel/LN/Privacy Vs a Personal Server which has part-Publicly exposed services 'or' isolated public exposure over clearnet.

This topic should remain open IMHO as it's a crucial area of particular interest to Users and developers alike.

@lukechilds
Member

Happy to re-open this issue to keep track of it.

Since there's been a lot of discussion here recently I'll link to the places this has been brought up before. If you're wondering why Umbrel doesn't yet support SSL, it's because it's not trivial to support SSL over the local network in a way that doesn't fail to actually prevent MITM attacks or introduce dangerous security footguns, you can read more on the reasons why in these previous discussions:

We definitely want to support this at some point, and we have some ideas to experiment with, but it’s not a simple fix and we want to devote some more time in the future to make sure whatever solution we implement overcomes the existing shortcomings of using SSL on the local network.

@lukechilds lukechilds reopened this Jun 21, 2022
@prologic

prologic commented Aug 1, 2022

I just installed a test version of Umbrel and to my surprise I also discovered that the default configuration is insecure:

root@umbrel:~# ss -tapn | grep LISTEN
LISTEN   0         4096                0.0.0.0:80               0.0.0.0:*        users:(("docker-proxy",pid=49619,fd=4))

This effectively means ingress traffic from "anywhere" to Umbrel can be sniffed.

Assuming the "local" network is "secure" is foolish and just plain wrong.

At a minimum adding Let's Encrypt support would be the easiest way to fix this.

@banneord-puzzle

Umbrel without SSL is a toy. I just started to test this software stack and already want to move to other solutions because it's incomprehensible to me, how can Umbrel be a serious proposition for a Bitcoin/LN node without proper encryption.

The assumption about safe network is just plain wrong. The tale about unsolvable problem of MITM on local networks is preposterous. If Umbrel image has to be written to SD card then it's a no brainer to generate/add certs at this point to the card as well.

As mentioned by @jbrill - all it takes to bring down Umbrel is one exploit that can be automated and as Cave Johnson said it - "We're done here". Lack of SSL and no seed-based-non-default-passwords is IMHO simply reckless.

@ghost

ghost commented Nov 5, 2022

Add SSL. Without this, nobody can use Umbrel for production purposes, and Tor is not convenient because of speed and the specific browser requirement.
Taking care of security is the most important thing you need to do!

@ghost

ghost commented Nov 5, 2022

I was able to fix the problem using https://github.com/suyashkumar/ssl-proxy

@marcelrv

marcelrv commented Nov 6, 2022

I indeed use something similar, but based on nginx.
What would be a super add-on is a way to create an nginx config file with all the proper ports and forwards defined (e.g. based on the .env file).

@yavko

yavko commented Nov 6, 2022

There should be a gui for this kinda like the nextcloud cli tool for adding ssl/tls

@tlindi
Contributor

tlindi commented Dec 7, 2022

There's a nice proposal for fixing this:

https://makers.bolt.fun/story/easy-switch-tor-clearnet-for-bundle-nodes--155

@justo4

justo4 commented Dec 16, 2022

I was able to fix the problem using https://github.com/suyashkumar/ssl-proxy

@connected201 Did you build it on your Umbrel node (putting golang on there etc) or were you able to get "docker-compose -f ..." to work?

@ghost

ghost commented Dec 16, 2022

No, I run ssl-proxy and connect to the web interface over the SSL proxy. Read the documentation: just download ssl-proxy and run it like this: ssl-proxy -from 0.0.0.0:4430 -to 127.0.0.1:8000, where 127.0.0.1:8000 is the Docker web interface for CasaOS or another container.

@ryenski

ryenski commented Dec 16, 2022

This should be possible using Tailscale: https://tailscale.com/kb/1153/enabling-https/
However, Umbrel does not expose port 443 by default.

@habibitcoin

Adding on, definitely believe this is crucial

@tlindi
Contributor

tlindi commented Dec 17, 2022

This should be possible using Tailscale: https://tailscale.com/kb/1153/enabling-https/ However, Umbrel does not expose port 443 by default.

Please, no additional components and service just to expose one application port.

@ryenski

ryenski commented Dec 17, 2022

Please, no additional components and service just to expose one application port.

Tailscale is already included.

@tlindi
Contributor

tlindi commented Dec 18, 2022

And it does not increase number of software nor service providers and costs to run node? And it is improving decentralization on node runners. Please?

@BenGWeeks

Tailscale is a workaround, but bad UX when users have to remember to run it to use their wallet connected to their node.

@ghost

ghost commented Jan 8, 2023

Can someone explain in detail how we can get HTTPS via Tailscale?

@coolaj86

coolaj86 commented Jan 13, 2023

Re: #1576 (comment)

Bottom line: Saying that we can't have secure logins because old 90s problems is on the same level as someone telling you that you shouldn't curl | bash because "old 90s problems".

@lukechilds Caddy does the cert-provisioning on the client-side as well. It's literally an OS (not browser) pop-up to add a cert to your keychain. But I don't really think that's the right solution anyway (despite that, I'd argue that the user trusts their own server to be a CA - if Google, Amazon, Wells Fargo, Auth0 and Okta haven't figured out CAA yet, that's truly on them).

That aside, none of those arguments hold water in the least.

That's like saying "We're not going to give you a knife because someone else might show up with a gun, or even a bigger knife. Best to be unarmed, and naked."

"Perfect is the enemy of good" and all that.

These are not challenging problems in today's age. No one is using SSL anymore. Dynamic DNS is free from multiple reputable providers from Name.com and DNSimple to GoDaddy and DuckDNS (in fact, I think you'd be hard pressed to find reputable providers that don't offer Dynamic DNS for free). Saying that customers can't trust a DNS you provide is a non-argument - they're running your software. They trust you implicitly and explicitly.

This is akin to the 90s mentality of "don't curl | bash" - which I'm sure you are well aware of - all of the technical arguments against doing The Right Thing™ (having a simple installer from a trusted source) are based in myths that have a basis in (ancient) reality - back when raptors roamed the unix system control rooms, but not the reality that we live in today (especially the last 5 years or so).

And the reason that trusting the local network is the industry standard is because the "local network" is a bunch of docker containers (or VPSes in the same private network group) that are never exposed to the outside world. When you buy a router or a smart device or something that's expected to be on a network that isn't inside a container, they're happy to pop up a warning page or have the setup tunnel through a secure server.

@warioishere

I would like to open this again. Is Umbrel still alive anyway, or a dead wreck?

@PilotoCero

It's not possible, for example, to use LNbits (Boltcard extension) because the NFC doesn't work over a non-secure network. So we really need https://

@ladstaetter

Well, this year's huge Umbrel OS update implements only a freaking new skin for the app store, that's all. I don't even understand why there is an app store when half of the apps are not even working because they need HTTPS.

@aantonop

Lack of HTTPS also disables Webauthn security key two-factor authentication in several Umbrel apps, such as BTCPay and Nextcloud

@rajarshimaitra

This has been a long-standing ask and a necessity. We hear this from our local community of users all the time. Umbrel basically kills the possibility of doing a self-hosted secured BTCPay Server for merchants via their node. If that's not THE MOST important use case for a node, I don't know what is.

Hope the Umbrel team considers this.

@aviv57

aviv57 commented Aug 19, 2023

I'm willing to donate a bounty of 0.01 BTC for Umbrel to support HTTPS. This is a must-have for Umbrel to run trustworthy Bitcoin Lightning and on-chain wallets.

@ztnewman

ztnewman commented Sep 9, 2023

Why not just include a self signed cert by default?

@Cazza9

Cazza9 commented Oct 15, 2023

for self hosting you need https

@ghost

ghost commented Nov 17, 2023

Still no updates on this?

@lorenzyannick

lorenzyannick commented Nov 19, 2023

Maybe Umbrel can implement Traefik ( https://doc.traefik.io/traefik/ )
with auto-discovery. So you can add label variables in Docker to enable a proxy with HTTPS over each app.

A good start can be adding labels in Docker files like:

labels:
      # Compose label values must be strings, so the boolean is quoted
      traefik.enable: "true"
      traefik.http.routers.<service_name>.rule: Host(`${IP_OR_DOMAIN_NAME}`) # Host requested should be IP_OR_DOMAIN_NAME
      traefik.http.routers.<service_name>.entrypoints: http # maybe use https here ?
      traefik.http.routers.<service_name>.service: ${CONTAINER_NAME}
      traefik.http.services.<service_name>.loadBalancer.server.port: 80 # Request redirect to that port of host : maybe use 443 here...

See :

@RuneStone0

+1 please find a solution for this! Looks like there are several good suggestions how to resolve this already (example)

@emileond

emileond commented Jan 2, 2024

+1 we need HTTPS

@Subseedshiva

+1 we need HTTPS

@TWP80

TWP80 commented Mar 28, 2024

I need an HTTPS connection for BTCPay Server to connect to WooCommerce. Any idea how I can do this?

@guttermonk

I need an HTTPS connection for BTCPay Server to connect to WooCommerce. Any idea how I can do this?

You can either wait for this issue to be closed (and it's been open since 2021), or you could get an Embassy from Start9.

@tlindi
Contributor

tlindi commented Mar 30, 2024 via email

@rhubbard-nwf

It's concerning that the devs believe the "local net" should be trusted, and so SSL is not a SUPER HIGH PRIORITY... I can't run LND in any form of production without proper security, local net included/especially. The security rule is simple... NOTHING IS TRUSTED. Trustless networking IS the industry standard now, and has been for 2+ years...

I really hope this issue gets resolved. This is reckless.
