Closed uplight-dev closed 8 months ago
Sorry this issue appears to be multiple statements baked in to one.
First off. You can do dns based acme with caddy/reverse proxy of your choice to get a valid tls certificate without exposing your internal services to the Internet.
Secondly, there isn't anything I can do to alter how Web browsers implement the webauthn protocol, and thus they will require a valid certificate, it's part of the spec (unless you're using it on local host).
2 & 3: the documentation lists that the tunnel option also takes the cert and key path arguments. This is the example config, I expected that having it just in the public option would be enough. The MFA page will still be avaliable regardless of whether it uses tls or not, not sure what you mean by this, in the example it just isn't on 443
4: A tls certificate isn't tied to the port it's used on, it's tied to the host address so using an alternate port makes no difference. You're more than welcome to use 443 as you can change the port in your own config
5: You can put this in your configuration if you like. However it doesn't make a lot of sense to remove the automatic additional of the rule to allow access to the MFA endpoint, and you can see this in your rules via the Web interface or cli when wag is running. Considering also that this would require everyone who uses wag to add effectively the same entry to their config it reduces work, plus I'm definitely not changing it now as it would break lots of wag deployments.
I'm trying to do MFA registration by using the internal wireguard network and without exposing 443 to the internet.
In the WAG README.md:
Thank you!