OpenFactorioServerManager / factorio-server-manager

A tool to help manage Factorio multiplayer servers including mods and save games.
MIT License

Add full SSL/TLS Support #298

Open nikander100 opened 2 years ago

nikander100 commented 2 years ago

Alright, so I can't figure this out myself. I would love to use SSL so I can use a subdomain to connect to the management panel instead of the IP. My domain nikander100.tk has its DNS through Cloudflare and forces all requests to be HTTPS. If I enable SSL on the server manager it does connect, but I get a message "err_SSL_VERSION_OR_CIPHER_MISMATCH", which might be the case because I don't have any SSL on the machine where I host the server. Now my question is how and where I would add the certificate so that FSM can run SSL. I know how to self-sign certs etc., just need to know how to make it work with FSM :3

nikander100 commented 2 years ago

Nvm, I'm stupid, should have read the whole readme. HTTPS in Docker only, I think, if I read it right :/

knoxfighter commented 2 years ago

I had a quick look into the code and we do call `http.ListenAndServe(config.ServerIP+":"+config.ServerPort, router)`, which means there is no possible way to have any kind of SSL with the server directly (we should change that for sure).

It also doesn't have direct support for SSL inside Docker. What you need to do is set up a reverse proxy. You can use a Docker reverse proxy like traefik or set up a reverse proxy with nginx.

knoxfighter commented 2 years ago

Reopen this issue to track the SSL/TLS feature implemented into the manager itself.

Psychomantis71 commented 2 years ago

@nikander100 I mean, you can always put Apache in front of it and enable SSL on it: terminate SSL on Apache/the reverse proxy and forward to the server manager over HTTP. If you need a signed cert, use certbot/letsencrypt.

nikander100 commented 2 years ago

Alright, gonna have to look into that then :D, can't wait to see how the further development of the manager goes :3

Psychomantis71 commented 2 years ago

Honestly, maybe it's even better that way, since then you can combine it with software like fail2ban to stop brute-force attacks (anything you expose to the web, someone/something will try to brute-force). My recommendation, if you can (read: have the resources on the server): never expose any administration consoles/panels to the web directly, but rather set up a VPN to that environment and access it over that, and expose only things like the ports of the game itself to the internet (anything only you/admins should see -> VPN only; anything that anyone should be able to access -> feel free to expose to the web).

EphDoering commented 2 years ago

So I have a working build that adds this feature (it just conditionally calls `ListenAndServeTLS` instead of `ListenAndServe`). This works for both the HTTP stuff as well as the websocket. However, the solution is not complete/ideal because you have to manually specify port 443 since the default is 80. I was looking at making the default conditional based on whether a cert was specified, but there doesn't seem to be a way to do that without significantly re-writing config.go. (We could make a hack that says if it's 80 and they have a cert make it 443, but that would preclude someone from using port 80 with HTTPS even by specifying port 80 (which someone might want to do if they don't have control over port forwarding).) I think I'm going to open another issue about the config situation to discuss the ideal state, before I put effort into anything that goes against existing desires.

Mattie112 commented 2 years ago

Why do you want this in FSM? I would opt to leave the app as your app and use a reverse proxy (something like NginxProxyManager or similar if you prefer a UI) to do the SSL termination. Then you only have 1 place that needs access to your certificate and 1 place where you can define your ciphers.

(But if you want something, I would say use 80 for HTTP and 443 for HTTPS; having SSL on 80 is really strange. However, for Docker you might choose a different port (> 1024 to prevent the need to run as root). You can map it to anything in Docker in that case.)

EphDoering commented 2 years ago

Well, FSM is the only place my server would be using TLS, so there'd still only be one place that it would need to be set up. And at least for me, adding it to FSM was easier than setting up a reverse proxy server, as I've never done that before. I suppose for people who are already using a reverse proxy, or need to start using one because they're proxying multiple services, it wouldn't be helpful, but for everyone else I think it'd be nice if it were included.


Mattie112 commented 2 years ago

I would still opt to not implement SSL here (but hey that's just my opinion). There are other pieces of software that can do a way better job.

You will get questions like:

But I'm not a developer for this project. If you want to add it, I would add a config setting like "ssl: boolean" and then also require the input of a private key / ca-bundle (and a list of ciphers). Port could still be port (but perhaps throw a warning if SSL is on and the port is 80).

ikiris commented 2 years ago

Go's default config handles ciphers correctly now and has for some time. Cert management is not complicated: it's dead simple to generate a self-signed one if none is selected, and it's literally 2 files to drop on the server to do signed. Any HTTP endpoint that handles authentication but is not capable of being encrypted at this point is pretty embarrassing and has been for at least 10 years.

Mattie112 commented 2 years ago

Not if you expect that SSL termination is handled by some other service/proxy :)

But yeah, that's just how I think it should work. Just giving my 2 cents. Self-signed is an option ofc; then the service should generate a certificate (and perhaps tell the user how to trust that cert).
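One way to wire together the three pieces proposed in this thread (EphDoering's conditional `ListenAndServeTLS` call, Mattie112's `ssl` switch with a warning when it is on and the port is 80, and the self-signed fallback ikiris and Mattie112 mention), as an added Go example that is not part of this thread or of FSM's code. The `Config` field names (`Hostname`, `SSL`, `CertFile`, `KeyFile`) and the function names are assumptions for the example; FSM's real config.go is laid out differently. Cipher suites are deliberately left at Go's defaults and only the minimum protocol version is pinned.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"log"
	"math/big"
	"net/http"
	"time"
)

// Config holds the fields the thread discusses (names are assumptions, not FSM's config.go).
type Config struct {
	ServerIP   string
	ServerPort string
	Hostname   string // name clients connect with; only used for the self-signed fallback
	SSL        bool   // the proposed "ssl: boolean" switch
	CertFile   string // PEM certificate or chain; empty means generate a self-signed one
	KeyFile    string // PEM private key
}

// ListenMode decides between ListenAndServe and ListenAndServeTLS and collects the
// warnings an operator should see (SSL on port 80) before anything binds.
func ListenMode(c Config) (useTLS bool, warnings []string, err error) {
	if !c.SSL {
		return false, nil, nil
	}
	if c.ServerPort == "80" {
		warnings = append(warnings, "ssl enabled on port 80: clients expect plain http there")
	}
	if (c.CertFile == "") != (c.KeyFile == "") {
		return false, warnings, errors.New("CertFile and KeyFile must be set together")
	}
	return true, warnings, nil
}

// SelfSignedCert builds an in-memory ECDSA P-256 certificate for host, the
// "generate a self-signed if none are selected" fallback from the thread.
func SelfSignedCert(host string, validFor time.Duration) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // uniqueness is enough for a self-signed cert
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // browsers match on the SAN, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// BuildTLSConfig loads the operator's cert/key pair or falls back to a self-signed one.
// Cipher suites stay at Go's defaults, as ikiris notes; only the minimum version is pinned.
func BuildTLSConfig(c Config) (*tls.Config, error) {
	var cert tls.Certificate
	var err error
	if c.CertFile != "" {
		cert, err = tls.LoadX509KeyPair(c.CertFile, c.KeyFile)
	} else {
		cert, err = SelfSignedCert(c.Hostname, 365*24*time.Hour)
	}
	if err != nil {
		return nil, err
	}
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}, nil
}

// Serve is the conditional ListenAndServe / ListenAndServeTLS call EphDoering describes.
func Serve(c Config, handler http.Handler) error {
	useTLS, warnings, err := ListenMode(c)
	if err != nil {
		return err
	}
	for _, w := range warnings {
		log.Println("warning:", w)
	}
	srv := &http.Server{Addr: c.ServerIP + ":" + c.ServerPort, Handler: handler}
	if !useTLS {
		return srv.ListenAndServe()
	}
	if srv.TLSConfig, err = BuildTLSConfig(c); err != nil {
		return err
	}
	// Empty file names are valid here because TLSConfig.Certificates is populated.
	return srv.ListenAndServeTLS("", "")
}
```

`Serve(Config{ServerIP: "0.0.0.0", ServerPort: "8443", Hostname: "fsm.example", SSL: true}, router)` would serve the existing router over TLS with a self-signed certificate for `fsm.example`; pointing `CertFile`/`KeyFile` at a Let's Encrypt pair switches to the signed one without any other change. Note that a self-signed certificate generated this way is not trusted by browsers until the user imports it, which is the "tell the user how to trust that cert" step from the thread.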