ngoduykhanh / wireguard-ui

Wireguard web interface
MIT License

Doubt about https local ip #439

Open rcv11x opened 10 months ago

rcv11x commented 10 months ago

Hello, I do not know if this is the right place to ask, but how can I access the web interface over https instead of http? I do not plan to expose the web interface by opening ports; I just want https for local access.

Ghostshadow81 commented 10 months ago

Me too, please. Can anyone help?

petricf commented 10 months ago

On Debian I used nginx as a reverse proxy.

After installing nginx I replaced the nginx config (copied from somewhere on the web):

server {
    listen 80;
    server_name wireguard-server.fritz.box;

    rewrite ^/(.*)$ https://$host$request_uri? permanent; 
}

server {
    listen 443 ssl;
    server_name wireguard-server.fritz.box;

    ssl_certificate      /etc/ssl/private/wireguard-server.crt;
    ssl_certificate_key  /etc/ssl/private/wireguard-server.key;

    ssl_prefer_server_ciphers on;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /etc/ssl/private/dh2048.pem;

    # intermediate configuration. tweak to your needs.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    location / {
        proxy_pass http://127.0.0.1:5000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

Maybe it is not the best configuration, but it "works for me".

You have to adapt the lines beginning with "server_name" to match your host name.

I used self-signed certificates. I created them (here: valid for 20 years) this way:

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/wireguard-server.key -out /etc/ssl/private/wireguard-server.crt
openssl dhparam -out /etc/ssl/private/dh2048.pem 2048

If wireguard-ui is running on the same host as the nginx-server you can change the start to: wireguard-ui -bind-address 127.0.0.1:5000

The http-port (80) is also served but immediately redirected to https.

This is how I did it.
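
A hardened variant of the reverse-proxy configuration from the comment above, as an added example that is not part of the thread or the wireguard-ui project. It assumes nginx 1.13 or later built against OpenSSL 1.1.1 or later (for TLS 1.3), and reuses the host name, certificate paths and backend address from that comment.

```nginx
# Added example (not from the thread). Assumptions: nginx >= 1.13 with
# OpenSSL >= 1.1.1; wireguard-ui bound to 127.0.0.1:5000 on the same host.

server {
    listen 80;
    server_name wireguard-server.fritz.box;

    # Plain HTTP only redirects; nothing is proxied over it.
    return 301 https://$host$request_uri;
}

server {
    # The "ssl" parameter on listen enables TLS. The standalone
    # "ssl on;" directive was removed in nginx 1.25.1.
    listen 443 ssl;
    server_name wireguard-server.fritz.box;

    ssl_certificate      /etc/ssl/private/wireguard-server.crt;
    ssl_certificate_key  /etc/ssl/private/wireguard-server.key;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); allow 1.2 and 1.3 only.
    ssl_protocols TLSv1.2 TLSv1.3;

    # TLS 1.2 suites: ECDHE key exchange with AEAD ciphers only.
    # No DHE suites are listed, so no ssl_dhparam file is needed.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    location / {
        # Backend stays on loopback so the UI is reachable only through TLS.
        proxy_pass http://127.0.0.1:5000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Check the file with `nginx -t` before reloading nginx.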

systemcrash commented 9 months ago

A similar result is possible using Caddy.

stale[bot] commented 7 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.