search

papuSpartan / stable-diffusion-webui-auto-tls-https

An extension for AUTOMATIC1111's Stable Diffusion Web-UI that enables easy or zero-conf TLS for HTTPS
61 stars 4 forks source link
automatic1111 https security ssl stable-diffusion stable-diffusion-web-ui stable-diffusion-webui-plugin tls

readme

SDWUI Auto TLS-HTTPS Extension

This extension allows you to easily, or even completely automatically start using HTTPS with SDWUI. [It will help prevent your shrek image generations from being stolen! (see below)]

Extension implementation of https://github.com/AUTOMATIC1111/stable-diffusion-webui/pull/4417

This extension is not intended for use with Google Collab instances.

Usecase 1 - Automatic(Default):

If this extension is enabled it will, by default:

Usecase 2 - Bring your own certificate:

If passed an existing key/cert pair by using --tls-keyfile and --tls-certfile, the extension will try to do the same as Usecase 1 but with your specific certificate. note: if you choose this option make sure that your SDWUI server name (--server-name) matches the common name set in the certificate you pass. Otherwise you will likely encounter an exception causing your program to crash.

With both of these methods, by passing the certificate to Python requests as being trusted, the webui will be able to run using HTTPS. This is because the certificate will then be seen as valid by the SDWUI processes after the extension passes it to the webui.

Installation

You can install this extension automatically using SDWUI's "Extensions" tab if your installation is up to date. \ See https://github.com/AUTOMATIC1111/stable-diffusion-webui/wiki/Extensions

For security reasons you may encounter an error in the console upon restart after installing if you are running with --listen and do not include --enable-insecure-extension-access.

If you are using a relatively new version of sdwui, you will want to add --disable-tls-verify to your launch options if you are going with usecase 1.

But... I'm still getting certificate errors / I'm getting warnings

warning

If you are in fact connecting to the link output by the webui console, this is expected, do not be alarmed. You have two options, the second is slightly more difficult to setup.

A. You can simply tell your browser to add an exception. (most browsers have similar steps)\ B. You can properly configure things so that the browser knows that you trust the sdwui page:

This extension is, right now, dealing only with Python's certificate trust store. It is not interacting with your system level trust store. Operating system specific trust store support may be added later, but if having to give a certificate exception at the browser level is not adequate for you then you could add the webui.cert to your OS's trust store which should eliminate those warnings.

Here's how to do that on some common platforms:

Windows \ OSX \ Linux(Ubuntu)

Additionally, firefox users should read https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox

Why?

Without this extension, SDWUI will simply use unencrypted HTTP. Read this article by cloudflare if you would like to better understand why this is bad. But long story short, If an attacker were to join your local network, they would be able to passively listen to your SDWUI traffic and grab entire images without even having direct access to your SDWUI server.

Here's an example of this using wireshark:

By filtering in Wireshark to connections made to my SDWUI and HTTP protocol, we can easily see the HTTP GET and response containing the entire unencrypted image which was generated in SDWUI.

GET Request: image

Unencrypted Response: image

After receiving the response with the PNG data we can simply:

  1. Select "Portable Network Graphics" image
  2. Right click and select export packet bytes
  3. Read the file you saved the bytes to as a PNG
  4. You have now stolen some poor user's shrek image 😢

image