-
-
Notifications
You must be signed in to change notification settings - Fork 2.9k
Providing encrypted web access to Etherpad Lite using SSL certificates (HTTPS: )
which when referencing an insecure (http) resource within a secure (https) page. Such references create vulnerabilities that put the privacy and integrity of an otherwise-secure page at risk, because the insecure content could be modified in transit. If added to the DOM, insecurely-delivered content can read or alter the rest of the page even if the bulk of the page was delivered over a secure connections. (cited from https://blogs.msdn.com/b/ieinternals/archive/2009/06/22/https-mixed-content-in-ie8.aspx?Redirected=true)
The following information has been carefully collected but may contain errors or may be fully or partially outdated. Please use the description with care.
Familiarise yourself with the SSL concept and get a second opinion of SSL, server keys and encrypted transmission by studying also other web resources.
Only deploy SSL to your production system if you exactly know what you are doing.
By default, Etherpad Lite runs via http:// which is unsecure in many respects, for example regarding the transmission of admin or user passwords in plain text, and also regarding confidential pad contents. When using http.
But there is hope.
As a server admin using this patch you can now set up your Etherpad Lite to use the native https server part of Node and Express framework in a fully secure way. There is no need for using an additional Apache or Nginx server or proxy.
The following description for Linux assume that you want to
- generate self-signed keys
- which are valid for 9000 days.
If you want to have your key signed by approved Certificate Authority (CA), it's getting difficult and you usually need to pay yearly. There is at least one "Web of Trust" (WoT) community CA called "CAcert" (see reference section), which - once you became assured member - allows you to get CAcert-signed server keys which lasts for two years for free.
Some intermediate files will be generated but not explained here, too keep it concise. Read the page in "References" if you are curious what they are for.
- uncomment the SSL section in the settings.json.template of your EPL installation
- generate a file epl-server.key which does not require a password
# generate the server key
openssl genrsa -des3 -out epl-server.key 4096
openssl req -new -key epl-server.key -out epl-server.csr
openssl x509 -req -days 9000 -in epl-server.csr -signkey epl-server.key -out epl-server.crt
# make a version of the server key which does not require a password
openssl rsa -in epl-server.key -out epl-server.key.insecure
mv epl-server.key server.key.secure
mv epl-server.key.insecure epl-server.key
- generate a second key as your own "Certificate Authority" (CA) with which you can self-sign the epl-server.key
# generate a second (temporary) key as the key of your own CA
openssl genrsa -des3 -out own-ca.key 4096
openssl req -new -x509 -days 9000 -key own-ca.key -out own-ca.crt
# sign your epl-server.key with the certificate of your own CA resulting in a self-signed epl-server.key
openssl x509 -req -days 9000 -in epl-server.csr -CA own-ca.crt -CAkey own-ca.key -set_serial 001 -out epl-server.crt
- deploy the two files (epl-server.key and epl-sever.crt) on your server, so that only the etherpad (process, task, program) user can access this sensitive data
chmod 400 epl-server.key
chown etherpad epl-server.key
chmod 400 epl-server.crt
chown etherpad epl-server.crt
- these files are no longer needed unless you want to create further keys as "own CA":
epl-server.key.secure
epl-server.csr
own-ca.key
own-ca.crt
- restart your EPL server
An important thing is to tell users what a "fingerprint of the server key" is and how they can check whether the received fingerprint in the current browser connection matches the correct server fingerprint. (Details will be added later, I just wanted to mention it.)
- Creating Certificate Authorities and self-signed SSL certificates if you want to know everything about CA and self-signed SSL certificates.
- https://www.cacert.org If want to have free certificates issued to you, join the CAcert Community.
- https://en.wikipedia.org/wiki/Cacert "CAcert.org is a community-driven certificate authority that issues free public key certificates to the public (unlike other certificate authorities which are commercial and sell certificates). CAcert has over 200,000 verified users and has issued nearly 800,000 certificates as of January 2012."
- Docs
- Translating
- HTTP API
- Plugin framework (API hooks)
- Plugins (available)
- Plugins (list)
- Plugins (wishlist)
- Etherpad URIs / URLs to specific resources IE export
- Etherpad Full data export
- Introduction to the source
- Release Procedure
- Etherpad Developer guidelines
- Project to-do list
- Changeset Library documentation
- Alternative Etherpad-Clients
- Contribution guidelines
- Installing Etherpad
- Deploying Etherpad as a service
- Deploying Etherpad on CloudFoundry
- Deploying Etherpad on Heroku
- Running Etherpad on Phusion Passenger
- Putting Etherpad behind a reverse Proxy (HTTPS/SSL)
- How to setup Etherpad on Ubuntu 12.04 using Ansible
- Migrating from old Etherpad to Etherpad
- Using Etherpad with MySQL
- Customizing the Etherpad web interface
- Enable import/export functionality with AbiWord
- Getting a list of all pads
- Providing encrypted web access to Etherpad using SSL certificates
- Optimizing Etherpad performance including faster page loads
- Getting to know the tools and scripts in the Etherpad /bin/ folder
- Embedding a pad using the jQuery plugin
- Using Embed Parameters
- Integrating Etherpad in a third party app (Drupal, MediaWiki, WordPress, Atlassian, PmWiki)
- HTTP API client libraries