Feature Request: Support for TLS #236
@t3chn0m4g3 Why not run a proxy like Caddy with TLS and auto-renew in front of your SNARE instances? I would prefer to keep the SNARE complexity low.
@glaslos Thanks for your feedback. Yes, this is possible of course; however, if you look here you will hopefully agree that introducing Caddy (which is great) will only introduce another point of failure and increase complexity with regard to analyzing logs / events in just one place.
It kind of depends on how we want to implement #36. If SNARE does multi-site, then we could also do TLS in SNARE; if we recommend one SNARE instance per site, then it would make more sense to also do TLS in the proxy doing the vhost.
Thanks for the feedback. Is #36 part of GSoC 2020?
Probably, @afeena is quite open and will plan the features with the student.
I think it might be a good task to work on :) I am definitely up for spending some time on it.
Sounds great :) Thx.
@t3chn0m4g3 @glaslos I am planning to include this in my GSoC proposal. I was thinking of adding TLS without doing the multi-site support. I wanted to know what problems I will run into, and what approach you would recommend taking.
Generally any site will need a separate certificate, so I think you are fine with suggesting this for a single-domain approach. Would be nice if you would add some thoughts on how to scale to multiple sites.
@glaslos @Parth1811 I do not think every site needs its own cert, since Let's Encrypt supports wildcard certificates with certbot 0.22.0.
@t3chn0m4g3 @glaslos Regarding wildcard certificates, Let's Encrypt only supports them in ACMEv2, for which you have to get validated using the DNS-01 challenge, which would be difficult with dynamic IP/DDNS. So my plan of action would be to provide two methods of certificate generation:
Also, I think each site will need a different certificate. We can do a certificate management task at the beginning of each SNARE instance for different sites. Correct me if I got something wrong :)
Yeah, wildcards only solve the problem for subdomains; I'm usually setting up multiple FQDNs. Do some research on how difficult this is in Python and let me know what you find.
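As an added example for the "multiple FQDNs in Python" question (this is not SNARE's code and not something posted in the thread), the following shows how one TLS listener can answer for several hostnames with their own certificates using the standard library's SNI callback, and how the honeypot can still see every event in one place. The hostnames, certificate paths and the `SITE_CERTS` / `match_site` / `make_listener_context` names are constructed assumptions; the `aiohttp` wiring at the bottom is only run when the file is executed directly.

```python
"""Serve several FQDNs, each with its own certificate, from one TLS listener.

Added example for this thread; it is not SNARE's code. Hostnames and file
paths below are constructed assumptions. Certificate selection happens in
the ssl module's SNI callback (Python 3.7+), so a single listener on :443
can answer for every site while keeping one place to log events.
"""
import logging
import ssl
from typing import Dict, Optional, Tuple

log = logging.getLogger("snare.tls")

# Assumed site table: hostname or single-label wildcard -> (cert chain, key).
SITE_CERTS: Dict[str, Tuple[str, str]] = {
    "www.example.com": ("certs/www.example.com.crt", "certs/www.example.com.key"),
    "*.example.net": ("certs/wildcard.example.net.crt", "certs/wildcard.example.net.key"),
}
DEFAULT_SITE = "www.example.com"  # used when the client sends no SNI or an unknown name


def match_site(server_name: Optional[str], sites: Dict[str, Tuple[str, str]],
               default: str) -> str:
    """Pick the site key whose certificate should answer for server_name.

    Exact match wins; otherwise a "*.domain" entry matches exactly one leftmost
    label (the only wildcard form public CAs such as Let's Encrypt issue, and the
    only one clients accept per RFC 6125); anything else falls back to default.
    """
    if not server_name:
        return default
    host = server_name.lower().rstrip(".")
    if host in sites:
        return host
    if "." in host:
        _, parent = host.split(".", 1)
        if "*." + parent in sites:
            return "*." + parent
    return default


def _server_context(cert: str, key: str) -> ssl.SSLContext:
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(cert, key)
    return ctx


def make_listener_context(sites=SITE_CERTS, default=DEFAULT_SITE) -> ssl.SSLContext:
    """Build the context for the listening socket, with per-site contexts behind SNI."""
    per_site = {name: _server_context(*paths) for name, paths in sites.items()}
    # The listener context itself must carry a certificate: clients that send no SNI
    # (scanners, raw-IP hits) never trigger the callback and get this one.
    listener = _server_context(*sites[default])

    def on_sni(sock, server_name: Optional[str], _ctx: ssl.SSLContext):
        chosen = match_site(server_name, sites, default)
        # The requested name is worth recording: scanners hitting a honeypot by IP
        # send no SNI, while targeted visitors name the site they expect.
        log.info("SNI %r -> %s", server_name, chosen)
        sock.context = per_site[chosen]  # swap certificate before the ServerHello
        return None  # None = continue the handshake

    listener.sni_callback = on_sni
    return listener


if __name__ == "__main__":
    # Wiring into an aiohttp app (the framework SNARE is built on); aiohttp is
    # imported here so the selection logic above stays usable without it.
    from aiohttp import web

    logging.basicConfig(level=logging.INFO)

    async def hello(request: web.Request) -> web.Response:
        return web.Response(text="served for %s\n" % request.host)

    app = web.Application()
    app.router.add_get("/", hello)
    web.run_app(app, port=443, ssl_context=make_listener_context())
```

Each entry in the table is still its own certificate (one per FQDN, or one wildcard per parent domain, as discussed above), but the listener, the logging and the vhost decision stay inside the one Python process, which is the single-point-of-analysis argument made earlier against putting a separate proxy in front. Certificates from certbot can be dropped into the paths in the table; renewal only requires rebuilding the contexts.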
Most websites run on TLS today, which attackers will most likely focus on. It would be great if Snare had the option of using TLS.