HTTP vs HTTPS for Allmon3

I was giving a talk last night on ASL V3 and an observant listener pointed out that the Web Admin Portal (Cockpit) is https but the Node Links (Allmon3) is http and NOT https!!!

Why?

This means the Allmon3 login username and password are being sent in the clear.

Roger
WA1NVC

You need to be more specific about “ASL v3”. Are you talking about a Pi Appliance or did you install the ASL3 packages on a stock Debian 12 system?

On an ASL3 Pi Appliance image, the website is absolutely configured to use HTTPS unless it was reconfigured not to.

On a generic Debian 12 system, it’s based on whatever the system admin configured. Allmon3 doesn’t/can’t control the webserver configuration for that.

This is an up-to-date Pi-appliance node (RPi4B 4 GB).

I did more investigation:

I tunneled to the LAN behind the router where this node is located and tried local https access and sure enough https works there for Dashboard, Cockpit, and Allmon3.

The confusing part was why the Cockpit used https and Allmon3 did not.

Port 9090 (Cockpit) is port forwarded in the router to the ASL node.

A 5 digit WAN port number is port forwarded to LAN port 80 on the ASL node.

For Allmon3, and the Dashboard, I think I need to figure out how to port forward the 5 digit port number to both ports 80 & 443.

Can I port forward that 5 digit port number to both port numbers 80 and 443?

Maybe I should just port forward the 5 digit WAN port number to LAN port 443 and not port forward port 80 and block it at the ASL Firewall?

For nodes with a public IP what’s the best way to handle this?

Block port 80 in FirewallD and change Apache2 to use something other than port 443 and port 80?

Roger
WA1NVC

Hrm… the redirection on the Pi appliance is not universally working properly. There are pathways to get it to serve up a non-TLS URL.

However, the best way to deal with this if you’re port-forwarding is just to port-forward to port 443. Then you can’t escape the TLS.

I think I have a solution.

For one node, where the WireGuard client is installed on the node, I could block the http port in FirewallD and make sure not to block the https port.

On another node I have behind a router, I only port forwarded the https port and not the http port. For added obscurity, the WAN https port number is not the same as the LAN https port number. I do the same for ssh.

Roger
WA1NVC
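
Added example, not part of the thread: a Python check to run from outside the LAN against the forwarded WAN port, reporting whether that port answers with TLS or with cleartext HTTP (the situation described above, where the WAN port was forwarded to LAN port 80). The function name `probe` and the command-line arguments are illustrative; certificate verification is disabled on the assumption that the node may present a self-signed certificate.

```python
import socket
import ssl
import sys


def probe(host, port, timeout=3.0):
    """Return 'tls', 'plaintext-http', 'closed' or 'other' for host:port."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"  # refused, filtered or unreachable

    # Try TLS first: some TLS listeners answer a plaintext request with a
    # plaintext error page, so "did it answer HTTP?" alone would mislead.
    # Assumption: the node may use a self-signed certificate, so verification
    # is off. This asks only "is the port encrypted?", not "is the cert valid?".
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls"
        except OSError:  # ssl.SSLError is a subclass: bad handshake or timeout
            pass

    # No TLS on this port. See whether it answers a cleartext HTTP request.
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            reply = s.recv(16)
    except OSError:
        return "other"
    return "plaintext-http" if reply.startswith(b"HTTP/") else "other"


if __name__ == "__main__":
    # Usage: python3 probe.py <public-host> <wan-port>
    result = probe(sys.argv[1], int(sys.argv[2]))
    print(f"{sys.argv[1]}:{sys.argv[2]} -> {result}")
    sys.exit(0 if result == "tls" else 1)
```

A result of `plaintext-http` on the WAN port means a login through that port would travel unencrypted; after forwarding only to port 443, the same port should report `tls`.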