How can I turn on https?

How can I turn on https on the Umbrel web interface?

Why is it turned off by default?

4 Likes

No, Umbrel works by default all behind Tor. That means access from outside the LAN can be done using the onion address for each app.
When accessing on the local LAN there’s NO need for https; you just access using http://umbrel.local or http://192.x.x.x, the local IP of your node.

If you really need access on clearnet for specific apps like btcpay or lnbits, then follow the dedicated guides from The Guides section of this forum.

I would also like an answer to the OP’s question. I just installed umbrel and was very shocked to see that by default it is running http.
Just saying that there is no reason to run https on your LAN is not accurate. There are many valid reasons to run https on even a secured network. Concepts of Defense in Depth tell us to not rely on a single defense mechanism, but as many as feasible. If a host on LAN is compromised, they will own your umbrel quick without https.
There is definitely a way to use SSL/TLS on any address, local or not. Most routers have it built in out of the box. It may not be connected to a Certificate Authority, but it is still better than unencrypted.
Using https is always a best practice and in this day and age, http should not be used at all for anything remotely confidential.

Also, running http across Tor does not fully secure the connection. Tor provides data CONFIDENTIALITY from the ISP, but not from the Tor exit node (which can be run by anyone).
Tor also does not provide data INTEGRITY which verifies that the message or information was not changed in flight.
TLS secures data INTEGRITY and CONFIDENTIALITY end to end. Tor provides a layer of anonymity and encryption.

I’m sure I can pretty easily turn on TLS by playing around with the Debian environment, but if this is not a built-in feature it brings into question the security stance of Umbrel as a whole…

12 Likes

If you do not trust your own LAN… I don’t know why you are still using the internet… use smoke signals

3 Likes

This is such a stupid and uneducated comment. Techengineer21 is 100% correct in his/her post, and umbrel should implement https if it is to be taken seriously as a productivity tool. Heck there is already a docker image called caddy that already does this for you (automatically uses Let’s Encrypt and could be attached as a front end to all the other docker images). Adding https would only benefit this project.

18 Likes

Any updates?

I just installed Umbrel but I can’t use it anymore because I need to use a REMOTE computer to connect to my umbrel, so https is essential even though it is via TOR, because even so login passwords travel through TOR in the clear.

Of course, I had the same thoughts. Two days ago I got Umbrel up and running on my Linux Mint box. I am quite excited.

I installed Tailscale as a solution for remote access just in case I need it. Any thoughts on that?

I would like to learn more. I’m new to using TOR extensively so I have been reading these comments with great interest.

Getting ready to launch my second BTC full node. The first one is running on a Linux box but I’m excited to fire it up inside Umbrel and start expanding my activities.

3 Likes

Well, because of this I’m not as happy as I could be. There is of course a way of using a reverse proxy (and I can do it), however not having the option at all on umbrel is definitely bad practice. There are so many useful apps, but not one for a simple webservice, with LE or another free valid SSL certificate? C’mon man!

1 Like

check this

From some quick research, it seems that Umbrel supporting https is an old and pretty common request, as it is still an active request on the project’s GitHub.

Github Request Issue #546

As is pointed out in the Issue, only relying on tor is not only a bad practice for a few reasons, but a lot of apps are not fully functional or are functionally broken due to the lack of https. Some of the commonly mentioned solutions are:

  • SSL-Proxy

  • NGINX

  • Traefik

It seems that NGINX is the most common because it is a very standard solution. I cannot speak on it as a tool because I have never used it; however, I use Traefik on my other server and can attest to it being a straightforward solution that is easy to set up as a one-container solution and implement reverse proxying with the individual apps through labels on the docker container.

Personally, I feel that Traefik would be the most straightforward solution, as once the Umbrel team can smooth out the initial traefik proxy/socket container to make it compatible with the dashboard, they can then require the maintainers of the apps to implement the labels into their containers and record the ports that they use so that multiple maintainers don’t use the same ports, making running both apps useless. This would however require the end user to have their own domain name.

This post came out longer than expected. I just wanted to round up some information out there on the issue to kind of centralize a talking point on this discussion.

1 Like
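The label-based approach described in the post above, as an added example that is not from the thread or from the Umbrel project: a Docker Compose file in which Traefik terminates TLS and routes to one app through container labels. The hostname `app.example.com`, the e-mail address, the resolver name `le` and the `traefik/whoami` container standing in for an app's web UI are all assumptions.

```yaml
# Added example, not Umbrel's configuration. All names below are placeholders.
services:
  traefik:
    image: traefik:v2.11
    command:
      - --providers.docker=true
      # Containers are published only if they opt in with traefik.enable=true.
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      # Plain HTTP is answered only with a redirect to HTTPS.
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      # Let's Encrypt via the TLS-ALPN-01 challenge: needs a public DNS name
      # and port 443 reachable from the internet.
      - --certificatesresolvers.le.acme.tlschallenge=true
      - --certificatesresolvers.le.acme.email=admin@example.com
      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./letsencrypt:/letsencrypt
      # A :ro mount does not restrict Docker API calls made over the socket;
      # a filtering socket proxy in front of it narrows what Traefik can do.
      - /var/run/docker.sock:/var/run/docker.sock:ro

  app:
    image: traefik/whoami        # stand-in for an app's HTTP web UI
    # No "ports:" section: the app is reachable only through the proxy.
    labels:
      - traefik.enable=true
      - "traefik.http.routers.app.rule=Host(`app.example.com`)"
      - traefik.http.routers.app.entrypoints=websecure
      - traefik.http.routers.app.tls.certresolver=le
      # Port the app listens on inside the container; each app declares its own.
      - traefik.http.services.app.loadbalancer.server.port=80
```

Because routing is by hostname and each app declares its internal port in its own labels, two apps listening on the same container port do not collide on the host.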

Specter wallet also depends on https when using the camera to authorize air gapped transactions or simply to scan a QR; it forces you to run the wallet on localhost or https. I shared a workaround to run umbrel in a VM as localhost, but that won’t work when connecting from another device in a bridged network, which is the usual setup when running from an Umbrel Home or Raspberry Pi 4. And even if there were a setting to ignore SSL like Sparrow wallet, I’d prefer not to use it because I travel a lot with my Umbrel and I can’t assume all of the LAN networks I join are safe.

The lack of HTTPS gives issues with apps such as Snort, and likely other apps in the future. Regardless of one trusting their own LAN or not, using HTTPS should be a default offering… Many buyers of Umbrel are Bitcoiners who all care about security, so catering to the primary customer base seems like a no-brainer…

2 Likes

Any news from developers on the https issue? It’s been an ongoing question for years, should be solved now, if ever?

Any news about this?

The only news I’ve seen is when the 1.0 ad dropped they stated that it’s soon on the docket. However, I feel like they’ve been saying soon for a while, so as far as when it’s actually going to be implemented? No idea.