[Solved] Feature Request - HTTPS for remote access

As per subject; currently remote access runs off regular HTTP — would that mean the password is sent in the clear? And/or, I suppose, the details of the Duplicati setup, for anyone watching the communication…

Would be nice to have an HTTPS version…

It is supported, I’ve seen some people report that they use certificates with the web server engine, but I would strongly advise against exposing the Duplicati Web UI to an untrusted network (like the Internet).

I remember reading posts by the authors that the Web UI is not hardened for situations like that, and you are potentially exposing very critical information (authentication keys to cloud storage, encryption passwords, etc).

Instead maybe VPN in to your private network and then manage it that way. TLS is less of a necessity in that situation.

It sounds like something that is a hackable bolt-on rather than really supported.

I am running in a Windows environment, so it's unclear how to break into the web server internals.

The option to provide hostnames implied external access but the points you make about security risks are valid - so a bit of a contradictory approach.

Anyway - put to bed given the VPN alternative

No break in needed. Just give it the options, e.g. it needs to know your certificate information.

Duplicati.Server.exe (and should also work on Duplicati.GUI.TrayIcon.exe if that’s what’s run).

  • --webservice-sslcertificatefile
    The certificate and key file in PKCS #12 format the webserver use for SSL. Only RSA/DSA keys are supported.
  • --webservice-sslcertificatepassword
    The password for decryption of certificate PKCS #12 file.

Exactly how you add options depends on what you’re running. For example, if you Run a TrayIcon at Windows user login, then editing the shortcut (or maybe making one’s own to avoid Duplicati installer meddling with the custom version) works. For a Windows service, Duplicati.WindowsService.exe gets those additional options on its install run, although it’s likely easier to just edit the Windows service.

Running duplicati docker container with https is a How-To for Docker, but likely works without Docker.
There are topics in other forum categories that get into setup as well. I see some in Support category.
Forum search for sslcertificatefile has discussions to supplement the How-To. I don’t run https myself.

So maybe not needed, but I wanted to say it in this feature request to show it’s a built-in, not a bolt-on.

Background - just spent 1.5 hours trying to update the certificate for some additional new domains. The documentation is not obvious about what to do.

The final working solution

  1. must have both options (the file and the password; even if actual .p12 isn’t password protected must still have the option there but empty)
  2. the options are in format

--webservice-sslcertificatefile=[path]
--webservice-sslcertificatepassword=[password (empty is ok)]
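
A pre-flight check for the certificate file before passing the two options above, as an added example that is not from the thread or from Duplicati itself. The script parameters, the .p12 path and the Duplicati.Server.exe install path are assumptions to adjust; only the two --webservice-ssl* options come from the posts above.

```powershell
# Added example: validate the PKCS #12 file, then start Duplicati with both options.
param(
    [string]$P12Path     = 'C:\certs\duplicati.p12',  # assumed location of the .p12 file
    [string]$P12Password = '',                        # may be empty, but the option is still passed
    [string]$ServerExe   = 'C:\Program Files\Duplicati 2\Duplicati.Server.exe'  # assumed install path
)
$ErrorActionPreference = 'Stop'

# Loading throws here if the file is not PKCS #12 or the password is wrong.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList $P12Path, $P12Password

$problems = @()

# The web server needs the private key, not just the certificate.
if (-not $cert.HasPrivateKey) { $problems += 'file contains no private key' }

# The option help states that only RSA/DSA keys are supported.
$rsaOid = '1.2.840.113549.1.1.1'
$dsaOid = '1.2.840.10040.4.1'
if ($cert.PublicKey.Oid.Value -notin @($rsaOid, $dsaOid)) {
    $problems += "key algorithm '$($cert.PublicKey.Oid.FriendlyName)' is not RSA or DSA"
}

# Catch an expired or not-yet-valid certificate before the browser does.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    $problems += "certificate is only valid from $($cert.NotBefore) to $($cert.NotAfter)"
}

if ($problems.Count -gt 0) {
    throw ('Certificate check failed: ' + ($problems -join '; '))
}

# Show the subject and the Subject Alternative Names (extension 2.5.29.17)
# so newly added domains can be confirmed by eye.
Write-Host "Subject: $($cert.Subject)"
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) { Write-Host $san.Format($true) }

# Both options are always passed, even when the password is empty.
# The password is visible in the process command line to other local users.
& $ServerExe "--webservice-sslcertificatefile=$P12Path" `
             "--webservice-sslcertificatepassword=$P12Password"
```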