HTTPS

From FOG Project
Revision as of 20:27, 3 February 2020 by SebastianRoth (talk | contribs)

Secure connections like HTTPS have become state of the art across the web over the years. While FOG has used secure encryption for the fog-client communication since 2016, the FOG web UI was still using plain HTTP. Enabling HTTPS is not as easy as generating a certificate and configuring Apache to use it, because PXE boot also relies on HTTP(S) communication with the FOG server.

We try to make setting up a fully HTTPS-enabled FOG server more convenient and encourage people to use it, but we still don't consider it wise to make it the default because it's a complex topic (FOG server, PXE boot, fog-client). Up until now you had to use the command line switch "--force-https" to enable HTTPS, but with FOG 1.5.8 this will be a question asked by the installer. Either way, FOG will run in HTTPS mode:

  • The Web UI will be accessible through the new URL https://fogserver/fog/ but will also redirect requests going to the old HTTP URL.
  • The installer generates a different Apache configuration to enable HTTPS as well as redirect all requests from HTTP to HTTPS (minor exceptions exist).
  • The installer compiles custom iPXE binaries for you, including your personal FOG server CA certificate, for sending information via HTTPS.

The last point seems trivial but really is not. During PXE boot there are situations where the username and password are sent over the wire, and we wanted to make this as secure as the rest. This means the iPXE binary booting on the client needs to trust your FOG webserver, and we build that trust chain by embedding the CA certificate into the iPXE binary.


All fine, I have enabled HTTPS but now I have this ugly warning in my web browser saying this connection is not secure at all. Yes, this is because we can't offer certificates from an official certificate authority. Therefore we use a self-generated CA and certificates, which are not known to your browser.
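
The trust relationship described in the last two paragraphs can be reproduced offline with OpenSSL. This is an added example, not part of the FOG installer: the CA, the certificates and all file names are constructed throwaway values, and only the host name "fogserver" is taken from this page.

```sh
#!/bin/sh
# Added example: throwaway PKI built with the openssl CLI, not FOG's own files.

# Create in directory $1: a private CA (stands in for the CA the FOG installer
# generates), a server certificate signed by it, and an unrelated CA that
# stands in for a trust store which has never heard of the private CA.
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo FOG CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=fogserver" \
        -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/srv.csr" -days 1 \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/srv.crt" 2>/dev/null || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Unrelated Public CA" \
        -keyout "$1/other.key" -out "$1/other.crt" 2>/dev/null || return 1
}

# Print "trusted" if certificate $2 chains to a CA in bundle $1,
# otherwise print "untrusted".
check_trust() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# Demo: the same server certificate, seen by two different clients.
d=$(mktemp -d) && make_demo_pki "$d" && {
    # Client that carries the private CA, like the custom iPXE binary
    echo "client with the CA embedded: $(check_trust "$d/ca.crt" "$d/srv.crt")"
    # Client that only knows other CAs, like a browser out of the box
    echo "client without the CA:       $(check_trust "$d/other.crt" "$d/srv.crt")"
}
rm -rf "$d"
```

The server certificate is identical in both checks; only the set of CAs the client carries changes the result, which is why the iPXE binary accepts the connection while the browser shows a warning.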