(((meta (@ (content . "External server to encrypt message transport") (name . "title"))) (meta (@ (content . "manual") (name . "role"))) (meta (@ (content . "#configuration #encryption #manual #security #zettelstore") (name . "tags"))) (meta (@ (content . "zmk") (name . "syntax"))) (meta (@ (content . "00001010000000 00001018000000") (name . "back"))) (meta (@ (content . "00001004010000 00001010000000 00001018000000") (name . "backward"))) (meta (@ (content . "1") (name . "box-number"))) (meta (@ (content . "(c) 2020-present by Detlef Stern ") (name . "copyright"))) (meta (@ (content . "20210126175322") (name . "created"))) (meta (@ (content . "00001003000000 00001004010000") (name . "forward"))) (meta (@ (content . "en") (name . "lang"))) (meta (@ (content . "EUPL-1.2-or-later") (name . "license"))) (meta (@ (content . "20220217180826") (name . "modified"))) (meta (@ (content . "20220217180826") (name . "published"))) (meta (@ (content . "public") (name . "visibility")))) (p "Since Zettelstore does not encrypt the messages it exchanges with its clients, you may need some additional software to enable encryption.") (h2 (@ (id . "public-key-encryption")) "Public-key encryption") (p "To enable encryption, you probably use some kind of encryption keys." " " "In most cases, you need to deploy a " (@L (@H "“") "public-key encryption" (@H "”")) " process, where your side publishes a public encryption key that only works with a corresponding private decryption key." " " "Technically, this is not trivial." " " "Any client who wants to communicate with your Zettelstore must trust the public encryption key." " " "Otherwise the client cannot be sure that it is communicating with your Zettelstore." " " "This problem is solved in part with " (a (@ (class . "external") (href . "https://letsencrypt.org/")) "Let's Encrypt") "," " " (@L (@H "“") "a free, automated, and open certificate authority (CA), run for the public’s benefit."
" " "It is a service provided by the " (a (@ (class . "external") (href . "https://www.abetterinternet.org/")) "Internet Security Research Group") (@H "”")) ".") (p "Alternatively, you can buy these keys for public-key encryption at " (@L (@H "“") "certificate authorities" (@H "”")) " or their dealers.") (h2 (@ (id . "server-software-for-encryption")) "Server software for encryption") (p "The solution of placing a server for encryption in front of an encryption-unaware server is a relatively old one." " " "There are many different alternatives to choose from.") (p "First, there are web servers." " " "Business-grade web servers must support encryption." " " "Most of them can forward a request unencrypted to another web server." " " "Some examples:") (ul (li (a (@ (class . "external") (href . "https://httpd.apache.org/")) "Apache Web Server") ": enable " (a (@ (class . "external") (href . "http://httpd.apache.org/docs/current/mod/mod_proxy.html")) "mod_proxy") " and configure a reverse proxy.") (li (a (@ (class . "external") (href . "https://nginx.org/")) "nginx") ": set up a reverse proxy with the " (a (@ (class . "external") (href . "https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass")) (kbd "proxy_pass")) " directive.") (li (a (@ (class . "external") (href . "https://caddyserver.com/")) "Caddy") ": see below for details.")) (p "Other software is also possible." " " "There is software dedicated solely to handling the encryption part." " " "Some examples:") (ul (li (a (@ (class . "external") (href . "https://www.stunnel.org/")) "stunnel") " (" (@L (@H "“") "a proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs' code." (@H "”")) ")") (li (a (@ (class . "external") (href . "https://traefik.io/")) "Traefik") ": set up a " (a (@ (class . "external") (href . "https://docs.traefik.io/routing/routers/")) "router") ".")) (h2 (@ (id . 
"example-configuration-for-caddy")) "Example configuration for Caddy") (p "For the inexperienced owner of a Zettelstore, " (a (@ (class . "external") (href . "https://caddyserver.com/")) "Caddy") " is a good option" (sup (@ (id . "fnref:1")) (a (@ (class . "zs-noteref") (href . "#fn:1") (role . "doc-noteref")) "1")) "." " " "Caddy can automatically fetch an appropriate encryption key from Let's Encrypt, without any further configuration." " " "The only requirement for doing this is that the server must be publicly accessible.") (p "Here is the base configuration for the main site for Zettelstore at " (a (@ (class . "external") (href . "https://zettelstore.de/")) "https://zettelstore.de/") ":") (pre (code "zettelstore.de {\n    reverse_proxy localhost:23123\n}")) (p "That's all!") (p "If you want to add some additional content on the server, you could change the configuration as follows:") (pre (code "zettelstore.de {\n    file_server * {\n        root /var/www/html\n    }\n    route /manual/* {\n        reverse_proxy localhost:23123\n    }\n}")) (p "This forwards requests with the prefix " (@L (@H "“") "/manual/" (@H "”")) " to the running Zettelstore." " " "All other requests are handled by Caddy itself.") (p "In this case you must specify the " (a (@ (href . "00001004010000#url-prefix")) "startup configuration key " (kbd "url-prefix")) " with the value " (@L (@H "“") "/manual/" (@H "”")) "." " " "This allows Zettelstore to strip the prefix when reading web requests and to emit URLs with the correct prefix when sending a web response."))