What if I don't want HTTPS?

lavacano201014 · May 26, 2019, 5:34am

My NextCloud instance is only available when you’re signed into my OpenVPN network. Therefore, traffic is already implied to be encrypted at the network level (AES-128-CBC if you’re curious). Running HTTPS within an already encrypted network would cause the traffic to be encrypted and decrypted twice, which is a huge performance hit that I don’t want.

Can I disable the HTTPS requirement without having to fork the whole project? I can’t just switch back to Passman, it won’t import my backup and apparently Passman is dead now.

I don’t normally say this kind of thing, but if you would prefer not to have instructions on how to bypass the HTTPS restriction available in a public location (honestly, fair), I’ll accept answers via private message.

# --expert --disable-mitm-warnings

ralfi · May 26, 2019, 7:01am

IMHO you do not need https in your environment - nearly my “backup access” with AVM fritzbox VPN access …

I am using for regular access two apache2 sub domains (one for nc, one for libreoffice online) with letsencrypt and reverse proxy config to forwarding to the correspondending docker images. These internal connections are unencrypted.

But do not forget that the focus to TLS access from internet should not be broken. And IMHO the android / android talk app works only with TLS.

mdw · May 26, 2019, 9:29am

There is no option to disable the HTTPS requirement in the Passwords app and there won’t be one.

HTTPS or HTTP/2 usually has no notable performance impact. If it does on your server, then i wonder what the server side encryption of this app will do to it.

This app also does use browser APIs that are either are already restricted to secure environments (meaning HTTPS) or will be so in the future. Functionality of the web interface will be broken if these APIs are not available.

Since the API of the app promises that HTTPS will be used in all cases, i would not expect any official or third party client to support non-https connection or even let you set up one.

You can fork the app and maintain your own version or you can use HTTPS.

stratege1401 · May 26, 2019, 4:59pm

i don’t want to be “vulgaire”, but having HTTPS is like having a condom, even in a safe environment. It is call good policies …

Not having HTTPS, is like … see what i mean.

mdw · May 26, 2019, 5:26pm

Better safe than sorry.

lavacano201014 · May 26, 2019, 10:19pm

That’s what I was afraid of. How do I lock my thread?

val · June 5, 2022, 10:10am

I use an internal IP inside my isolated private network for nextcloud.
So I just forced to refuse using the passwords.

The most funny thing is that also I’m tunneling http 80 port to a third-party server that encrypts the connection over https. So nextcloud sees it as https and the browser sees https too. The Passwords works but of course it’s a free giveaway of passwords

Forcing https restriction without being able to configure it is the worst thing ever imaginable

mdw · June 5, 2022, 2:13pm

@val I don’t know what is so hard to understand about this:

Here is a video of what i meant: Imgur: The magic of the Internet

I don’t know what you want to configure there. I also don’t want to waste my time on supporting a http mode that’s broken by design.

I don’t know why you would go out of your way to make an insecure HTTPS setup, but you do you i guess.

JimmyKater · September 3, 2022, 2:24pm

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.