Andreas/wekan
1
0
Fork 0
mirror of https://github.com/wekan/wekan.git synced 2025-12-16 07:20:12 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 5

Added docs for Windows SSL/TLS.

Browse source 
Thanks to xet7 !

Related #5866
This commit is contained in:
Lauri Ojansivu 2025-08-12 14:33:55 +03:00
parent 96be56a620
commit 92c0543614
1 changed files with 282 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

282
docs/Platforms/Propietary/Windows/Offline.md
View file

@ -57,6 +57,288 @@ RELATED INFO:
- Windows 2022 server example https://github.com/wekan/wekan/issues/5084
- Other settings example https://github.com/wekan/wekan/issues/4932
## SSL/TLS at internal network, that is not connected to Internet, and can not used from Internet
Configuring Caddy for SSL/TLS on a local LAN without an internet connection requires you to **manually create and manage certificates**, as Caddy's automatic certificate provisioning relies on external services like Let's Encrypt, which need internet access. Here's a breakdown of the process:
#### Generate Certificates 🔑
First, you'll need to generate a self-signed certificate authority (CA) and then use it to sign a certificate for your local domain. You can use tools like **OpenSSL** or **Caddy's own `cert` command**.
1. **Create a Root CA:**
`openssl genrsa -out rootCA.key 2048`
`openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 365 -out rootCA.pem`
2. **Create a Server Certificate:**
* Create a configuration file (`server.csr.cnf`) for your server certificate.
* `openssl req -new -nodes -newkey rsa:2048 -keyout server.key -out server.csr -config server.csr.cnf`
* `openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 365 -sha256 -extfile server.csr.cnf -extensions req_ext`
This process creates `server.crt` and `server.key`—the files Caddy will use.
#### Configure Caddyfile 📜
Next, you need to tell Caddy to use these specific certificates instead of trying to get them automatically.
Modify your `Caddyfile` to use the `tls` directive with the paths to your generated files.
Caddyfile:
```
wekan.example.com {
tls {
load C:\wekan\certs\example.com.pem
alpn http/1.1
}
proxy / localhost:2000 {
websocket
transparent
}
}
```
* **`your_local_domain.lan`** is the hostname you'll use to access the site from other computers on your network.
* **`tls C:\path\to\server.crt C:\path\to\server.key`** is the key part. It explicitly tells Caddy to use these certificate and key files.
#### Trust the Certificate 🔒
Finally, for browsers and other clients on your network to trust the connection and not show a security warning, you must **install the root CA certificate (`rootCA.pem`) on each client machine**.
1. On each client, navigate to the certificate management store (e.g., in Windows, search for "Manage computer certificates").
2. Import the `rootCA.pem` file into the "Trusted Root Certification Authorities" store.
This tells the client that any certificate signed by this CA (like your `server.crt`) is trustworthy. Without this step, every client will display a **security warning** because the certificate isn't from a publicly trusted authority.
#### Add wekan.example.com to every computer hosts file
As Administrator, edit with Notepad, changing dropdown *.txt to All Files, C:\Windows\System32\drivers\etc\hosts textfile.
To hosts file, add WeKan server local IP address:
```
192.168.0.200 wekan.example.com
```
Alternatively, use some nameserver at Windows server to have domain names at local network.
#### Other remaining settings for local network SSL/TLS, not connected to Internet
Look at similar settings below.
## SSL/TLS with Caddy webserver, accessible at Internet
This will start Caddy, like this:
```
example.com CloudFlare SSL/TLS Origin Certificate HTTP 443
=> Public IPv4 Cable modem HTTPS port 443
=> Local IPv4 HTTPS port 443 Caddy
=> Local IPv4 HTTP port 2000 Node.js main.js WeKan
=> MongoDB port 27017
```
From CloudFlare to Caddy, all is SSL/TLS encrypted.
Caddy proxies all encrypted traffic to Node.js unencrypted HTTP port 2000.
At WeKan server laptop/desktop, locally between these executeable files,
HTTP traffic is not encrypted:
- Between Caddy and WeKan
- Between WeKan and MongoDB
But outside of that server, all is SSL/TLS encrypted.
### 1) Check your WeKan server Windows computer local IPv4 address
You can check your IP address on Windows 11 using either the **Settings app** or the **Command Prompt**.
These methods will show you your **local IP address**, which is the address your device uses to
communicate within your home or office network.
Your **public IP address**, which is what devices outside your network see, is assigned by your
internet service provider (ISP) and can be found using an online tool or a simple web search.
#### Method 1: Using the Settings App ⚙️
1. Open the **Start menu** and click on **Settings** (or press the **Windows key + I**).
2. In the left-hand menu, click on **Network & internet**.
3. Click on the connection you're currently using, either **Wi-Fi** or **Ethernet**.
4. On the next screen, your IP address (both IPv4 and IPv6) will be listed under the **Properties** section.
#### Method 2: Using the Command Prompt 💻
1. Click the **Start menu** or the **search icon** on your taskbar, type "**cmd**," and press **Enter**.
2. In the Command Prompt window, type `ipconfig` and press **Enter**.
3. Look for your active connection (e.g., "Ethernet adapter" or "Wireless LAN adapter Wi-Fi").
Your IP address will be listed next to "**IPv4 Address**."
### 2) Finding Your Public IP Address 🌍
a) At Arris Cable Modem, public IP address is at Login / WAN Setup / DHCP / IP Address
b) To find your public IP address, simply open a web browser and search for "**what is my IP**."
A search engine like Google will display your public IP address right at the top of the search results.
### 3) If you don't have domain name like example.com
1. Register and login to https://cloudflare.com
2. Buy a domain, like example.com
### 4) Add settings at CloudFlare
1. CloudFlare / Account Home / AI Audit: Block all AI crawlers, so that they do not slow down your websites and WeKan.
But if you need Google Search to see your website like example.com, allow Googlebot.
2. CloudFlare / Account Home / example.com / DNS / Records / Add Record
```
Type: A
Name: wekan (for wekan.example.com, or kanban for kanban.example.com)
IPv4 Address: YOUR-PUBLIC-IPv4-ADDRESS (example: 80.123.123.123)
- Proxy Status: Orange cloud selected (not grey cloud)
- TTL: Auto
```
3. Click Save
4. CloudFlare / Account Home / example.com / Origin Server / Create Cerfificate for example.com
5. At Notepad, copy paste SSL/TLS certs in this order from top to bottom to one textfile `example.com.pem`:
```
1. Private Cert
2. Public Cert
3. Certificate Chain
```
6. Have for example this directory structure (can also be D: or E: etc)
```
C:.
├───wekan directory
│ ├───files directory
│ ├───certs directory
│ │ └───example.com.pem
│ ├───bundle directory
│ │ └───main.js
│ ├───caddy.exe from .zip file
│ ├───Caddyfile textfile for Caddy 2 config
│ └───start-wekan.bat textfile
└───Program Files
```
7. Edit `start-wekan.bat` with Notepad, search and change these settings, change subdomain wekan.example.com
and node saving cmd.exe text outout to log.txt for logging:
```
SET WRITABLE_PATH=..\FILES
SET ROOT_URL=https://wekan.example.com
SET PORT=2000
node main.js > log.txt 2>&1
```
If you have problems with attachments, instead try:
```
SET WRITABLE_PATH=..\FILES\
```
8. Download newest Caddy webserver caddy_VERSION-NUMBER_windows_amd64.zip from
https://github.com/caddyserver/caddy/releases ,
extract .zip file, and copy caddy.exe to above directory structure.
- Caddy website https://caddyserver.com
- Caddy features https://caddyserver.com/features
- Caddy code https://github.com/caddyserver/caddy
- Caddy forum https://caddy.community/
9. To Caddyfile, with Notepad add this:
```
wekan.example.com {
tls {
load C:\wekan\certs\example.com.pem
alpn http/1.1
}
proxy / localhost:2000 {
websocket
transparent
}
}
```
10. Open `cmd.exe` terminal, write there:
```
C:
cd \wekan
wekan.bat
```
11. Open another `cmd.exe` terminal, write there:
```
C:
cd \wekan
caddy fmt --overwrite Caddyfile
caddy validate
```
If there is errors, ask Google Search about that error, edit Caddyfile with Notepad to fix it.
If there is not any errors, start Caddy:
```
caddy
```
This will start Caddy, like this:
example.com CloudFlare SSL/TLS Origin Certificate HTTP 443
=> Public IPv4 Cable modem HTTPS port 443
=> Local IPv4 HTTPS port 443 Caddy
=> Local IPv4 HTTP port 2000 Node.js main.js WeKan
=> MongoDB port 27017
From CloudFlare to Caddy, all is SSL/TLS encrypted.
Caddy proxies all encrypted traffic to Node.js unencrypted HTTP port 2000.
At WeKan server laptop/desktop, locally between these executeable files,
HTTP traffic is not encrypted:
- Between Caddy and WeKan
- Between WeKan and MongoDB
But outside of that server, all is SSL/TLS encrypted.
#### 1) At your Internet router, forward ports HTTP 80 and HTTPS 443 to your server laptop/desktop IP address. Example:
Arris cable modem:
1. Login
2. Firewall / Virtual Server Port Forwarding
3. Add HTTP 80 and HTTPS 443:
HTTP 80:
```
Description: HTTP
Inbound Port: 80 to 80
Format: TCP
Private IP Address: YOUR-WEKAN-SERVER-LOCAL-IPv4-ADDRESS (example: 192.168.0.200)
Local Port: 80 to 80
```
HTTPS 443:
```
Description: HTTP
Inbound Port: 443 to 443
Format: TCP
Private IP Address: YOUR-WEKAN-SERVER-LOCAL-IPv4-ADDRESS (example: 192.168.0.200)
Local Port: 443 to 443
```
## Docker WeKan Offline