HTTPS for remote node UI: Is it essential if port forwarding?


I am just in the process of setting up Syncthing for the first time and wanted to ask for clarification on HTTPS warnings and security. Title pretty much says it all, but:

When I login to the UI, my browser complains about it not being secure, unless I add it to exceptions. I realise this is probably fine for local connections - ie computers that aren’t accessible from outside, but I plan to have a remote node accessible using port forwarding so that I do not have to rely on relays.

Will this remote computer with the port being forwarded to it be insecure without generation of a certificate and HTTPS? Or have I misunderstood? Basically, can I just forward and leave it? Or is there some critical point I have missed that’s going to leave me wide open?

Thanks for any insight.

HTTPS trafic is encrypted, HTTP is not. If you have someone malicious on your network, they could read the web UIs username and password in plain text by just intercepting the network traffic.

This sentence makes it look like there is a misconception: Relaying has nothing to do with the UI login/https settings. The actual sync connection (which may be by relay) is always secured, there’s nothing you can configure.

The browser exception thingy is because by default when enabling https for the UI, a “self-generated” certificate is used, i.e. the browser can’t verify the issuer of it. If you are the only one to access the web UI, I don’t think there is anything wrong with adding exceptions. Otherwise you’ll have to look into replacing the generated certificate by one signed by an authority (e.g. lets encrypt).

Thanks both, I think that answers it.

I think I was partly confusing the web UI port and the sync protocol port.

So providing that only the sync protocol port is forwarded and not the web UI, I don’t need to do anything else?

No, that’s fine.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.