Securely accessing the Web GUI

Hi,

I’m trying to figure out how to securely get access to the Web GUI. Right now I have it behind an Apache proxy so that my connection is over SSL, but other than that it would seem that access to the web GUI right now is only as secure as my password.

Is there a better more secure way I could be doing this? I want to ensure I can access my Syncthing setup so I can add more connections if I need to but I want to ensure it’s only me getting access.

Also I wonder if there is a two factor authentication I could set up for this.

If you already have syncthing behind a reverse proxy, you could go the complicated but secure way and use SSL/TLS client authentication. Setting this up probably requires some knowledge in the field and browser support isn’t superb, but it works.

Another way I could imagine would be to use SSH instead - configure apache to only accept connections from localhost [or strip the reverse proxy entirely] and tunnel everything over SSH. Client public key authentication in SSH is a lot more beautiful than TLS.
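The SSH route described above, as an added example (not code from the thread or from the Syncthing project): bind the GUI to loopback, verify from the listener table that nothing on the GUI port is reachable from outside, and open a local port forward from the client. The remote host `nas.example`, the user `me` and the `ss -Hltn` sample lines are placeholders and constructed data, not captured output.

```shell
#!/bin/sh
# Added example, not code from the thread or from Syncthing: keep the Web GUI
# on loopback only and reach it through an SSH local port forward.
# Assumed placeholders: remote host "nas.example", user "me".

GUI_PORT=8384
REMOTE="me@nas.example"

# 1. Start the GUI bound to loopback. This overrides the <address> element of
#    the <gui> section in config.xml; on a systemd host it goes into ExecStart.
start_syncthing_local_gui() {
    syncthing serve --gui-address="127.0.0.1:${GUI_PORT}"
}

# 2. Check what the daemon actually bound to. Takes `ss -Hltn` style output
#    (one listening socket per line, local address in field 4) and succeeds
#    only if every listener on the GUI port is on a loopback address.
#    Returns 2 when nothing listens on the port at all.
gui_bound_to_loopback_only() {
    listeners=$(printf '%s\n' "$1" | awk -v port="$GUI_PORT" '
        { n = split($4, a, ":"); if (a[n] == port) print $4 }')
    [ -n "$listeners" ] || return 2
    # Any listener that is not 127.0.0.1 or [::1] means the GUI is exposed.
    printf '%s\n' "$listeners" | grep -Evq '^(127\.0\.0\.1|\[::1\]):' && return 1
    return 0
}

# 3. From the client machine: forward a local loopback port to the server's
#    loopback GUI, then browse http://127.0.0.1:8384. -N opens no shell and
#    ExitOnForwardFailure makes ssh fail loudly if the local port is taken.
open_gui_tunnel() {
    ssh -N -o ExitOnForwardFailure=yes \
        -L "127.0.0.1:${GUI_PORT}:127.0.0.1:${GUI_PORT}" "$REMOTE"
}

# Constructed samples of `ss -Hltn` output (not from a real host).
GOOD='LISTEN 0 4096 127.0.0.1:8384 0.0.0.0:*
LISTEN 0 4096 [::1]:8384 [::]:*'
BAD='LISTEN 0 4096 0.0.0.0:8384 0.0.0.0:*'

gui_bound_to_loopback_only "$GOOD" && echo "sample A: GUI is loopback-only"
gui_bound_to_loopback_only "$BAD"  || echo "sample B: GUI is exposed, fix the bind address"

# On the real server, run the same check against the live listener table.
if command -v ss >/dev/null 2>&1; then
    gui_bound_to_loopback_only "$(ss -Hltn 2>/dev/null)" \
        && echo "live: GUI is loopback-only" \
        || echo "live: GUI not found on loopback only (rc=$?)"
fi
```

The check in step 2 is the part worth keeping around: after any Syncthing upgrade or config edit, a GUI that quietly went back to `0.0.0.0:8384` is exactly the failure mode the SSH-only plan is meant to prevent, and the listener table is the ground truth for it.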

Do you mean setting up a domain certificate so all my connections between a web browser and the web server are encrypted?

So, another question: the software is reasonably secure by default, right? So all the syncing should be fine if I just keep that open but restrict the Web GUI to SSH and/or LAN?

Encryption and authentication are not the same. TLS by default only authenticates the server (using a [server] certificate); the client is unauthenticated at the protocol level. The common solution to authenticate a user (= client) is to use a password.

If password authentication is not considered secure enough, you could configure apache to also authenticate the client at the TLS protocol level. This means configuring apache to require some specific client certificate (a self-signed one would suffice) which is then added to the browser. This way both server & client are authenticated via TLS using certificates. A password is then no longer necessary, as only users with access to the client certificate can log in to the web interface.

It may be easier to use SSH instead, because SSH doesn’t require certificates or complicated config files (SSH can be configured to authenticate using public keys on both sides).

Not exactly sure what “reasonably secure by default” means in this context. Anyone with access to the web interface can add/remove new devices or folders and sync any data. Thus access to the web interface must be restricted. That means:

  • If the web interface listens only locally, only local users can access it (users connecting using SSH tunnels and related things can be considered “local”).

  • If the web interface is reachable from the outside (internet), the connection should additionally be encrypted (https or some sort of secure tunnel/VPN).

  • Users should be authenticated, for example using a password or external methods on a lower protocol level (TLS certificates, SSH public keys or other network authentication methods).
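The TLS client-certificate setup described in the reply above, as an added example that is not the thread's or Syncthing's own code: a private CA signs one client certificate, the browser imports the PKCS#12 bundle, and Apache is told to reject any handshake that does not present a certificate from that CA before the request ever reaches Syncthing. Assumptions: Apache with mod_ssl and mod_proxy, the GUI on `127.0.0.1:8384`, and `syncthing.example.com`, the `/etc/ssl` paths and the export password are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from Syncthing: TLS client
# authentication in front of the Syncthing GUI. Placeholders: hostname,
# certificate paths, export password.

WORKDIR="${WORKDIR:-./client-auth-demo}"
GUI_UPSTREAM="http://127.0.0.1:8384/"
SERVER_NAME="syncthing.example.com"

# Emit an Apache vhost that terminates TLS, demands a client certificate
# signed by our private CA, and proxies to the loopback-only GUI.
apache_vhost() {
    cat <<EOF
<VirtualHost *:443>
    ServerName ${SERVER_NAME}
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/${SERVER_NAME}.crt
    SSLCertificateKeyFile /etc/ssl/private/${SERVER_NAME}.key
    # Private CA that signs client certificates; only its leaves are accepted.
    SSLCACertificateFile  /etc/ssl/certs/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 1
    ProxyPass        / ${GUI_UPSTREAM}
    ProxyPassReverse / ${GUI_UPSTREAM}
</VirtualHost>
EOF
}

# Review check for a vhost text: succeeds only if client certificates are
# actually required ("optional" or "none" would fall back to password-only).
vhost_requires_client_cert() {
    printf '%s\n' "$1" \
        | grep -Eq '^[[:space:]]*SSLVerifyClient[[:space:]]+require[[:space:]]*$'
}

# Create the private CA, one client certificate signed by it, and a PKCS#12
# bundle for browser import. Runs only when openssl is installed.
make_client_cert() {
    mkdir -p "$WORKDIR" || return 1
    (
        cd "$WORKDIR" || exit 1
        # Self-signed CA (Apache trusts this, not the public web PKI).
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -subj "/CN=Syncthing GUI client CA" \
            -keyout client-ca.key -out client-ca.crt >/dev/null 2>&1
        # Client key + CSR, then a leaf certificate signed by the CA.
        openssl req -newkey rsa:2048 -nodes -subj "/CN=me" \
            -keyout client.key -out client.csr >/dev/null 2>&1
        openssl x509 -req -days 365 -in client.csr \
            -CA client-ca.crt -CAkey client-ca.key -CAcreateserial \
            -out client.crt >/dev/null 2>&1
        # Browser import bundle; the export password guards the private key.
        openssl pkcs12 -export -in client.crt -inkey client.key \
            -out client.p12 -passout pass:changeme >/dev/null 2>&1
        # The same chain check Apache performs at handshake time.
        openssl verify -CAfile client-ca.crt client.crt
    )
}

apache_vhost
if command -v openssl >/dev/null 2>&1; then
    make_client_cert || echo "certificate generation failed" >&2
fi
```

Keep `client-ca.key` off the web server entirely: Apache only needs `client-ca.crt` to verify, and whoever holds the CA key can mint new GUI credentials. The password login can stay enabled underneath as a second factor; it costs nothing once the handshake already filters out everyone without the certificate.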

I know the Web GUI is a major security weak point if not properly secured. I’m pretty much screwed if someone can access and mess around with syncthing settings through the Web GUI.

What I mean is the underlying sync. How secure is that? I’m going with the idea that everything is encrypted securely on syncing files. If you can secure access to the Web GUI and keep the software up to date you are pretty much good to go.

Right now I’m going to limit the Web GUI to localhost so that only people who can SSH in (mainly me right now) can access the Web GUI, that seems like the best plan.

That is correct.