I would love to have an automated system that encrypts traffic between the controller and its targets automatically. Then I only need to do HTTPS manually if needed on the main controller, since it's the only one that is publicly accessible. Not every server has its own public IPv4 to use AMP's Let's Encrypt installer.
Auto https between controller and targets
- Last Post 10 September 2021
- Topic Is Solved
That's how it works already. The controller provides the https offloading and you use the system firewall on the targets so that only the controller can access the AMP port ranges.
So it encrypts the traffic between controller and target, then I'm doing something wrong. I can access the targets both through a man-in-the-middle attack and sniffing the packets since they're not encrypted. I have several controllers since not all of my servers are in the same LAN and I host a lot of other stuff as well.
Ah no, it doesn't between the controller and targets without a certificate for HTTPS. There are no plans to add that since you'd firewall it out. If you're subject to a man-in-the-middle attack the network is already considered fully compromised anyway. The game servers themselves don't encrypt traffic so passwords sent for things like RCON would be compromised. It's worth noting that AMP doesn't send passwords in this manner, it uses single-use tokens that are tied to the source IP so even if someone intercepted one - they wouldn't be able to use it.
What you can do if you can't use normal HTTPS is tunnel the connections over SSH which would encrypt the traffic between hosts. You can find plenty of guides on setting up SSH tunnels, but this isn't something we intend to build into AMP.
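The SSH tunnel suggested in the reply above, sketched as an added example that is not part of the thread or of AMP: a dry-run script that prints one `ssh -L` forward per target plus the matching restricted `authorized_keys` entry. The host names, ports, account name and key path are constructed placeholders.

```shell
#!/bin/sh
# Added example: dry-run generator for controller -> target SSH tunnels.
# It only prints commands; nothing is connected to.
set -eu

TUNNEL_USER="amptunnel"                  # assumed unprivileged account on each target
KEY="/home/amp/.ssh/amp_tunnel_ed25519"  # assumed private key path on the controller

# Accept only decimal ports in 1..65535.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# tunnel_cmd TARGET LOCAL_PORT REMOTE_PORT
# Prints the controller-side forward. Both ends bind to loopback, so the
# target-side port never has to be reachable from the network.
tunnel_cmd() {
  valid_port "$2" && valid_port "$3" || { echo "bad port" >&2; return 1; }
  printf 'ssh -N -i %s -o ExitOnForwardFailure=yes -o StrictHostKeyChecking=yes -o ServerAliveInterval=30 -L 127.0.0.1:%s:127.0.0.1:%s %s@%s\n' \
    "$KEY" "$2" "$3" "$TUNNEL_USER" "$1"
}

# authorized_keys_line REMOTE_PORT PUBKEY
# Prints the target-side entry: the key may forward to one port and
# cannot get a shell, a PTY, agent forwarding or X11.
authorized_keys_line() {
  valid_port "$1" || return 1
  printf 'restrict,port-forwarding,permitopen="127.0.0.1:%s" %s\n' "$1" "$2"
}

# Constructed inventory: target host, local port on controller, port on target.
INVENTORY='target-a.example.net 18081 8081
target-b.example.net 18082 8081'

# Prints one tunnel command per inventory line.
plan() {
  printf '%s\n' "$INVENTORY" | while read -r host lport rport; do
    tunnel_cmd "$host" "$lport" "$rport"
  done
}

plan
authorized_keys_line 8081 'ssh-ed25519 AAAA-constructed-placeholder controller'
```

Because the forward's destination is resolved on the target, the target-side port only has to be reachable on the target's loopback address. `StrictHostKeyChecking=yes` makes ssh refuse a target whose host key is unknown or has changed.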
Thx for the answer, the use case was mainly for servers on different networks. I'm going to tunnel the traffic then.