Encryption (HTTPS)

TLS tunnels are available for all paid plans.

Traffic between the relay agent and our servers is always encrypted, regardless of which encryption option you choose.

HTTPS

Encrypt communication to and from your website using HTTPS. It is important to encrypt as much web traffic as possible to prevent data theft and other tampering. This is a critical step toward building a safer, better Internet.

Traffic between an agent and the public service is always encrypted and encryption cannot be disabled.

There are several crypto options for tunnels:

  • Off: disables encryption.

  • Flexible: the most common option for secure websites, testing and demo environments. It allows both HTTP and HTTPS traffic.

  • Full: enforces HTTPS by redirecting all traffic from HTTP to HTTPS.

To create a tunnel with flexible encryption, use the --crypto flexible flag:

$ relay connect --crypto flexible http://localhost:4000/
Connecting: 
http://5k9kpuvdek1ld8lahz4tgj.webrelay.io <----> http://localhost:4000/
https://5k9kpuvdek1ld8lahz4tgj.webrelay.io <----> http://localhost:4000/

HTTPS is available for all paid plans on all tunnels.

TLS pass-through

HTTPS tunnels terminate TLS (SSL) traffic at the Webhook Relay servers (*.webrelay.io). For production traffic or anything that includes sensitive information such as authentication tokens, you will want your tunnel traffic to be encrypted with your own key and certificate. Webhook Relay supports TLS tunnels and it’s really easy to use them.

To specify TLS pass-through mode when using the connect command:

relay connect --crypto tls-pass-through https://127.0.0.1:8123/ 
Connecting: 
https://7hhnns081m8t1jtg8vmh9t.webrelay.io <----> https://127.0.0.1:8123/
TLS pass-through enabled, make sure your destination 'https://127.0.0.1:8123/' can terminate HTTPS

Now, you can access it with curl:

curl --insecure https://7hhnns081m8t1jtg8vmh9t.webrelay.io

TLS pass-through tunnels without certificate warnings

In the previous command example, the --insecure option is required so that curl ignores certificate warnings. You need to specify it because your local HTTPS server doesn’t have the TLS key and certificate necessary to terminate traffic for any *.webrelay.io subdomains. If you try to load that page in a web browser, it will ask you to add an exception.

If you want your certificates to match and be protected from man-in-the-middle attacks, you need two things. First, you’ll need to buy an SSL (TLS) certificate for a domain name that you own and configure your local web server to use that certificate and its private key to terminate TLS connections. How to do this is specific to your web server and SSL certificate provider and beyond the scope of this documentation. For the sake of example, we’ll assume that you were issued an SSL certificate for the domain secure.yourdomain.com.

Once you have your key and certificate, it’s time to run a TLS tunnel on your own custom domain name. The instructions to set this up are identical to those described in the previous section; we will just be specifying the new --host option. The custom domain you register should be the same as the one in your SSL certificate (secure.yourdomain.com). After you’ve set up the custom domain, use the --host argument to connect the TLS tunnel on your own domain.

Forward TLS traffic over your own custom domain:

relay connect --host secure.yourdomain.com --crypto tls-pass-through https://192.168.1.137:8123/ 
Connecting: 
http://secure.yourdomain.com <----> https://192.168.1.137:8123/
https://secure.yourdomain.com <----> https://192.168.1.137:8123/
TLS pass-through enabled, make sure your destination 'https://192.168.1.137:8123/' can terminate HTTPS 
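The following is an added example, not part of the Webhook Relay documentation or client: a Python check that the public tunnel endpoint presents exactly the certificate your local server uses, which confirms TLS is passed through rather than terminated upstream. The script name check_tunnel.py, the function names and the sample bytes are assumptions made for illustration.

```python
import hashlib
import socket
import ssl
import sys

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"


def pem_to_der(pem: str) -> bytes:
    """Decode the first certificate in a PEM file (the leaf) to DER."""
    start = pem.index(BEGIN)  # ValueError if the file holds no certificate
    stop = pem.index(END, start) + len(END)
    return ssl.PEM_cert_to_DER_cert(pem[start:stop])


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def presented_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Fetch the leaf certificate the endpoint presents for `host` (SNI set).

    Chain validation is off on purpose: the fingerprint comparison is the
    trust decision here, so self-signed certificates can be checked too.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def is_passed_through(presented: bytes, local_pem: str) -> bool:
    """True only if the tunnel presents exactly the certificate in local_pem."""
    return fingerprint(presented) == fingerprint(pem_to_der(local_pem))


if __name__ == "__main__":
    if len(sys.argv) == 3:  # e.g. check_tunnel.py secure.yourdomain.com tls.crt
        with open(sys.argv[2]) as f:
            ok = is_passed_through(presented_der(sys.argv[1]), f.read())
    else:  # offline run: constructed bytes stand in for a real certificate
        sample = b"constructed-der-bytes"
        ok = is_passed_through(sample, ssl.DER_cert_to_PEM_cert(sample))
    print("certificate matches: TLS is passed through" if ok else "MISMATCH")
    sys.exit(0 if ok else 1)
```

A mismatch means some other endpoint is terminating TLS for that hostname, so the exit code can gate a deployment or monitoring job.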

TLS termination

It is possible that the server you want to expose can’t terminate TLS connections. The Webhook Relay client can terminate TLS for you, so you can have your traffic end-to-end encrypted without worrying about your local service supporting TLS. To do this, provide the --key and --crt command line options when starting a tunnel:

relay connect -s demo --key tls.key --crt tls.crt --crypto tls-pass-through http://localhost:4000

Auto-generating TLS certificate

Sometimes, even though you don’t have a certificate, you still want your traffic to be end-to-end encrypted. There are plenty of tools that can generate self-signed certificates for you, but the Webhook Relay client can also do it:

relay connect -s demo --key tls.key --crt tls.crt --auto-generate=true --crypto tls-pass-through http://localhost:4000

In this case, the relay client will generate certificates if they don’t exist.

Non-HTTP services over TLS

Webhook Relay doesn’t intercept encrypted TLS traffic, so any protocol that is wrapped in TLS can be used with TLS tunnels (for example smtps, ftps, etc.).
