HTTPS Encryption with Apache Proxy

Before you proceed, consider the warning!

AnkiDroid may not verify encryption certificates

I (@kuklinistvan) did not verify this personally, but I've read somewhere in an issue that AnkiDroid accepts any SSL certificate it gets while initiating the encrypted connection.

This is a problem because a connection that accepts any certificate can be very easily hijacked, which can render the encryption completely useless.

Keep in mind that at the moment this is kind of gossip. If you, as the reader, can confirm or refute this (for example, with an experiment), please contact us on Gitter. It may easily be the case that it is no longer true (if it ever was), but some paranoia is very useful when it comes to encryption.

I just did not want to mislead you :)

Install Apache2 on your operating system

On Linux, look up the manuals and install the appropriate packages from the system package manager.

  1. Install these software components:

    • Apache2
      • mod_proxy
      • mod_ssl
  2. Enable the mods with:

    a2enmod proxy
    a2enmod proxy_http
    a2enmod ssl
    
  3. Restart the Apache2 service.

Get a certificate

Unfortunately, managing SSL certificates and PKI in general is not a quick topic. At the end of the day, you need to get a certificate for your server that is trusted both by your Android device and your computer.

You can either:

  • Get your server online and get a free certificate from Let's Encrypt
  • Create an in-house Certificate Authority, install its certificate on your Android device and on your computer, and issue the server's certificate with that CA

Do not underestimate the importance of these measures!

We highly advise you to learn about this topic in depth at Web Service Security Tutorial - otherwise, there is a high chance of creating false encryption, which does not actually protect you.
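
The in-house CA option above, sketched with the OpenSSL command line as an added example (not part of the original guide): it creates a CA, issues a server certificate whose subjectAltName carries the ServerName, and checks chain, purpose and hostname the way a verifying client would. The function names, file names, CA name and lifetimes are assumptions; ca.pem is the file to install on the clients, while cert.pem and key.pem are what the VirtualHost points at.

```shell
#!/bin/sh
# Added example: in-house CA plus a server certificate for the Apache vhost.
# Function names, file names, CA name and lifetimes are illustrative assumptions.

issue_cert() {  # usage: issue_cert <output-dir> <server-hostname>
    dir=$1 host=$2
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    # Explicit config so the result does not depend on the system openssl.cnf.
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example In-House CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # Modern TLS clients match the hostname against subjectAltName, not CN.
    cat > "$dir/server.ext" <<EOF
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # 1. Self-signed CA certificate: ca.pem is what you install on the clients.
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 365 -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    # 2. Server key and signing request.
    openssl req -new -config "$dir/ca.cnf" -subj "/CN=$host" -newkey rsa:2048 \
        -nodes -keyout "$dir/key.pem" -out "$dir/server.csr" 2>/dev/null || return 1
    # 3. CA signs the request; cert.pem and key.pem go into the VirtualHost.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 90 -extfile "$dir/server.ext" \
        -out "$dir/cert.pem" 2>/dev/null || return 1
    chmod 600 "$dir/ca.key" "$dir/key.pem"
}

# Succeeds only if cert.pem chains to ca.pem, is valid for TLS server use,
# and covers the hostname the clients will connect to.
check_cert() {  # usage: check_cert <output-dir> <hostname>
    openssl verify -CAfile "$1/ca.pem" -purpose sslserver \
        -verify_hostname "$2" "$1/cert.pem" >/dev/null 2>&1
}

if [ "$#" -eq 2 ]; then
    issue_cert "$1" "$2" && check_cert "$1" "$2" && echo "OK: $1/cert.pem"
fi
```

Keep ca.key off the web server: anyone holding it can issue certificates that every device trusting ca.pem will accept.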

Create or extend a <VirtualHost>

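Here is a VirtualHost with SSL and proxying enabled. It terminates HTTPS on port 443 and forwards the sync endpoints to the backend on the loopback interface.

<VirtualHost *:443>
    ServerName anki.my.fancy.server.net

    # Forward only the two sync endpoints to the backend on 127.0.0.1:27701
    <Location /sync>
        ProxyPass http://127.0.0.1:27701/sync
        ProxyPassReverse http://127.0.0.1:27701/sync
    </Location>
    <Location /msync>
        ProxyPass http://127.0.0.1:27701/msync
        ProxyPassReverse http://127.0.0.1:27701/msync
    </Location>

    UseCanonicalName off
    # TLS settings: protocol version, server certificate and private key
    SSLEngine on
    SSLProtocol +TLSv1.2
    SSLCertificateFile /path/to/the/cert/cert.pem
    SSLCertificateKeyFile /path/to/the/key/key.pem
    # Reverse proxy only: never act as an open forward proxy
    ProxyRequests off
    # Pass the client's Host header through to the backend
    ProxyPreserveHost on
</VirtualHost>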

Apache2 References