HTTPS Encryption with Apache Proxy
Before you proceed, consider the warning!
AnkiDroid may not verify encryption certificates
I (@kuklinistvan) did not verify personally, but I've read somewhere in an issue that AnkiDroid accepts any SSL certificate it gets while initiating the encrypted connection.
This is a problem, because it can be very easily hijacked which can render the encryption completely useless.
Keep in mind that at the moment this is kind of a gossip. Please, if you, as the reader can confirm or refute this - for example, with an experiment -, contact us at Gitter. It can be easily the case that it is no longer true (if it has ever been), but some paranoia is very useful when it comes to encryption.
I just did not want to mislead you :)
Install Apache2 on your operating system
On Linux, look up the manuals and install the appropriate packages from the system package manager.
Install these software components:
Enable the mods with:
a2enmod proxy a2enmod proxy_http a2enmod ssl
Restart Apache2 service.
Get a certificate
Unfortunately, managing SSL certificates and PKI in general is not a quick topic. At the end of the day, you need to get a certificate for your server that is trusted both by your Android device and your computer.
You can either:
- Get your server online and get a free certificate from Let's Encrypt
- Create an in-house Certificate Authority, install its certificate to your Android device and to your computer and issue a certificate for the server with that
Do not underestimate the importance of the measurements!
We highly advise you to learn about this topic in depth at Web Service Security Tutorial - otherwise, there is a high chance of creating false encryption, which does not actually protect you.
Create or extend a
Here is a VirtualHost with SSL and proxying enabled.
<VirtualHost *:443> ServerName anki.my.fancy.server.net <Location /sync> ProxyPass http://127.0.0.1:27701/sync ProxyPassReverse http://127.0.0.1:27701/sync </Location> <Location /msync> ProxyPass http://127.0.0.1:27701/msync ProxyPassReverse http://127.0.0.1:27701/msync </Location> UseCanonicalName off SSLEngine on SSLProtocol +TLSv1.2 SSLCertificateFile /path/to/the/cert/cert.pem SSLCertificateKeyFile /path/to/the/key/key.pem ProxyRequests off ProxyPreserveHost on </VirtualHost>