SDWUI Auto TLS-HTTPS Extension
This extension allows you to easily, or even completely automatically start using HTTPS with SDWUI. [It will help prevent your shrek image generations from being stolen! (see below)]
Extension implementation of https://github.com/AUTOMATIC1111/stable-diffusion-webui/pull/4417
This extension is not intended for use with Google Colab instances.
Usecase 1 - Automatic (Default):
If this extension is enabled it will, by default:
- generate a key/cert pair
- read the Python trust store from Python certifi
- create an intermediary bundle made from fusing our cert with the certifi trust store
- pass bundle to requests using the REQUESTS_CA_BUNDLE environment variable
Usecase 2 - Bring your own certificate:
If passed an existing key/cert pair by using --tls-keyfile and --tls-certfile, the extension will try to do the same as Usecase 1 but with your specific certificate.
Note: if you choose this option, make sure that your SDWUI server name (--server-name) matches the common name set in the certificate you pass. Otherwise you will likely encounter an exception causing your program to crash.
With both of these methods, the extension passes the certificate to Python requests as trusted. The SDWUI processes then see the certificate as valid, which is what lets the webui run using HTTPS.
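The bundle step shared by both use cases, as an added Python sketch (not the extension's own code). The names `fingerprints`, `fuse_bundle`, `extra_trust` and `bundle.pem` are assumptions made for this example. It treats certificates as opaque PEM blocks, keeps the bundle free of duplicates across restarts, and reports exactly which fingerprints the bundle trusts beyond the base store so the extra trust can be audited.

```python
import hashlib, os, re, ssl, tempfile

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def fingerprints(path):
    """Map SHA-256(DER) -> PEM block for every certificate in a PEM file."""
    with open(path, encoding="utf-8") as fh:
        blocks = PEM_BLOCK.findall(fh.read())
    return {hashlib.sha256(ssl.PEM_cert_to_DER_cert(b)).hexdigest(): b
            for b in blocks}

def fuse_bundle(cert_path, bundle_path, trust_store=None):
    """Write trust store + our cert to bundle_path, export REQUESTS_CA_BUNDLE.

    Returns the fingerprints the bundle trusts beyond the base store.
    """
    if trust_store is None:
        import certifi  # the trust store the README names
        trust_store = certifi.where()
    base, ours = fingerprints(trust_store), fingerprints(cert_path)
    if len(ours) != 1:
        raise ValueError(f"expected exactly one certificate in {cert_path}")
    merged = {**base, **ours}  # keyed by fingerprint: re-runs never duplicate
    with open(bundle_path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(merged.values()) + "\n")
    os.environ["REQUESTS_CA_BUNDLE"] = os.path.abspath(bundle_path)
    return sorted(set(merged) - set(base))

def extra_trust(bundle_path, trust_store):
    """Audit: fingerprints in the bundle that the base store does not have."""
    return sorted(set(fingerprints(bundle_path)) - set(fingerprints(trust_store)))

if __name__ == "__main__":
    # Constructed stand-ins: opaque bytes in PEM armour, not real X.509.
    with tempfile.TemporaryDirectory() as d:
        store, cert, bundle = (os.path.join(d, n) for n in
                               ("store.pem", "webui.cert", "bundle.pem"))
        with open(store, "w") as fh:
            fh.write(ssl.DER_cert_to_PEM_cert(b"constructed root A"))
        with open(cert, "w") as fh:
            fh.write(ssl.DER_cert_to_PEM_cert(b"constructed webui cert"))
        print("added:", fuse_bundle(cert, bundle, store))
        print("audit:", extra_trust(bundle, store))
```

With a real key/cert pair, `extra_trust` should list exactly one fingerprint, that of your own certificate; anything else means the bundle trusts more than intended.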
Installation
You can install this extension automatically using SDWUI's "Extensions" tab if your installation is up to date.
See https://github.com/AUTOMATIC1111/stable-diffusion-webui/wiki/Extensions
For security reasons you may encounter an error in the console upon restart after installing if you are running with --listen and do not include --enable-insecure-extension-access.
If you are using a relatively new version of SDWUI, you will want to add --disable-tls-verify to your launch options if you are going with usecase 1.
But... I'm still getting certificate errors / I'm getting warnings
If you are in fact connecting to the link output by the webui console, this is expected; do not be alarmed. You have two options. The second is slightly more difficult to set up.
A. You can simply tell your browser to add an exception. (most browsers have similar steps)
B. You can properly configure things so that the browser knows that you trust the SDWUI page:
This extension is, right now, dealing only with Python's certificate trust store. It is not interacting with your system level trust store. Operating system specific trust store support may be added later, but if having to give a certificate exception at the browser level is not adequate for you, then you could add the webui.cert to your OS's trust store, which should eliminate those warnings.
Here's how to do that on some common platforms:
Additionally, Firefox users should read https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox
Why?
Without this extension, SDWUI will simply use unencrypted HTTP. Read this article by Cloudflare if you would like to better understand why this is bad. But long story short, if an attacker were to join your local network, they would be able to passively listen to your SDWUI traffic and grab entire images without even having direct access to your SDWUI server.
Here's an example of this using Wireshark:
By filtering in Wireshark to connections made to my SDWUI and HTTP protocol, we can easily see the HTTP GET and response containing the entire unencrypted image which was generated in SDWUI.
GET Request:
Unencrypted Response:
After receiving the response with the PNG data we can simply:
- Select "Portable Network Graphics"
- Right click and select export packet bytes
- Read the file you saved the bytes to as a PNG
- You have now stolen some poor user's shrek image 😢