From 5da7cceff6f28903403e2f291d2998d3486ae165 Mon Sep 17 00:00:00 2001 From: Bernd Storath <999999bst@gmail.com> Date: Wed, 5 Mar 2025 12:48:45 +0100 Subject: [PATCH] add insecure option, link readme to docs --- Dockerfile | 1 + Dockerfile.dev | 1 + README.md | 25 ++++++++++++++++--------- docker-compose.yml | 1 + src/server/utils/config.ts | 7 +++++++ src/server/utils/session.ts | 6 ++---- 6 files changed, 28 insertions(+), 13 deletions(-) diff --git a/Dockerfile b/Dockerfile index 50d60b93..65d96358 100644 --- a/Dockerfile +++ b/Dockerfile @@ -46,6 +46,7 @@ RUN update-alternatives --install /usr/sbin/ip6tables ip6tables /usr/sbin/ip6tab ENV DEBUG=Server,WireGuard,Database,CMD ENV PORT=51821 ENV HOST=0.0.0.0 +ENV INSECURE=false LABEL org.opencontainers.image.source=https://github.com/wg-easy/wg-easy diff --git a/Dockerfile.dev b/Dockerfile.dev index c3987112..b0c3a0dd 100644 --- a/Dockerfile.dev +++ b/Dockerfile.dev @@ -26,6 +26,7 @@ RUN update-alternatives --install /usr/sbin/ip6tables ip6tables /usr/sbin/ip6tab ENV DEBUG=Server,WireGuard,Database,CMD ENV PORT=51821 ENV HOST=0.0.0.0 +ENV INSECURE=false # Install Dependencies COPY src/package.json src/pnpm-lock.yaml ./ diff --git a/README.md b/README.md index 9c5c29dd..70d0d9f4 100644 --- a/README.md +++ b/README.md 
@@ -27,13 +27,18 @@ You have found the easiest way to install & manage WireGuard on any Linux host! - Gravatar support. - Automatic Light / Dark Mode - Multilanguage Support -- Traffic Stats - One Time Links - Client Expiration - Prometheus metrics support - IPv6 support - CIDR support +> [!NOTE] +> To better manage documentation for this project, it has its own site here: [https://wg-easy.github.io/wg-easy/latest](https://wg-easy.github.io/wg-easy/latest) + +- [Get Started](https://wg-easy.github.io/wg-easy/latest/usage/) +- [Basic Installation](https://wg-easy.github.io/wg-easy/latest/examples/tutorials/basic-installation/) + ## Requirements - A host with a kernel that supports WireGuard (all modern kernels). @@ -58,11 +63,10 @@ We offer multiple Docker image tags to suit your needs. The table below is in a ### 1. Install Docker -If you haven't installed Docker yet, install it by running: +If you haven't installed Docker yet, install it by running as root: ```shell curl -sSL https://get.docker.com | sh -sudo usermod -aG docker $(whoami) exit ``` @@ -73,9 +77,11 @@ And log in again. The easiest way to run WireGuard Easy is with Docker Compose. Just download [`docker-compose.yml`](docker-compose.yml), make necessary adjustments and -execute `docker compose up -d`. +execute `sudo docker compose up -d`. -The Web UI will now be available on `http://0.0.0.0:51821`. +Now setup a reverse proxy to be able to access the Web UI from the internet. + +If you want to access the Web UI over HTTP, change the env var `INSECURE` to `true`. This is not recommended. Only use this for testing 
@@ -136,10 +142,11 @@ Maintainer: [Buy kaaax0815 a coffee!](https://github.com/sponsors/kaaax0815) ☕ These options can be configured by setting environment variables using `-e KEY="VALUE"` in the `docker run` command. -| Env | Default | Example | Description | -| ------ | --------- | ----------- | --------------------------- | -| `PORT` | `51821` | `6789` | TCP port for Web UI. | -| `HOST` | `0.0.0.0` | `localhost` | IP address web UI binds to. | +| Env | Default | Example | Description | +| ---------- | --------- | ----------- | ------------------------------ | +| `PORT`. | `51821` | `6789` | TCP port for Web UI. | +| `HOST` | `0.0.0.0` | `localhost` | IP address web UI binds to. | +| `INSECURE` | `false` | `true` | If access over http is allowed | ## Updating diff --git a/docker-compose.yml b/docker-compose.yml index 9260fcd3..e8607ffe 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -7,6 +7,7 @@ services: # Optional: # - PORT=51821 # - HOST=0.0.0.0 + # - INSECURE=false image: ghcr.io/wg-easy/wg-easy container_name: wg-easy diff --git a/src/server/utils/config.ts b/src/server/utils/config.ts index 480186d9..71805e2e 100644 --- a/src/server/utils/config.ts +++ b/src/server/utils/config.ts @@ -11,3 +11,10 @@ export const OLD_ENV = { /** @deprecated Only for migration purposes */ PASSWORD_HASH: process.env.PASSWORD_HASH, }; + +export const WG_ENV = { + /** UI is hosted on HTTP instead of HTTPS */ + INSECURE: process.env.INSECURE === 'true', +}; + +console.log(WG_ENV); diff --git a/src/server/utils/session.ts b/src/server/utils/session.ts index 7b248063..9602ded5 100644 --- a/src/server/utils/session.ts +++ b/src/server/utils/session.ts @@ -7,8 +7,6 @@ export type WGSession = Partial<{ const name = 'wg-easy'; -// TODO: don't set secure to false by default - export async function useWGSession(event: H3Event, rememberMe = false) { const sessionConfig = await Database.general.getSessionConfig(); return useSession(event, { 
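Review bot: The trailing `console.log(WG_ENV);` in src/server/utils/config.ts looks like leftover debugging. It prints the whole object whenever the module is loaded, which is harmless while it holds one boolean but will put whatever is later added to `WG_ENV` into the container logs. A warning emitted only when the downgrade is active would serve an operator better, e.g. `if (WG_ENV.INSECURE) console.warn('INSECURE=true: session cookie is issued without the Secure flag');`. The TSDoc on `INSECURE` could also say that the flag controls the session cookie's `secure` attribute, since that is its only visible effect in this patch. The strict `=== 'true'` comparison is a sound fail-closed default and should stay.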
@@ -18,7 +16,7 @@ export async function useWGSession(event: H3Event, rememberMe = false) {
 // maxAge: undefined
 cookie: {
 maxAge: rememberMe ? sessionConfig.sessionTimeout : undefined,
- secure: false,
+ secure: !WG_ENV.INSECURE,
 },
 });
 }
@@ -29,7 +27,7 @@ export async function getWGSession(event: H3Event) {
 password: sessionConfig.sessionPassword,
 name,
 cookie: {
- secure: false,
+ secure: !WG_ENV.INSECURE,
 },
 });
 }
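Review bot: `secure: !WG_ENV.INSECURE` is written out separately in the cookie object of `useWGSession` and, in the following hunk, of `getWGSession`, so the two definitions can drift. A shared module-level constant such as `const cookieSecure = !WG_ENV.INSECURE;` next to `name` would keep them in step. Neither visible cookie object sets `sameSite`; if the session library's default does not already apply one, adding `sameSite: 'lax'` (or stricter) in both places is worth considering. Deployments still reached over plain HTTP will have the cookie dropped by the browser after this change unless `INSECURE=true` is set, which deserves a line in the upgrade notes. Both functions begin outside these hunks, so the remaining session options were not reviewed.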