How to enable HTTPS for Web Admin

This guide covers HTTPS for the Web Administration interface only. SSH/SFTP and FTPS traffic is encrypted by their own protocols and is not affected.

By default, the Web Administration listens on plain HTTP (http://localhost:8880). Over HTTP, the admin login password, session cookies, server configuration, and any content submitted through the panel are transmitted in plain text — anyone able to observe the network between the browser and the server can read or tamper with them. HTTP is acceptable for strict loopback access (localhost), but any remote access should go over HTTPS.

Enabling HTTPS is a two-step process:

Get a TLS certificate

For production use, obtain a certificate from a trusted Certificate Authority (CA). CA-issued certificates are trusted by browsers and clients without warnings. The process varies by CA and is beyond the scope of this article.

For testing or internal use, generate a self-signed certificate — see Generate Self-signed X.509 Certificates (CLI).

Enable HTTPS in the configuration file

To enable HTTPS, you must define the HTTPS binding and the certificate path in the webconfig.yaml file, located in your configuration directory.

  1. Open webconfig.yaml and locate the bindings section.

  2. Add an entry for port 443 (the standard HTTPS port) and specify your certificate details:

    bindings:
      # ... other bindings
      # Listen for HTTPS requests on https://localhost
      - hostname: 'localhost'
        port: 443
        certificateFromFile:
          filePath: 'C:\path\to\burusftp.pfx'
          password: 'yourpassword'

    With this configuration, the Web Administration is only accessible from the same machine. To allow access from other machines on the network, change hostname from localhost to 0.0.0.0.

  3. Restart the Web Administration Service for the security changes to take effect. You can do this via the Services section in Windows Control Panel, or by running the following command as an administrator:

    burusftpwa svc restart

  4. Once restarted, attempt to access the administration tool using the HTTPS protocol.
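One way to check the bindings section before restarting, as an added example (not part of the product or its documentation): it flags bindings that would serve plain HTTP on a non-loopback hostname and bindings that keep the PFX password in the file. The function names, the sample file, and the assumption that a binding without certificateFromFile is a plain-HTTP binding are illustrative, not taken from the product.

```python
import re

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Constructed sample. Assumption: no certificateFromFile means plain HTTP.
SAMPLE = r"""
bindings:
  - hostname: 'localhost'
    port: 8880
  - hostname: '0.0.0.0'
    port: 8880
  - hostname: '0.0.0.0'
    port: 443
    certificateFromFile:
      filePath: 'C:\path\to\burusftp.pfx'
      password: 'yourpassword'
"""

def parse_bindings(text):
    """Line parser for the bindings list only; not a general YAML parser."""
    bindings, current, in_section = [], None, False
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if not raw[0].isspace() and not stripped.startswith("- "):
            in_section = stripped == "bindings:"  # other top-level keys end it
        elif in_section:
            if stripped.startswith("- "):  # each list item starts a new binding
                bindings.append(current := {})
                stripped = stripped[2:].strip()
            m = re.match(r"(\w+):\s*(.*)$", stripped)
            if m and current is not None:
                current[m.group(1)] = m.group(2).strip("'\"")
    return bindings

def audit(text):
    """Return one finding per binding that weakens the HTTPS setup."""
    findings = []
    for b in parse_bindings(text):
        where = f"{b.get('hostname', '')}:{b.get('port', '?')}"
        tls = "certificateFromFile" in b
        if not tls and b.get("hostname", "").lower() not in LOOPBACK:
            findings.append(f"{where} serves plain HTTP beyond loopback")
        if tls and b.get("password"):
            findings.append(f"{where}: clear-text PFX password, restrict file access")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```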

Using a reverse proxy

Many users prefer to run the Web Admin behind a standalone web server acting as a reverse proxy. This is often the preferred method when using Rebex TLS Proxy, IIS, Apache, or NGINX, especially if you already have automated certificate renewal (e.g., Let's Encrypt via ACME).

Unencrypted HTTP endpoint

The web administration displays a warning when an unencrypted HTTP endpoint is used, which might be the case when using a reverse proxy. To suppress this warning, use suppressHttpEndpointWarning: true. See the suppressHttpEndpointWarning guide for more details.
