Securing your DeviceServer for Internet Access
Today I want to explain how to securely expose your DeviceServer to the Internet.
There are two things that are a must in this case:
user authentication: only allowed users should be able to reach the DeviceServer
encrypted communication between you and the DeviceServer
To get this done we use the Apache web server as a reverse proxy in front of the DeviceServer, providing SSL-encrypted communication and HTTP Basic user authentication.
In my example I use a Raspberry Pi running both the DeviceServer and Apache.
Prerequisites:
Make sure your router is configured to forward port 443/TCP to your Raspberry Pi, and that you have DynDNS set up so the Pi can be reached over the Internet by name. In my example we use myraspi.dydns.org as the symbolic hostname, and our router forwards port 443 to the Raspberry Pi. Forward only this port: the DeviceServer's own port (10080, see step 2) must stay unreachable from the Internet, otherwise the authentication we add in step 3 could be bypassed.
Now let's start:
1. Configure Apache to use SSL
We don't have a valid certificate, so we just make one ourselves. The disadvantage is that we need to accept the untrusted certificate in our browser. Nevertheless, all communication is encrypted, and that's what we want.
Become root on your Pi and configure the following:
# make a directory for the certificate files
mkdir /etc/apache2/ssl-cert.d
# set the hostname in /etc/hosts to exactly the fully qualified hostname that will be in the certificate,
# in our example myraspi.dydns.org
vi /etc/hosts
# generate a private key and a self-signed certificate valid for one year;
# when asked for the Common Name, enter the same hostname as above: myraspi.dydns.org
# (the key file should stay readable by root only)
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl-cert.d/apache.key -out /etc/apache2/ssl-cert.d/apache.crt
# enable the ssl module
a2enmod ssl
# enable the default SSL site by linking it into sites-enabled
cd /etc/apache2/sites-enabled
ln -s ../sites-available/default-ssl 001-default-ssl
# enter the certificate in the site config
vi /etc/apache2/sites-available/default-ssl
# set
SSLCertificateFile /etc/apache2/ssl-cert.d/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl-cert.d/apache.key
# restart apache
service apache2 restart
# test https://myraspi.dydns.org/
You should see the standard Apache "It works" page in your browser after accepting the untrusted certificate.
2. Configure the proxy
Next we need to configure Apache to forward all accesses to one directory to our DeviceServer, which keeps listening on localhost port 10080. I chose the directory homecontrol for that. Note that the Order/Allow lines below are Apache 2.2 syntax; on Apache 2.4 the same access rule is written with the Require directive.
# enable the apache proxy module (this also pulls in the base proxy module)
a2enmod proxy_http
# in the site config, e.g. /etc/apache2/sites-available/default-ssl
# ProxyRequests Off means reverse proxy only; Apache must never act as an open forward proxy
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass /homecontrol/ http://localhost:10080/
ProxyPassReverse /homecontrol/ http://localhost:10080/
# mark requests whose path starts with /homecontrol/u so they are left out of the access log
SetEnvIf Request_URI "^/homecontrol/u" dontlog
# adjust the log directives
# (ErrorLog takes a single argument and does not support env=, only CustomLog does)
ErrorLog /var/log/apache2/tools-error.log
CustomLog /var/log/apache2/AllSites-access.log combined env=!dontlog
# restart apache
service apache2 restart
If you now open https://myraspi.dydns.org/homecontrol/index.html you should get the start page of the DeviceServer. At this point anyone who knows the URL can reach it, so now we add the password protection and we have achieved our goal.
3. Configure the password protection
# go to the document root
cd /var/www
# generate a password file with users and passwords
# (-c creates the file, -s hashes the password with SHA-1; newer htpasswd versions also offer -B for bcrypt, which is the stronger choice)
htpasswd -cs .htpasswd youruser
# to add more users, run the same command without -c, which would otherwise overwrite the file
htpasswd -s .htpasswd anotheruser
# Debian's default Apache config refuses to serve files whose name starts with .ht, so the file is not
# downloadable; keeping it outside the document root, e.g. in /etc/apache2, is safer still
# add password protection to homecontrol
# edit the site config, e.g. /etc/apache2/sites-available/default-ssl, and add inside the same VirtualHost as the ProxyPass lines
<Location /homecontrol>
AuthType Basic
AuthUserFile /var/www/.htpasswd
AuthName "Homecontrol"
order deny,allow
allow from all
require valid-user
</Location>
# restart apache
service apache2 restart
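As an added check (example code written for this page, not part of the original post or of the DeviceServer project), here is a small POSIX shell script that audits an Apache site config such as default-ssl and reports every ProxyPass prefix that is not wrapped in a <Location> block carrying require valid-user. That is exactly the gap that exists between step 2 and step 3, and the mistake that is easy to make again when a second backend is proxied later. The two sample configs are constructed to mirror the post; the /camera/ path and the /etc/apache2/.htpasswd location in them are assumptions, not something the post configures.

```shell
#!/bin/sh
# Added example, not code from the original post: audit an Apache site config
# and report every ProxyPass prefix that is not inside a <Location> block
# carrying "require valid-user". Paths and backend ports below are assumptions
# modelled on the post (/homecontrol -> localhost:10080); /camera is hypothetical.

# protected_locations CONFIG
#   prints the path of every <Location> block that contains "require valid-user"
#   (directive names are matched case-insensitively, trailing slashes are dropped)
protected_locations() {
  awk '
    tolower($1) == "<location"   { loc = $2; sub(">$", "", loc); sub("/$", "", loc); inloc = 1; next }
    tolower($1) == "</location>" { inloc = 0; next }
    inloc && tolower($1) == "require" && tolower($2) == "valid-user" { print loc }
  ' "$1"
}

# proxied_prefixes CONFIG
#   prints the URL prefix of every ProxyPass directive, trailing slash dropped
proxied_prefixes() {
  awk '$1 == "ProxyPass" { p = $2; sub("/$", "", p); print p }' "$1"
}

# check_proxy_auth CONFIG
#   returns 0 when every proxied prefix is password protected, 1 otherwise;
#   each unprotected prefix is printed as "UNPROTECTED: <prefix>"
check_proxy_auth() {
  cfg=$1
  rc=0
  for prefix in $(proxied_prefixes "$cfg"); do
    if ! protected_locations "$cfg" | grep -qxF "$prefix"; then
      echo "UNPROTECTED: $prefix"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample configs, written to a temp dir so the script runs offline.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# The layout the post ends up with after step 3.
cat > "$workdir/good.conf" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    ProxyRequests Off
    ProxyPass /homecontrol/ http://localhost:10080/
    ProxyPassReverse /homecontrol/ http://localhost:10080/
    <Location /homecontrol>
        AuthType Basic
        AuthUserFile /etc/apache2/.htpasswd
        AuthName "Homecontrol"
        require valid-user
    </Location>
</VirtualHost>
EOF

# Same, but a second (hypothetical) backend was proxied without any <Location> auth.
cat > "$workdir/bad.conf" <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    ProxyRequests Off
    ProxyPass /homecontrol/ http://localhost:10080/
    ProxyPass /camera/ http://localhost:8080/
    <Location /homecontrol>
        AuthType Basic
        AuthUserFile /etc/apache2/.htpasswd
        require valid-user
    </Location>
</VirtualHost>
EOF

check_proxy_auth "$workdir/good.conf" && echo "good.conf: every proxied path requires a login"
check_proxy_auth "$workdir/bad.conf"  || echo "bad.conf: wrap the listed paths in a <Location> with require valid-user"
```

Run it against the real file after step 3 (check_proxy_auth /etc/apache2/sites-available/default-ssl); a nonzero exit means a proxied path can be reached without logging in. It only understands the single-file, one-directive-per-line layout used in the post: Include'd files, .htaccess rules and Location blocks using regular expressions are not followed, so treat a clean result as one check among several, not as proof.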