Securing your DeviceServer for Internet Access

Today I want to explain how to securely expose your DeviceServer to the Internet.
There are two things which are a must in this case:
- User authentication: only allowed users should be able to access the DeviceServer
- Encrypted communication between you and the DeviceServer

In order to get this done we use the Apache webserver as a reverse proxy, providing
SSL-encrypted communication and HTTP basic user authentication.

In my example I use a Raspberry Pi running both the DeviceServer and Apache.


Prerequisites:

Ensure you have configured your router to forward port 443/TCP to your
Raspberry Pi and that you have DynDNS configured so you can reach your Pi over
the Internet by name. In my example we use myraspi.dydns.org as the symbolic
hostname, and our router is configured to forward connections on port 443 to the
Raspberry Pi.


Now Let's start:


1. Configure Apache to use SSL


Since we don't have a valid certificate, we just make one ourselves. The disadvantage is
that we need to accept the untrusted certificate in our browser. Nevertheless all
communication is encrypted, and that is what we want.
Become root on your Pi and configure the following:


# make directory for the certificate files
mkdir /etc/apache2/ssl-cert.d
# set the hostname to the exact FQDN that will go into the certificate,
# in our example myraspi.dydns.org (check /etc/hostname and /etc/hosts)
vi /etc/hostname
# generate key and self-signed certificate; when prompted for the Common Name,
# enter the same FQDN as above (myraspi.dydns.org)
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl-cert.d/apache.key -out /etc/apache2/ssl-cert.d/apache.crt
# the key is written unencrypted (-nodes), so keep it readable by root only
chmod 600 /etc/apache2/ssl-cert.d/apache.key
# enable ssl
a2enmod ssl
# generate startup link
cd /etc/apache2/sites-enabled
ln -s ../sites-available/default-ssl 001-default-ssl
# enter certificate in config
vi /etc/apache2/sites-available/default-ssl
# set
SSLCertificateFile /etc/apache2/ssl-cert.d/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl-cert.d/apache.key
# restart apache
service apache2 restart
# test https://myraspi.dydns.org/


You should see the Apache standard "It works!" page in your browser after
accepting the untrusted certificate.

2. Configure the Proxy


Next we need to configure the Apache server to forward all accesses to one
directory to our DeviceServer. I chose the directory homecontrol for that:


# enable the apache proxy module
a2enmod proxy_http
# in the site config, e.g. /etc/apache2/sites-available/default-ssl
# ProxyRequests Off is essential: with it on, Apache would act as an open
# forward proxy for anyone who can reach port 443
ProxyRequests Off
<Proxy *>
          Order deny,allow
          Allow from all
</Proxy>
# forward /homecontrol/ to the DeviceServer on port 10080 via loopback
ProxyPass /homecontrol/ http://localhost:10080/
ProxyPassReverse /homecontrol/ http://localhost:10080/
# mark requests below /homecontrol/u so they are excluded from the logs
SetEnvIf Request_URI "^/homecontrol/u" dontlog

# adjust the log directives
ErrorLog /var/log/apache2/tools-error.log  env=!dontlog
CustomLog /var/log/apache2/AllSites-access.log combined env=!dontlog

# restart apache
service apache2 restart


If you now open https://myraspi.dydns.org/homecontrol/index.html
you should get the start page of the DeviceServer.

Now we need to add the password protection and we have achieved our goal.

3. Configure the password protection

# go to the document root
cd /var/www
# generate a password file with users and passwords
# (-s stores SHA-1 hashes; where your htpasswd supports it, -B (bcrypt) is the stronger choice)
htpasswd -cs .htpasswd youruser

# to add more users use
htpasswd -s .htpasswd anotheruser

# add password protection to homecontrol
# edit the site config, e.g. /etc/apache2/sites-available/default-ssl, and add
# (Basic auth sends the credentials with every request, which is why this
# location must only be reachable through the HTTPS site set up in step 1)
<Location /homecontrol>
    AuthType Basic
    AuthUserFile /var/www/.htpasswd
    AuthName "Homecontrol"
    order deny,allow
    allow from all
    require valid-user
</Location>

# restart apache
service apache2 restart
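As a final check, here is a small shell lint (an added example, not part of the original post) that verifies the site config contains every directive from steps 1 to 3, so a forgotten step such as the <Location> block is caught before port 443 is forwarded. The config text it writes is constructed for the example; the paths and the DeviceServer port are the ones used above.

```shell
#!/bin/sh
# Lint for the default-ssl site config built in steps 1-3 (added example).
# On a real Pi run: check_site_config /etc/apache2/sites-available/default-ssl
# The two sample configs written below are constructed for this example only.

check_site_config() {
    cfg="$1"; fail=0
    # reverse proxy only: with ProxyRequests On anyone reaching 443 gets an open forward proxy
    grep -Eiq '^[[:space:]]*ProxyRequests[[:space:]]+Off' "$cfg" \
        || { echo "missing: ProxyRequests Off"; fail=1; }
    # certificate and key from step 1
    for d in SSLCertificateFile SSLCertificateKeyFile; do
        grep -Eiq "^[[:space:]]*$d[[:space:]]+/" "$cfg" \
            || { echo "missing: $d"; fail=1; }
    done
    # step 2: the backend must be reached over loopback only
    grep -Eiq '^[[:space:]]*ProxyPass[[:space:]]+/homecontrol/[[:space:]]+http://(localhost|127\.0\.0\.1):' "$cfg" \
        || { echo "missing: ProxyPass /homecontrol/ -> localhost"; fail=1; }
    # step 3: auth directives must sit inside <Location /homecontrol>
    loc=$(sed -n '/<Location \/homecontrol>/,/<\/Location>/p' "$cfg")
    for d in 'AuthType[[:space:]]+Basic' 'AuthUserFile[[:space:]]+/' 'require[[:space:]]+valid-user'; do
        printf '%s\n' "$loc" | grep -Eiq "^[[:space:]]*$d" \
            || { echo "missing in <Location /homecontrol>: $d"; fail=1; }
    done
    return $fail
}

# constructed sample 1: the complete config from the walkthrough
GOOD_CFG=$(mktemp)
cat >"$GOOD_CFG" <<'EOF'
SSLCertificateFile /etc/apache2/ssl-cert.d/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl-cert.d/apache.key
ProxyRequests Off
ProxyPass /homecontrol/ http://localhost:10080/
ProxyPassReverse /homecontrol/ http://localhost:10080/
<Location /homecontrol>
    AuthType Basic
    AuthUserFile /var/www/.htpasswd
    AuthName "Homecontrol"
    require valid-user
</Location>
EOF
# constructed sample 2: step 3 forgotten, i.e. the proxy is exposed without a password
BAD_CFG=$(mktemp)
grep -v -e Auth -e require -e Location "$GOOD_CFG" >"$BAD_CFG"

if check_site_config "$GOOD_CFG"; then echo "complete config: OK"; fi
check_site_config "$BAD_CFG" || echo "config without step 3: REJECTED"
```

The function returns 0 only when every directive is found, so it can also be used as a guard in a deployment script before the router forwarding is enabled.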