OpenSprinkler › Forums › Hardware Questions › OpenSprinkler Pi (OSPi) › Secure internet access to OSPi › Re: Re: Secure internet access to OSPi
nayr
redux, simpler if your not willing to do the Client TLS cert thing.. i know not everyone will be so you can also do this which is simpler and nearly as effective, still secure enough to expose to the internet. If your up to the challenge tho give my above suggestion a try.
Use apache reverse proxy on 443 to localhost:8080, install firehol and fail2ban like above and edit fail2ban’s filter.conf and enable the default apache rules which should drop anyone who tries to brute force your web server.
You can also use nginx which I would recommend but you’ll have to find the nginx-auth filters online and setup fail2ban manually.. Lighttpd will not work as it does not log failed auth attempts 🙄
Then use the apache auth mechanism to password protect your webroot and use damn strong passwords…
Also test out fail2ban make sure your sprinklers drop all your packets for 5mins or so if you enter too many incorrect passwords..
The weakest point of this setup will be your username/password and maybe a man in the middle attack if your cert isn’t trusted, brute forcing will be effectively stopped when the OSpi/OSBo stops responding.
You have to have your own external domain but you can get Trusted Signed SSL Certificates for Free Personal use form http://StartSSL.com, I’d recommend opening port 80 and running a redirect rule to your https FQDN (search Apache force SSL) this way you can type its local hostname into the browser and it will automatically connect you to the https://fqdn without a host error.. For dynamic IP users what you can do is setup sprinklers.yourdomain.com to be a cname for yourhome.dynip.org or something like that and get the cert for sprinklers.yourdomain.com
Here is an apache config to get you started, you’ll have to create the htpasswd file and certificate files, also correct the path to the mobile controller.
ServerName OpenSprinkler
ProxyRequests Off
ProxyVia Off
Order deny,allow
Allow from all
ProxyPass / http://localhost:8080
ProxyPassReverse / http://localhost:8080
Order allow,deny
Allow from all
AuthName "Access Restricted"
AuthType Basic
AuthUserFile "/etc/apache2/.htpasswd"
Require valid-user
Alias /mobile /home/username/OpenSprinkler-Controller
LogLevel info
CustomLog /var/log/apache2/access.log combined
ErrorLog /var/log/apache2/error.log
SSLEngine on
SSLCertificateFile /etc/apache2/server.crt
SSLCertificateKeyFile /etc/apache2/server.key
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXPORT
By the way I am a Security Engineer by trade 😉
If your wanting to use the native mobile app I’d suggest installing a VPN setup because while it might work over a https connection I doubt it’ll work with username:password@hostname:443, at least I havent tested it.. yet 🙂