- This topic has 7 replies, 4 voices, and was last updated 2 months ago by
.
-
Posts
-
Hi all,
Here are the specs for my setup:
Raspberry pi 4
Ubuntu 20.04
OSPI Firmware 2.19 (3)
App Version 2.2.0I am securing my setup to use SSL. I do not have my system exposed to the internet but I am securing on my local LAN.
First question: is there a way to configure the listen address for OSPI to listen only on the localhost address? I don’t want to rely on a host firewall so I would prefer that the application control that. I want OSPI to be available only through the nginx reverse proxy and not the app port directly.
Second question: I have nginx serving as a reverse proxy to the app. I have a valid 3rd party certificate and have configured nginx to use this valid cert. However, when I go to the SSL site I get a warning that the connection is not fully secure and that is due to remote unsecured data being served. What would be pulling remote content and is there a way to stop or prohibit that? I haven’t seen this issue with my other sites and services that are using this certificate.
Please let me know if there is any additional information that might be helpful.
Thanks!
Hi kdcisit — Regarding your second question, the default setup for the web UI loads assets (such as javascript files) from a cloud server at ui.opensprinkler.com. You can move those to your local OSPI and serve them up from your nginx server, which would solve your mixed-source SSL/TLS warning.
For info about how to do this, check out https://openthings.freshdesk.com/support/solutions/articles/5000164006-using-a-different-server-for-ui-assets
Hope that helps. Cheers
First question: is there a way to configure the listen address for OSPI to listen only on the localhost address? I don’t want to rely on a host firewall so I would prefer that the application control that. I want OSPI to be available only through the nginx reverse proxy and not the app port directly.
I try to achieve the same since I already reverse proxy opensprinkler’s 8080 behind a local apache. How can I make OSPI bind only to localhost, seems like there’s no config for this – anybody found a solution?
Hello,
I realise the last post was some time ago, but I’m also wrestling with the same problem. I want to host my OpenSprinkler setup over HTTPS, locally on my home network.I have configured an instance of apache2 on my Raspberry Pi to host the UI assets and reconfigured OSPi to use it (with the help of a support ticket). I have tried various reverse proxy configuration (using Apache’s mod_proxy) and now have it mostly working.
The system appears to respond, but occasionally shows a generic “Network error” in the red ticker at the bottom of the OpenSprinkler UI (the same thing which shows if you have Raid delay set). I think this is possibly a problem with the “Weather Service” due to “mixed content” loading in the Browser, but I’m still trying to figure it out.
I stumbled through the official guide as it is lacking a lot of detail but eventually got the UI assets hosted
https://openthings.freshdesk.com/support/solutions/articles/5000164006-using-a-different-server-for-ui-assetsI then wrestled with the mod_proxy configuration and got the following to *mostly* work.
Firstly I have two DNS entries for the Raspberry Pi hosting this. For these examples they are “opensprinkler.lan” and “othername.lan”. both names resolve to the same IP, that of the Raspberry PI.
I then configured Apache for a basic SSL configuration (not documented here) using self-signed certificates for now (I’ll fix this later)
Then I enabled the following two “site” config files, after extracting the OSPi assets file in to
/var/www/htmlThis is saved as ospi-assets-ssl.conf:
`
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName othername.lan
ServerAlias othername.lan
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
<FilesMatch “\.(cgi|shtml|phtml|php)$”>
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
DocumentRoot /var/www/html
<Location />
Order allow,deny
Allow from all
</Location>
</VirtualHost>
</IfModule>
`This is saved as reverseproxy-ssl.conf:
`
IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerName opensprinkler.lan
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
<FilesMatch “\.(cgi|shtml|phtml|php)$”>
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://127.0.0.1:8008/
ProxyPassReverse / http://127.0.0.1:8008/
<Location />
Order allow,deny
Allow from all
</Location>
</VirtualHost>
</IfModule>
`
Then reloaded apache and tested.I then configured my OpenSprinkler to use Javascript assets from https://othersite.lan/js . I had to do this by going to http://opensprinkler.lan:8008 (the insecure port I have OpenSprinkler run on) and I followed the instructions in the guide linked at the top of this post to change the JavaScript URL there.
As mentioned this *mostly* works. Occasional network errors occur but the interface otherwise seems to work.
Well, it is working for me (i.e. hosting OpenSprinkler using https with apache an a Raspberry Pi). The only thing, that I do not do is hosting the UI Assets on another server. I guess you are doing this for a certain reason like that you do not have internet access in your garden maybe? Sounds like this causes the error maybe… When you get the TypeError – do you also maybe have a 404 Not Found error in the Browser’s DevTools network tab?
I would try without hosting the assets on another server and see if that works. This way you can at least narrow down the bug/problem.
I wanted to delete my second post (above) as I had updated the first after (mostly) solving the issue.
Sadly both my posts got stuck waiting for a moderator. It seems the forum filters don’t like my habit of going back and editing posts more than once to get them just_right!
To work around the intermittent (non-fatal) errors I ended up adding the following lines to the end of my reverseproxy-ssl.conf file in apache:
# Avoid races (at the cost of performance) to re-use a pooled connection
# where the connection is closed
SetEnv proxy-nokeepalive 1
SetEnv force-proxy-request-1.0 1Could you share some of your config please nachtigall?
This is my apache config from
/etc/apache2/sites-enabled/000-default-le-ssl.conf`
<IfModule mod_ssl.c>
<VirtualHost *:99999>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request’s Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName http://www.example.comServerAdmin webmaster@localhost
DocumentRoot /var/www/html# Available loglevels: trace8, …, trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warnErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with “a2disconf”.
#Include conf-available/serve-cgi-bin.conf# Proxy OpenSprinkler
# NOTE: Errors like this are normal, see https://opensprinkler.com/forums/topic/openspinkler-server-sends-back-rst-using-httptiny/
# [Tue Sep 21 08:39:13.280067 2021] [proxy_http:error] [pid 22540:tid 2911843360] (104)Connection reset by peer: [client 91.66.126.53:44360] AH01110: error reading response, referer: https://myhost.mydomainsite.org:99999/waterrunning/
<Location /waterrunning/>
AuthType Basic
AuthName “Restricted”
AuthUserFile /etc/apache2/.htpasswd
AuthBasicProvider file
Require user my_user_for_extra_http_auth
ProxyPreserveHost On
ProxyPass http://127.0.0.1:8080/
ProxyPassReverse http://127.0.0.1:8080/
</Location># Addy by Let’s Encrypt
ServerName myhost.mydomainsite.org
SSLCertificateFile /etc/letsencrypt/live/myhost.mydomainsite.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/myhost.mydomainsite.org/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
`
- You must be logged in to reply to this topic.