Re: Re: sprinklers_pi & authentication
fbret
Ok, here are the gory details! btw, I think WB50 is asking about the standard opensprinkler software… this is not about it but instead for the alternate software called sprinklers_pi. Most of my howto should be applicable to the default software, but I have not tested.
1st, we want to configure apache as a proxy. This is important for several reasons:
- while sprinklers_pi is an excellent web server, it is extremely limited in its support of the http protocol. Adding support for authentication or SSL would be serious work.
- as I intend to have this device internet accessible, I trust apache infinitely more than I trust the sprinklers_pi code. Rich Z, I hope you do not take offense, but being a coder myself, I’m pretty sure you would agree with my statement!
- why reinvent the wheel? Apache is the software running 40% of the sites on the internet.
- Apache is infinitely configurable.
I will assume you know how to ssh to the device.
To verify that you have apache2 installed:
sudo apt-get install apache2
Now enable the proxy module:
sudo a2enmod proxy_http
sudo a2enmod rewrite
sudo service apache2 restart
Now, create the virtual host that will proxy the sprinklers_pi site:
sudo nano /etc/apache2/sites-enabled/000-default
The file should have the following content:
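LogLevel warn
# Reverse proxy only: ProxyPass does not need ProxyRequests, and
# "ProxyRequests On" would turn Apache into a forward proxy as well.
ProxyRequests Off
ProxyPass / http://127.0.0.1:8080/
CustomLog ${APACHE_LOG_DIR}/access.log combined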
Now restart apache:
sudo service apache2 restart
Now verify that the proxy works by opening http://[IP of rPi]. It should behave identically to http://[IP of rPi]:8080
Congratulations, you have successfully set up the proxy.
Let’s move on to authentication. If you don’t care about authentication, you can skip the following.
First, let’s create a password file that will contain all user names and passwords allowed to log onto the web site. I decided to call my user “admin” and store the password file in the home directory:
pi@sprinkler ~ $ htpasswd -c /home/pi/.htpasswd admin
New password:
Re-type new password:
Adding password for user admin
pi@sprinkler ~ $
Edit your apache config once more:
sudo nano /etc/apache2/sites-enabled/000-default
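It should look like this once you have added the location block:
LogLevel warn
# Require a login for every URL before it is proxied
<Location />
AuthType Basic
AuthName "OpenSprinkler"
AuthUserFile /home/pi/.htpasswd
Require valid-user
</Location>
# Reverse proxy only: ProxyPass does not need ProxyRequests, and
# "ProxyRequests On" would turn Apache into a forward proxy as well.
ProxyRequests Off
ProxyPass / http://127.0.0.1:8080/
CustomLog ${APACHE_LOG_DIR}/access.log combined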
Test again that the proxy works by opening http://[IP of rPi]. It should now ask for credentials first.
But remember the site on port 8080? You did not block direct access to it. So going to http://[IP of rPi]:8080 should still allow you to anonymously access the sprinkler site. 🙁
It might be ok, for example if you want to have internet access to the apache site where you need authentication, but still provide anonymous access when you are on the local network. If that’s not ok, we are going to block access to the 8080 site:
We are going to have to edit the source code of sprinklers_pi and recompile it:
cd sprinklers_pi/
nano port.cpp
Search for (should be on line 103):
sin.sin_addr.s_addr = INADDR_ANY;
and replace with:
sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
Save the file. Then build and install:
make
sudo make install
sudo /etc/init.d/sprinklers_pi restart
Test again! Now, http://[IP of rPi] should work fine and require authentication, but http://[IP of rPi]:8080 should not respond.
Now, the final part: turn the proxy to https…
We’ll have to:
- create an SSL certificate
- allow apache to run over https
- do some translation of the page
Creation of the SSL certificate:
cd ~
openssl req -nodes -new -x509 -keyout server.key -out server.cert
Fill out all the properties when prompted by openssl.
Now enable SSL:
sudo a2enmod ssl
Edit the config:
sudo nano /etc/apache2/sites-enabled/000-default
It should look like this:
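LogLevel warn
# Terminate TLS in Apache with the self-signed certificate created above
SSLEngine On
SSLCertificateFile /home/pi/server.cert
SSLCertificateKeyFile /home/pi/server.key
# Require a login for every URL before it is proxied
<Location />
AuthType Basic
AuthName "OpenSprinkler"
AuthUserFile /home/pi/.htpasswd
Require valid-user
</Location>
# Reverse proxy only: ProxyPass does not need ProxyRequests, and
# "ProxyRequests On" would turn Apache into a forward proxy as well.
ProxyRequests Off
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
CustomLog ${APACHE_LOG_DIR}/access.log combined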
Now restart apache:
sudo service apache2 restart
Now I’m stuck! All pages have references to http://code.jquery.com/. This needs to be converted to https://code.jquery.com/. I’m pretty sure one can do it with the apache mod_rewrite, but I failed… so my (ugly) workaround:
cd ~/sprinklers_pi/web
find . -name "*.htm" -print | xargs sed -i 's/http:/https:/g'
cd ~/sprinklers_pi
make
sudo make install
sudo /etc/init.d/sprinklers_pi restart
You now have a perfectly functional https site with authentication that is appropriate to NAT through your firewall.
Enjoy!
-Fred
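
A way to check the result of the INADDR_LOOPBACK change described in the post, added here as an example that is not part of the original post or of sprinklers_pi: it parses `ss -ltn` output and reports whether port 8080 listens on loopback only. The two sample listings are constructed and the function names are hypothetical; it assumes the usual `ss -ltn` layout with the local address in column 4.

```sh
#!/bin/sh
# Added example, not from the original post.
# Constructed `ss -ltn` output: BEFORE = backend bound to INADDR_ANY,
# AFTER = backend bound to INADDR_LOOPBACK with Apache in front on 443.
BEFORE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      5            0.0.0.0:8080      0.0.0.0:*
LISTEN 0      511                *:80              *:*'
AFTER='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      5          127.0.0.1:8080      0.0.0.0:*
LISTEN 0      511                *:443             *:*'

# listeners PORT: read `ss -ltn` output on stdin and print the local address
# of every listening socket on PORT, one per line.
listeners() {
    awk -v port="$1" '
        $1 != "LISTEN" { next }          # also skips the header line
        {
            n = split($4, part, ":")     # the port follows the last ":"
            if (part[n] != port) next
            print substr($4, 1, length($4) - length(part[n]) - 1)
        }'
}

# exposed PORT: like listeners, but keep only non-loopback addresses.
exposed() {
    listeners "$1" | grep -Ev '^(127\.|\[::1\]$|\[::ffff:127\.)' || true
}

# backend_hidden PORT LISTING: 0 if PORT is listening on loopback only,
# 1 if any listener is reachable from other hosts, 2 if nothing listens.
backend_hidden() {
    [ -n "$(printf '%s\n' "$2" | listeners "$1")" ] || return 2
    [ -z "$(printf '%s\n' "$2" | exposed "$1")" ]
}

# report LABEL LISTING: print a one-line verdict for port 8080.
report() {
    if backend_hidden 8080 "$2"; then
        echo "$1: 8080 is loopback-only"
    else
        echo "$1: 8080 not loopback-only: $(printf '%s\n' "$2" | exposed 8080 | tr '\n' ' ')"
    fi
}

# On the Pi itself: report live "$(ss -ltn)"
report before "$BEFORE"
report after "$AFTER"
```
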