Re: Re: sprinklers_pi & authentication

#27094

fbret
Member

Ok, here are the gory details! btw, I think WB50 is asking about the standard opensprinkler software… this is not about it but instead for the alternate software called sprinklers_pi. Most of my howto should be applicable to the default software, but I have not tested.

1st, we want to configure apache as a proxy. This is important for several reasons:

  • while sprinklers_pi is an excellent web server, it is extremely limited in its support of the http protocol. Adding support for authentication or SSL would be serious work.
  • as I intend to have this device internet accessible, I trust apache infinitely more than I trust the sprinklers_pi code. Rich Z, I hope you do not take offense, but being a coder myself, I’m pretty sure you would agree with my statement!
  • why reinvent the wheel? Apache is the software running 40% of the sites on the internet.
  • Apache is infinitely configurable.

I will assume you know how to ssh to the device.

To verify that you have apache2 installed:

sudo apt-get install apache2

Now enable the proxy module:


sudo a2enmod proxy_http
sudo a2enmod rewrite
sudo service apache2 restart

Now, create the virtual host that will proxy the sprinklers_pi site:


sudo nano /etc/apache2/sites-enabled/000-default

The file should have the following content:



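<VirtualHost *:80>
    LogLevel warn

    # Reverse proxy only: ProxyPass does not need ProxyRequests, and "On" would
    # also make Apache a forward proxy for anyone who can reach it.
    ProxyRequests Off
    ProxyPass / http://127.0.0.1:8080/

    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>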

Now restart apache:


sudo service apache2 restart

Now verify that the proxy works by opening http://[IP of rPi]. It should behave identically to http://[IP of rPi]:8080

Congratulations, you have successfully set up the proxy.

Let’s move on to authentication. If you don’t care about authentication, you can skip the following.
First, let’s create a password file that will contain all user names and passwords allowed to log onto the web site. I decided to call my user “admin” and store the password file in the home directory:


pi@sprinkler ~ $ htpasswd -c /home/pi/.htpasswd admin
New password:
Re-type new password:
Adding password for user admin
pi@sprinkler ~ $

Edit your apache config once more:


sudo nano /etc/apache2/sites-enabled/000-default

It should look like this once you have added the location block:



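<VirtualHost *:80>
    LogLevel warn

    <Location />
        AuthType Basic
        AuthName "OpenSprinkler"
        AuthUserFile /home/pi/.htpasswd
        Require valid-user
    </Location>

    # Reverse proxy only; leave forward proxying off.
    ProxyRequests Off
    ProxyPass / http://127.0.0.1:8080/

    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>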

Test again that the proxy works by opening http://[IP of rPi]. It should now ask for credentials first.
But remember the site on port 8080? You did not block direct access to it. So going to http://[IP of rPi]:8080 should still allow you to anonymously access the sprinkler site. 🙁
It might be ok, for example if you want to have internet access to the apache site where you need authentication, but still provide anonymous access when you are on the local network. If that’s not ok, we are going to block access to the 8080 site:

We are going to have to edit the source code of sprinklers_pi and recompile it:


cd sprinklers_pi/
nano port.cpp

Search for (should be on line 103):


sin.sin_addr.s_addr = INADDR_ANY;

and replace with:


sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);

Save the file. Then build and install:


make
sudo make install
sudo /etc/init.d/sprinklers_pi restart

Test again! Now, http://[IP of rPi] should work fine and require authentication, but http://[IP of rPi]:8080 should not respond.

Now, the final part: turn the proxy to https…

We’ll have to:

  • create an SSL certificate
  • allow apache to run over https
  • do some translation of the page

Creation of the SSL certificate:


cd ~
openssl req -nodes -new -x509 -keyout server.key -out server.cert

Fill out all the properties when prompted by openssl.

Now enable SSL:


sudo a2enmod ssl

Edit the config:


sudo nano /etc/apache2/sites-enabled/000-default

It should look like this:




<VirtualHost *:443>
    LogLevel warn

    SSLEngine On
    SSLCertificateFile /home/pi/server.cert
    SSLCertificateKeyFile /home/pi/server.key

    <Location />
        AuthType Basic
        AuthName "OpenSprinkler"
        AuthUserFile /home/pi/.htpasswd
        Require valid-user
    </Location>

    # Reverse proxy only; leave forward proxying off.
    ProxyRequests Off
    ProxyPass / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/

    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Now restart apache:


sudo service apache2 restart

Now I’m stuck! All pages have references to http://code.jquery.com/. This needs to be converted to https://code.jquery.com/. I’m pretty sure one can do it with the apache mod_rewrite, but I failed… so my (ugly) workaround:


cd ~/sprinklers_pi/web
find . -name "*.htm" -print | xargs sed -i 's/http:/https:/g'
cd ~/sprinklers_pi
make
sudo make install
sudo /etc/init.d/sprinklers_pi restart

You now have a perfectly functional https site with authentication that is appropriate to NAT through your firewall.

Enjoy!

-Fred
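
Added example, not part of the post above or of the sprinklers_pi project: a small Python check that reads a vhost like the ones in this howto and reports the settings that matter once the proxy is internet-facing (forward proxying enabled, Basic auth without SSLEngine, no Require directive, backend not on loopback). The function names and both sample vhosts are constructed for illustration.

```python
from urllib.parse import urlsplit
# Constructed samples modelled on the 000-default vhost in the post.
HTTP_VHOST = """\
<VirtualHost *:80>
    <Location />
        AuthType Basic
        Require valid-user
    </Location>
    ProxyRequests On
    ProxyPass / http://127.0.0.1:8080/
</VirtualHost>
"""
HTTPS_VHOST = """\
<VirtualHost *:443>
    SSLEngine On
    <Location />
        AuthType Basic
        Require valid-user
    </Location>
    ProxyRequests Off
    ProxyPass / http://127.0.0.1:8080/
</VirtualHost>
"""

def directives(conf):
    """Map lowercased directive name -> argument strings (tags and comments skipped)."""
    found = {}
    for line in map(str.strip, conf.splitlines()):
        if line and not line.startswith(("#", "<")):
            name, _, args = line.partition(" ")
            found.setdefault(name.lower(), []).append(args.strip())
    return found

def audit(conf):
    """Return findings for a reverse-proxy vhost that fronts a local backend."""
    d = directives(conf)
    is_on = lambda name: any(a.lower() == "on" for a in d.get(name, []))
    findings = []
    if is_on("proxyrequests"):
        findings.append("forward proxy enabled (ProxyRequests On)")
    if "basic" in (a.lower() for a in d.get("authtype", [])) and not is_on("sslengine"):
        findings.append("Basic auth without SSLEngine: credentials sent in cleartext")
    if not d.get("require"):
        findings.append("no Require directive: proxied site is anonymous")
    for args in d.get("proxypass", []):
        target = args.split()[-1]  # last token is the backend URL
        if urlsplit(target).hostname not in ("127.0.0.1", "::1", "localhost"):
            findings.append("backend is not loopback: " + target)
    return findings
```

To run it against the real file, pass the contents of /etc/apache2/sites-enabled/000-default to audit(); an empty list means none of the four conditions was found.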