OpenSprinkler Forums OpenSprinkler Unified Firmware Listen address and SSL

Viewing 7 posts - 1 through 7 (of 7 total)
  • Author
    Posts
  • #67569

    kdcisit
    Participant

    Hi all,

    Here are the specs for my setup:
    Raspberry pi 4
    Ubuntu 20.04
    OSPI Firmware 2.19 (3)
    App Version 2.2.0

    I am securing my setup to use SSL. I do not have my system exposed to the internet but I am securing on my local LAN.

    First question: is there a way to configure the listen address for OSPI to listen only on the localhost address? I don’t want to rely on a host firewall so I would prefer that the application control that. I want OSPI to be available only through the nginx reverse proxy and not the app port directly.

    Second question: I have nginx serving as a reverse proxy to the app. I have a valid 3rd party certificate and have configured nginx to use this valid cert. However, when I go to the SSL site I get a warning that the connection is not fully secure and that is due to remote unsecured data being served. What would be pulling remote content and is there a way to stop or prohibit that? I haven’t seen this issue with my other sites and services that are using this certificate.

    Please let me know if there is any additional information that might be helpful.

    Thanks!

    #68392

    sirkus7
    Participant

    Hi kdcisit — Regarding your second question, the default setup for the web UI loads assets (such as javascript files) from a cloud server at ui.opensprinkler.com. You can move those to your local OSPI and serve them up from your nginx server, which would solve your mixed-source SSL/TLS warning.

    For info about how to do this, check out https://openthings.freshdesk.com/support/solutions/articles/5000164006-using-a-different-server-for-ui-assets

    Hope that helps. Cheers

    #71198

    nachtigall
    Participant

    First question: is there a way to configure the listen address for OSPI to listen only on the localhost address? I don’t want to rely on a host firewall so I would prefer that the application control that. I want OSPI to be available only through the nginx reverse proxy and not the app port directly.

    I try to achieve the same since I already reverse proxy opensprinkler’s 8080 behind a local apache. How can I make OSPI bind only to localhost, seems like there’s no config for this – anybody found a solution?

    #73168

    D N
    Participant

    Hello,
    I realise the last post was some time ago, but I’m also wrestling with the same problem. I want to host my OpenSprinkler setup over HTTPS, locally on my home network.

    I have configured an instance of apache2 on my Raspberry Pi to host the UI assets and reconfigured OSPi to use it (with the help of a support ticket). I have tried various reverse proxy configuration (using Apache’s mod_proxy) and now have it mostly working.

    The system appears to respond, but occasionally shows a generic “Network error” in the red ticker at the bottom of the OpenSprinkler UI (the same thing which shows if you have Raid delay set). I think this is possibly a problem with the “Weather Service” due to “mixed content” loading in the Browser, but I’m still trying to figure it out.

    I stumbled through the official guide as it is lacking a lot of detail but eventually got the UI assets hosted
    https://openthings.freshdesk.com/support/solutions/articles/5000164006-using-a-different-server-for-ui-assets

    I then wrestled with the mod_proxy configuration and got the following to *mostly* work.

    Firstly I have two DNS entries for the Raspberry Pi hosting this. For these examples they are “opensprinkler.lan” and “othername.lan”. both names resolve to the same IP, that of the Raspberry PI.

    I then configured Apache for a basic SSL configuration (not documented here) using self-signed certificates for now (I’ll fix this later)

    Then I enabled the following two “site” config files, after extracting the OSPi assets file in to /var/www/html

    This is saved as ospi-assets-ssl.conf:
    `
    <IfModule mod_ssl.c>
    <VirtualHost *:443>
    ServerName othername.lan
    ServerAlias othername.lan
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    <FilesMatch “\.(cgi|shtml|phtml|php)$”>
    SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
    SSLOptions +StdEnvVars
    </Directory>
    DocumentRoot /var/www/html
    <Location />
    Order allow,deny
    Allow from all
    </Location>
    </VirtualHost>
    </IfModule>
    `

    This is saved as reverseproxy-ssl.conf:
    `
    IfModule mod_ssl.c>
    <VirtualHost _default_:443>
    ServerName opensprinkler.lan
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    <FilesMatch “\.(cgi|shtml|phtml|php)$”>
    SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
    SSLOptions +StdEnvVars
    </Directory>
    ProxyRequests Off
    <Proxy *>
    Order deny,allow
    Allow from all
    </Proxy>
    ProxyPass / http://127.0.0.1:8008/
    ProxyPassReverse / http://127.0.0.1:8008/
    <Location />
    Order allow,deny
    Allow from all
    </Location>
    </VirtualHost>
    </IfModule>
    `
    Then reloaded apache and tested.

    I then configured my OpenSprinkler to use Javascript assets from https://othersite.lan/js . I had to do this by going to http://opensprinkler.lan:8008 (the insecure port I have OpenSprinkler run on) and I followed the instructions in the guide linked at the top of this post to change the JavaScript URL there.

    As mentioned this *mostly* works. Occasional network errors occur but the interface otherwise seems to work.

    #73202

    nachtigall
    Participant

    Well, it is working for me (i.e. hosting OpenSprinkler using https with apache an a Raspberry Pi). The only thing, that I do not do is hosting the UI Assets on another server. I guess you are doing this for a certain reason like that you do not have internet access in your garden maybe? Sounds like this causes the error maybe… When you get the TypeError – do you also maybe have a 404 Not Found error in the Browser’s DevTools network tab?

    I would try without hosting the assets on another server and see if that works. This way you can at least narrow down the bug/problem.

    #73203

    D N
    Participant

    I wanted to delete my second post (above) as I had updated the first after (mostly) solving the issue.

    Sadly both my posts got stuck waiting for a moderator. It seems the forum filters don’t like my habit of going back and editing posts more than once to get them just_right!

    To work around the intermittent (non-fatal) errors I ended up adding the following lines to the end of my reverseproxy-ssl.conf file in apache:

    # Avoid races (at the cost of performance) to re-use a pooled connection
    # where the connection is closed
    SetEnv proxy-nokeepalive 1
    SetEnv force-proxy-request-1.0 1

    Could you share some of your config please nachtigall?

    #73214

    nachtigall
    Participant

    This is my apache config from /etc/apache2/sites-enabled/000-default-le-ssl.conf

    `
    <IfModule mod_ssl.c>
    <VirtualHost *:99999>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request’s Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    #ServerName http://www.example.com

    ServerAdmin [email protected]
    DocumentRoot /var/www/html

    # Available loglevels: trace8, …, trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with “a2disconf”.
    #Include conf-available/serve-cgi-bin.conf

    # Proxy OpenSprinkler
    # NOTE: Errors like this are normal, see https://opensprinkler.com/forums/topic/openspinkler-server-sends-back-rst-using-httptiny/
    # [Tue Sep 21 08:39:13.280067 2021] [proxy_http:error] [pid 22540:tid 2911843360] (104)Connection reset by peer: [client 91.66.126.53:44360] AH01110: error reading response, referer: https://myhost.mydomainsite.org:99999/waterrunning/
    <Location /waterrunning/>
    AuthType Basic
    AuthName “Restricted”
    AuthUserFile /etc/apache2/.htpasswd
    AuthBasicProvider file
    Require user my_user_for_extra_http_auth
    ProxyPreserveHost On
    ProxyPass http://127.0.0.1:8080/
    ProxyPassReverse http://127.0.0.1:8080/
    </Location>

    # Addy by Let’s Encrypt
    ServerName myhost.mydomainsite.org
    SSLCertificateFile /etc/letsencrypt/live/myhost.mydomainsite.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/myhost.mydomainsite.org/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    </VirtualHost>
    </IfModule>
    `

Viewing 7 posts - 1 through 7 (of 7 total)
  • You must be logged in to reply to this topic.

OpenSprinkler Forums OpenSprinkler Unified Firmware Listen address and SSL