Listen address and SSL

[kdcisit]

Hi all,

Here are the specs for my setup:
Raspberry pi 4
Ubuntu 20.04
OSPI Firmware 2.19 (3)
App Version 2.2.0

I am securing my setup to use SSL. I do not have my system exposed to the internet but I am securing on my local LAN.

First question: is there a way to configure the listen address for OSPI to listen only on the localhost address? I don’t want to rely on a host firewall so I would prefer that the application control that. I want OSPI to be available only through the nginx reverse proxy and not the app port directly.

Second question: I have nginx serving as a reverse proxy to the app. I have a valid 3rd party certificate and have configured nginx to use this valid cert. However, when I go to the SSL site I get a warning that the connection is not fully secure and that is due to remote unsecured data being served. What would be pulling remote content and is there a way to stop or prohibit that? I haven’t seen this issue with my other sites and services that are using this certificate.

Please let me know if there is any additional information that might be helpful.

Thanks!

[sirkus7]

Hi kdcisit — Regarding your second question, the default setup for the web UI loads assets (such as javascript files) from a cloud server at ui.opensprinkler.com. You can move those to your local OSPI and serve them up from your nginx server, which would solve your mixed-source SSL/TLS warning.

For info about how to do this, check out https://openthings.freshdesk.com/support/solutions/articles/5000164006-using-a-different-server-for-ui-assets

Hope that helps. Cheers

[nachtigall]

First question: is there a way to configure the listen address for OSPI to listen only on the localhost address? I don’t want to rely on a host firewall so I would prefer that the application control that. I want OSPI to be available only through the nginx reverse proxy and not the app port directly.

I try to achieve the same since I already reverse proxy opensprinkler’s 8080 behind a local apache. How can I make OSPI bind only to localhost, seems like there’s no config for this – anybody found a solution?

[D N]

Hello,
I realise the last post was some time ago, but I’m also wrestling with the same problem. I want to host my OpenSprinkler setup over HTTPS, locally on my home network.

I have configured an instance of apache2 on my Raspberry Pi to host the UI assets and reconfigured OSPi to use it (with the help of a support ticket). I have tried various reverse proxy configuration (using Apache’s mod_proxy) and now have it mostly working.

The system appears to respond, but occasionally shows a generic “Network error” in the red ticker at the bottom of the OpenSprinkler UI (the same thing which shows if you have Raid delay set). I think this is possibly a problem with the “Weather Service” due to “mixed content” loading in the Browser, but I’m still trying to figure it out.

I stumbled through the official guide as it is lacking a lot of detail but eventually got the UI assets hosted
https://openthings.freshdesk.com/support/solutions/articles/5000164006-using-a-different-server-for-ui-assets

I then wrestled with the mod_proxy configuration and got the following to *mostly* work.

Firstly I have two DNS entries for the Raspberry Pi hosting this. For these examples they are “opensprinkler.lan” and “othername.lan”. both names resolve to the same IP, that of the Raspberry PI.

I then configured Apache for a basic SSL configuration (not documented here) using self-signed certificates for now (I’ll fix this later)

Then I enabled the following two “site” config files, after extracting the OSPi assets file in to /var/www/html

This is saved as ospi-assets-ssl.conf:
`
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName othername.lan
ServerAlias othername.lan
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
<FilesMatch “\.(cgi|shtml|phtml|php)$”>
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
DocumentRoot /var/www/html
<Location />
Order allow,deny
Allow from all
</Location>
</VirtualHost>
</IfModule>
`

This is saved as reverseproxy-ssl.conf:
`
IfModule mod_ssl.c>
<VirtualHost _default_:443>
ServerName opensprinkler.lan
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
<FilesMatch “\.(cgi|shtml|phtml|php)$”>
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass / http://127.0.0.1:8008/
ProxyPassReverse / http://127.0.0.1:8008/
<Location />
Order allow,deny
Allow from all
</Location>
</VirtualHost>
</IfModule>
`
Then reloaded apache and tested.

I then configured my OpenSprinkler to use Javascript assets from https://othersite.lan/js . I had to do this by going to http://opensprinkler.lan:8008 (the insecure port I have OpenSprinkler run on) and I followed the instructions in the guide linked at the top of this post to change the JavaScript URL there.

As mentioned this *mostly* works. Occasional network errors occur but the interface otherwise seems to work.

[nachtigall]

Well, it is working for me (i.e. hosting OpenSprinkler using https with apache an a Raspberry Pi). The only thing, that I do not do is hosting the UI Assets on another server. I guess you are doing this for a certain reason like that you do not have internet access in your garden maybe? Sounds like this causes the error maybe… When you get the TypeError – do you also maybe have a 404 Not Found error in the Browser’s DevTools network tab?

I would try without hosting the assets on another server and see if that works. This way you can at least narrow down the bug/problem.

[D N]

I wanted to delete my second post (above) as I had updated the first after (mostly) solving the issue.

Sadly both my posts got stuck waiting for a moderator. It seems the forum filters don’t like my habit of going back and editing posts more than once to get them just_right!

To work around the intermittent (non-fatal) errors I ended up adding the following lines to the end of my reverseproxy-ssl.conf file in apache:

# Avoid races (at the cost of performance) to re-use a pooled connection
# where the connection is closed
SetEnv proxy-nokeepalive 1
SetEnv force-proxy-request-1.0 1

Could you share some of your config please nachtigall?

[nachtigall]

This is my apache config from /etc/apache2/sites-enabled/000-default-le-ssl.conf

`
<IfModule mod_ssl.c>
<VirtualHost *:99999>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request’s Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName http://www.example.com

ServerAdmin webmaster@localhost
DocumentRoot /var/www/html

# Available loglevels: trace8, …, trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with “a2disconf”.
#Include conf-available/serve-cgi-bin.conf

# Proxy OpenSprinkler
# NOTE: Errors like this are normal, see https://opensprinkler.com/forums/topic/openspinkler-server-sends-back-rst-using-httptiny/
# [Tue Sep 21 08:39:13.280067 2021] [proxy_http:error] [pid 22540:tid 2911843360] (104)Connection reset by peer: [client 91.66.126.53:44360] AH01110: error reading response, referer: https://myhost.mydomainsite.org:99999/waterrunning/
<Location /waterrunning/>
AuthType Basic
AuthName “Restricted”
AuthUserFile /etc/apache2/.htpasswd
AuthBasicProvider file
Require user my_user_for_extra_http_auth
ProxyPreserveHost On
ProxyPass http://127.0.0.1:8080/
ProxyPassReverse http://127.0.0.1:8080/
</Location>

# Addy by Let’s Encrypt
ServerName myhost.mydomainsite.org
SSLCertificateFile /etc/letsencrypt/live/myhost.mydomainsite.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/myhost.mydomainsite.org/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
`

[Author]

Posts