
Author Topic: NGINX, Authentication, SSL and IFTTT  (Read 1649 times)

January 14, 2016, 10:06:28 PM

[email protected]

I mentioned in another thread that I had set up nginx as a reverse proxy doing SSL off-load with a free SSL cert from Let's Encrypt.

Here are the notes I have cobbled together for setting all of this up on a Raspberry Pi, including Mono and HomeGenie.



I use the nginx config to un-restrict access to a specific URL, such as /api/Wallis.IFTTT/, i.e. internally: http://192.168.0.1/api/Wallis.IFTTT/2/Control.Off. This allows this one set of API calls to be called by the IFTTT servers but adds basic auth to all other bits, apart from the certificate verification.

Externally that then becomes: https://www.mydomainname.co.uk/api/HomeAutomation.IFTTT/2/Control.Off

This can probably be simplified:

Code:
# Remove Mono if installed
sudo apt-get remove mono-complete --yes
sudo apt-get autoremove --yes

# Update Mono
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF
echo "deb http://download.mono-project.com/repo/debian wheezy main" | sudo tee /etc/apt/sources.list.d/mono-xamarin.list
sudo apt-get update --yes
sudo apt-get install mono-complete

# Download & Install homegenie
sudo apt-get install gdebi-core --yes
sudo wget http://sourceforge.net/projects/homegenie/files/homegenie-beta_1.1.r512_all.deb
sudo gdebi --non-interactive homegenie-beta_1.1.r512_all.deb

# Install nginx web server to be used as a reverse proxy and a web server for letsencrypt certificate auth
sudo apt-get install nginx  --yes
 
# We need htpasswd to create the password file (hashed passwords) for the user that Basic Authentication will check.
sudo apt-get -y install apache2-utils
 
# generate username and password to be used to 'secure' homegenie
sudo htpasswd -c /etc/nginx/.htpasswd myusername
 
# Install Let's Encrypt, notes from here: https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04
sudo apt-get -y install git bc
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
 
# The Standalone plugin provides a very simple way to obtain SSL certificates.
# It works by temporarily running a small web server, on port 80
# So stop HomeGenie whilst we do this.
sudo service homegenie stop
 
# stop nginx as it's bound to 443
sudo service nginx stop
 
# prevent the InsecurePlatformWarning error if running python < 2.7.9 and unable to upgrade
sudo apt-get -y install libssl-dev openssl
sudo apt-get -y install python-augeas
 
# Ensure your firewall is forwarding external port 80 to port 80 on the server while the standalone ACME
# challenge runs; afterwards change the forward so that external port 80 goes to port 81 on the internal IP (nginx).

# Run Let's encrypt client
cd /opt/letsencrypt
./letsencrypt-auto certonly --standalone -d mydomainname.co.uk,www.mydomainname.co.uk
 
# Edit nginx config file and add the text below
sudo nano /etc/nginx/sites-available/default

server {
        listen 81; # HomeGenie is on 80, so port-forward 80->81 on the router. Note: 81 is plain HTTP, so Basic Auth credentials sent to it are not encrypted.
        listen 443 ssl;
        server_name mydomainname.co.uk www.mydomainname.co.uk; # space-separated, no comma
        gzip             on;
        gzip_proxied     any;
        gzip_types       text/css text/plain text/xml application/xml application/javascript application/x-javascript text/javascript application/json; # list was cut off in the forum display
        gzip_vary        on;
        ssl_certificate /etc/letsencrypt/live/www.mydomainname.co.uk/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/www.mydomainname.co.uk/privkey.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # TLSv1 and TLSv1.1 are deprecated today; drop them unless an old client needs them
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        #keepalive_requests 0;
        #keepalive_requests 2147483647; # Attempt to set to  near 'infinite'
       
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd; # Used for basic auth
               
        location /api/HomeAutomation.IFTTT/ {
            auth_basic off;         # no password on this prefix so the IFTTT servers can call it
            proxy_pass              http://localhost;
            proxy_set_header        X-Real-IP $remote_addr;
        }
       
        location / {
            satisfy any; # by default this is all meaning IP and Basic Auth is needed, this means one or the other.
            allow 127.0.0.1;
            # allow 195.111.222.111; # Whitelist an external IP such as work?
            # allow 195.222.111.23; # Whitelist an external IP such as work?
            deny  all;
                       
            # Reverse Proxy config
            proxy_pass              http://localhost;
            proxy_set_header        X-Real-IP $remote_addr;
        }
       
        # For Let's Encrypt authentication (webroot challenge)
        location /.well-known {
            root /usr/share/nginx/www;
            auth_basic off;
            allow all;
        }
}
 
#server {
#    # Redirect HTTP to HTTPS
#    listen 80;
#    server_name mydomainname.co.uk www.mydomainname.co.uk;
#    return 301 https://$host$request_uri;
#}
 
### END OF NGINX CONFIG

# Use nginx to serve the ACME content; you can then set up a cron job to renew the cert
cd /opt/letsencrypt
/opt/letsencrypt/letsencrypt-auto certonly -a webroot --webroot-path=/usr/share/nginx/www -d mydomainname.co.uk,www.mydomainname.co.uk --agree-tos --renew-by-default

# restart homegenie and nginx
sudo service homegenie start
sudo service nginx start
 



For IFTTT, create a recipe such as a geofence and then use the Maker channel to call the web service URL in the form of your domain:

https://www.mydomainname.co.uk/api/HomeAutomation.IFTTT/2/Control.Off

Method: POST, content type: text/plain, Body: anything you want to pass.

I have then created an hgx that exposes virtual switches for a quick test, but what you do is up to you.

Cheers

David
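Added example, not from David's post or the HomeGenie project: a small audit script for an nginx server block like the one above. It parses the config, applies nginx's inheritance rules for auth_basic, satisfy and allow/deny, and lists which location prefixes an anonymous remote client can reach without a password; the sample config and the TEST-NET client address are constructed placeholders.

```python
import copy, re

# Constructed sample mirroring the thread's server block (placeholder names).
SAMPLE_CONFIG = """
server {
    auth_basic "Restricted";                 # password on everything by default
    location /api/HomeAutomation.IFTTT/ { auth_basic off; proxy_pass http://localhost; }
    location / { satisfy any; allow 127.0.0.1; deny all; proxy_pass http://localhost; }
    location /.well-known { auth_basic off; allow all; root /usr/share/nginx/www; }
}
"""

def parse_locations(config):
    """Map each location prefix to its effective directives, inheriting from the
    server block as nginx does (a location's first allow/deny replaces the set)."""
    text = re.sub(r"#[^\n]*", "", config)                     # strip comments
    stack, locations = [], {}
    for stmt, end in re.findall(r"([^;{}]*)([;{}])", text):
        words = stmt.split()
        if end == "{":                                        # open a context
            ctx = copy.deepcopy(stack[-1][1] if stack else {"access": []})
            ctx["_own_access"] = False
            stack.append((words, ctx))
        elif end == "}":                                      # close a context
            words, ctx = stack.pop()
            if words[0] == "location":
                locations[words[-1]] = ctx
        elif words:                                           # plain directive
            ctx = stack[-1][1]
            if words[0] in ("allow", "deny"):
                if not ctx["_own_access"]:
                    ctx["access"], ctx["_own_access"] = [], True
                ctx["access"].append((words[0], words[1]))
            else:
                ctx[words[0]] = " ".join(words[1:])
    return locations

def reachable_without_password(d, client_ip="203.0.113.10"):
    """True if a client at client_ip (TEST-NET placeholder; exact IP matches only,
    no CIDR) gets through with no Basic Auth credentials."""
    ip_ok = True
    for verb, value in d["access"]:                           # first match wins
        if value in ("all", client_ip):
            ip_ok = verb == "allow"
            break
    if d.get("auth_basic", "off") == "off":
        return ip_ok
    return d.get("satisfy", "all") == "any" and ip_ok         # IP alone satisfies

def unauthenticated_paths(config):
    return [p for p, d in parse_locations(config).items() if reachable_without_password(d)]
```

Run it against your own server block to confirm that only the prefixes you intend (here the IFTTT API and the ACME challenge directory) are open to anonymous callers.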



January 14, 2016, 11:12:21 PM
Reply #1

Maximo

Hi David,

I'll be honest I hate to see posts like this not acknowledged, so I thought I'd make the effort.

This looks very interesting, good work and thanks for your efforts.

Cheers,

Garry

January 15, 2016, 08:04:40 PM
Reply #2

[email protected]

Thanks, appreciate that.

IFTTT and geofencing was easier than writing my own app!

November 13, 2016, 11:30:16 PM
Reply #3

HGexperimenter

Just read it too - very interesting, and I learned some more!
Thanks!!

November 14, 2016, 10:00:44 AM
Reply #4

[email protected]

The Let's Encrypt steps have changed as they have a new app, and I need to get that working again; I just don't have the time at the moment, with other things on the go.