I mentioned in another thread that I had set up nginx as a reverse proxy and doing ssl off-load with a free ssl cert from letsencrypt..
Here are the notes I have cobbled together for setting all of this up this on a raspberry pi including mono and homegenie
I use the nginx config to un-restrict access to a specific URL, such as /api/Wallis.IFTTT/ ie internally:
http://192.168.0.1/api/Wallis.IFTTT/2/Control.Off - this allows this one set of api calls to be called by the IFTTT servers but add basic auth to all other bits, apart from the certificate verification.
Externally that then becomes:
https://www.mydomainname.co.uk/api/HomeAutomation.IFTTT/2/Control.Offthis can prob be simplified:
# Remove Mono if installed
sudo apt-get remove mono-complete --yes
sudo apt-get autoremove --yes
# Update Mono
sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF
echo "deb http://download.mono-project.com/repo/debian wheezy main" | sudo tee /etc/apt/sources.list.d/mono-xamarin.list
sudo apt-get update --yes
sudo apt-get install mono-complete
# Download & Install homegenie
sudo apt-get install gdebi-core --y
sudo wget http://sourceforge.net/projects/homegenie/files/homegenie-beta_1.1.r512_all.deb
sudo gdebi homegenie-beta_1.1.r512_all.deb --n
# Install nginx web server to be used as a reverse proxy and a web server for letsencrypt certificate auth
sudo apt-get install nginx --yes
# We need htpasswd to create and generate an encrypted for the user using Basic Authentication.
sudo apt-get -y install apache2-utils
# generate username and password to be used to 'secure' homegenie
sudo htpasswd -c /etc/nginx/.htpasswd myusername
# Install Let's Encrypt, Notes from here [url]https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04[/url]
sudo apt-get -y install git bc
sudo git clone [url]https://github.com/letsencrypt/letsencrypt[/url] /opt/letsencrypt
# The Standalone plugin provides a very simple way to obtain SSL certificates.
# It works by temporarily running a small web server, on port 80
# So stop HomeGenie whilst we do this.
sudo service homegenie stop
# stop nginx as its bound to 443
sudo service nginx stop
# prevent InsecurePlatformWarning error if running python < 2.7.9 and unable to upgrade
sudo apt-get install libssl-dev openssl
apt-get install python-augeas
# Ensure your firewall is forwarding port 80 to the server for the ACME protocol, change this to forward external
# port 80 to the internal IP on port 81
# Run Let's encrypt client
cd /opt/letsencrypt
./letsencrypt-auto certonly --standalone -d mydomainname.co.uk,www.mydomainname.co.uk
# Edit nginx config file and add the text below
sudo nano /etc/nginx/sites-available/default
server {
listen 81; #Homegenie running on 80 so portforward 80->81 on router
listen 443 ssl;
server_name mydomainname.co.uk, [url=http://www.mydomainname.co.uk;]www.mydomainname.co.uk;[/url]
gzip on;
gzip_proxied any;
gzip_types text/css text/plain text/xml application/xml application/javascript application/x-javascript text/javascript application/json text/$
gzip_vary on;
ssl_certificate /etc/letsencrypt/live/www.mydomainname.co.uk/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.mydomainname.co.uk/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
#keepalive_requests 0;
#keepalive_requests 2147483647; # Attempt to set to near 'infinite'
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/.htpasswd; # Used for basic auth
location /api/HomeAutomation.IFTTT/ {
auth_basic off;
proxy_pass http://localhost;
proxy_set_header X-Real-IP $remote_addr;
}
location / {
satisfy any; # by default this is all meaning IP and Basic Auth is needed, this means one or the other.
allow 127.0.0.1;
# allow 195.111.222.111; # Whitelist an external IP such as work?
# allow 195.222.111.23; # Whitelist an external IP such as work?
deny all;
# Reverse Proxy config
proxy_pass http://localhost;
proxy_set_header X-Real-IP $remote_addr;
}
# For Lets Encrypt Authentication
location /.well-known {
root /usr/share/nginx/www;
auth_basic off;
allow all;
}
}
#server {
# # Redirect HTTP to HTTPS
# listen 80;
# server_name mydomainname.co.uk, [url=http://www.mydomainname.co.uk;]www.mydomainname.co.uk;[/url]
# return 301 https://$host$request_uri;
#}
### END OF NGINX CONFIG
# Use nginx to serve ACME content, you can then setup a cronjob to update the cert
cd /opt/letsencrypt
/opt/letsencrypt/letsencrypt-auto certonly -a webroot --webroot-path=/usr/share/nginx/www -d mydomainname.co.uk,www.mydomainname.co.uk --agree-tos --renew-by-default
# restart homegenie and nginx
sudo service homegenie start
sudo service nginx start
For IFTT, create a recipe such as a geofence and then use the maker chanel to call the webservice url in the form of your domain
https://www.mydomainname.co.uk/api/HomeAutomation.IFTTT/2/Control.OffMethod: POST, content type: text/plain Body: Anything you want to pass..
I have then created a hgx that exposes virtual switches for a quick test, but what you do is up to you..
Cheers
David
