[HowTo] Authentication for your Razberry (using nginx)

dolpheen
Posts: 119
Joined: 10 Feb 2015 00:38

Post by dolpheen » 16 Apr 2015 19:42

This topic describes how to set up authentication for your Razberry. For example, if you have several razberries in your local network and want to restrict access to them, or if you want to securely access your razberry from outside your local network if you have a static IP or dynamic DNS (as an alternative to find.z-wave.me and until we have an embedded authentication mechanism in the z-way software).

The procedure was tested on the Raspberry Pi 2 platform with 2.0.1-rc25 installed.
For installing you need access to the command line of your razberry and to be familiar with some Linux editor (I used Midnight Commander).

Step 1 - Setting up the nginx server
Install it with the following command from the command line

Code:

sudo apt-get install nginx

Run it

Code:

sudo /etc/init.d/nginx start

From your browser go to the IP address of your razberry (192.168.10.98 in my case)

If you see the following screen then congratulations! You have your personal server running on razberry!
[Screenshot: nginx_after_install.png]
In case of problems check the following link: How to install nginx on Raspberry...

Step 2 - Making nginx a reverse proxy for your Razberry
With your favorite editor edit the file '/etc/nginx/sites-available/default'
Put the following lines in the 'location /' section.

Code:

location / {
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   Host $http_host;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass         http://localhost:8083/;
}

In my editor it looks like this
[Screenshot: nginx_reverse_proxy.png]
Restart the nginx server

Code:

sudo /etc/init.d/nginx restart

Then go in your browser to the IP of your razberry again.
You should see the Welcome screen of your Raspberry
[Screenshot: razberry_with_ngin_back_proxy.png]
Step 3 - Provide access only for an authenticated user
Install the helper utility

Code:

sudo apt-get install apache2-utils

Create a sample user and a password for it (more info...)

Code:

sudo htpasswd -c /etc/nginx/.htpasswd superuser

Add the following lines to the nginx configuration file '/etc/nginx/sites-available/default'
Add them in the 'location /' section after the proxy settings

Code:

auth_basic "Restricted";
auth_basic_user_file /etc/nginx/.htpasswd;

Restart the nginx server

Code:

sudo /etc/init.d/nginx restart

Then you should see a request for your login and password to access the razberry.
But you can still access it on port :8083, so let's block it.

Code:

sudo iptables -A INPUT -p tcp -s localhost --dport 8083 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 8083 -j DROP

That's all! Now only a user that knows the password has access to your raZpberry!

***To revert the changes to iptables run 'iptables -L --line-numbers' and check that there are 3 lines in the INPUT section, then you can delete them with the following commands

Code:

sudo iptables -D INPUT 1
sudo iptables -D INPUT 1
sudo iptables -D INPUT 1

Adding SSL - Step 1
Create a certificate for your razberry (more info...)
From the command line enter

Code:

sudo mkdir /etc/nginx/ssl
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt

Adding SSL - Step 2
Modify your nginx configuration file - '/etc/nginx/sites-available/default'
Add these lines to the 'server' section.

Code:

listen 8085 ssl;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;

For SSL we will use port 8085 because the standard 443 is used by the razberry mongoose webif server.
Restart nginx.

Code:

sudo /etc/init.d/nginx restart

Now you have a secure SSL connection to your razberry.

And the last section
Example of settings to control the razberry remotely from JavaScript

The config file should look like this to allow cross-origin requests

Code:

location / {
        add_header Access-Control-Allow-Origin http://localhost:8000;
        add_header Access-Control-Allow-Methods GET,POST,OPTIONS;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   Host $http_host;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass         http://localhost:8083/;
        proxy_hide_header  Access-Control-Allow-Origin;

        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;
}

The JavaScript example to request a sensor value via SSL and authentication.

Code:

$.ajax({
  type: 'GET',
  url: 'https://superuser:password@192.168.10.98:8085/JS/Run/controller.devices.get("ZWayVDev_zway_2-1-48-1").get("metrics:level")',
  xhrFields: {
    withCredentials: true
  },
  data: {},
  crossDomain: true
}).done(function(data) {
  console.log("Data returned: " + data);
});

Razberry B+ 2.0.1-rc25 on ZW500 + 15 devices / Razberry B 2.0.1-rc25 on ZW300 for test
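
An offline check of the two controls the how-to above relies on (basic auth on the proxied location, and port 8083 closed to non-local clients), added here as an example and not part of dolpheen's post. The function names, file names and the sample rule listing are constructed; it assumes flat location blocks as in the post and a rule listing saved from `sudo iptables -S INPUT`.

```shell
#!/bin/sh
# Added example: offline audit of the controls this how-to sets up.
# Assumptions: flat "location { ... }" blocks as in the post, and rules
# saved with `sudo iptables -S INPUT > rules.txt`. Names are illustrative.

# Pass only if a location proxying to :8083 exists and every such
# location also sets auth_basic (not "off") and auth_basic_user_file.
check_proxy_auth() {
    awk '
        /^[ \t]*#/ { next }                                  # skip comments
        /^[ \t]*location[ \t]/ { inloc = 1; proxy = auth = file = 0 }
        inloc && /proxy_pass[ \t].*:8083/ { proxy = 1 }
        inloc && /^[ \t]*auth_basic[ \t]/ && !/auth_basic[ \t]+off/ { auth = 1 }
        inloc && /^[ \t]*auth_basic_user_file[ \t]/ { file = 1 }
        inloc && /^[ \t]*}/ {
            if (proxy) { seen = 1; if (!(auth && file)) bad = 1 }
            inloc = 0
        }
        END { exit !(seen && !bad) }
    ' "$1"
}

# Pass only if the first unrestricted rule for tcp/8083 is DROP or REJECT
# and no earlier rule accepts the port from a non-loopback source.
check_8083_blocked() {
    awk '
        !/--dport 8083( |$)/ { next }              # only rules for the Z-Way port
        / -j ACCEPT/ && !/ -s 127\./ && !/ -i lo / { exit }
        / -j (DROP|REJECT)/ && !/ -s / { ok = 1; exit }
        END { exit !ok }
    ' "$1"
}

# Constructed sample input mirroring the post's configuration.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'location / {' \
        '    proxy_pass http://localhost:8083/;' \
        '    auth_basic "Restricted";' \
        '    auth_basic_user_file /etc/nginx/.htpasswd;' \
        '}' > "$d/site.conf"
    printf '%s\n' '-P INPUT ACCEPT' \
        '-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 8083 -j ACCEPT' \
        '-A INPUT -p tcp -m tcp --dport 8083 -j DROP' > "$d/rules.txt"
    check_proxy_auth "$d/site.conf" && check_8083_blocked "$d/rules.txt"
    rc=$?; rm -rf "$d"; return $rc
}
demo && echo "audit passed"
```

Run the two functions against the real site file and a saved rule listing after a reboot as well, since rules added with `iptables -A` are not persistent on their own.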

pz1
Posts: 2053
Joined: 08 Apr 2012 13:44

Re: [HowTo] Authentication for your Razberry

Post by pz1 » 17 Apr 2015 10:07

Thanks for sharing your knowledge

xchatter
Posts: 25
Joined: 27 Mar 2015 16:27

Re: [HowTo] Authentication for your Razberry

Post by xchatter » 20 Apr 2015 23:33

Thanks for this, dolpheen!

pz1
Posts: 2053
Joined: 08 Apr 2012 13:44

Re: [HowTo] Authentication for your Razberry (using nginx)

Post by pz1 » 10 Sep 2015 15:04

@dolpheen
How does your solution compare to/interfere with the newly added native authentication in Zway?
