[HowTo] Authentication for your Razberry (using nginx)
Posted: 16 Apr 2015 19:42
This topic describes how to set up authentication for your Razberry. It is useful, for example, if you have several Razberries in your local network and want to restrict access to them, or if you have a static IP or dynamic DNS and want to securely access your Razberry from outside your local network (as an alternative to find.z-wave.me, and until we have an embedded authentication mechanism in the z-way software).
The procedure was tested on the Raspberry Pi 2 platform with 2.0.1-rc25 installed.
To install, you need command-line access to your Razberry and familiarity with a Linux text editor (I used Midnight Commander).
Step 1 - Setting up the nginx server
Install it with the following command from the command line:
Code:
sudo apt-get install nginx
Run it:
Code:
sudo /etc/init.d/nginx start
From your browser, go to the IP address of your Razberry (192.168.10.98 in my case).
If you see the nginx welcome screen, then congratulations! You have your personal server running on the Razberry! In case of problems, check the following link: How to install nginx on Raspberry...
Step 2 - Making nginx a reverse proxy for your Razberry
With your favorite editor, edit the file '/etc/nginx/sites-available/default'.
Put the following lines in the 'location /' section:
Code:
location / {
    # Pass the original client address and host name on to Z-Way
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Forward every request to the Z-Way server on port 8083
    proxy_pass http://localhost:8083/;
}
Restart the nginx server:
Code:
sudo /etc/init.d/nginx restart
Then go to the IP of your Razberry in your browser again.
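You should see the Welcome screen of your Razberry.
Step 3 - Provide access only to authenticated users
Install the helper utility:
Code:
sudo apt-get install apache2-utils
Create a sample user and a password for it (more info...):
Code:
sudo htpasswd -c /etc/nginx/.htpasswd superuser
Add the following lines to the nginx configuration file '/etc/nginx/sites-available/default', in the 'location /' section after the proxy settings:
Code:
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/.htpasswd;
Restart the nginx server:
Code:
sudo /etc/init.d/nginx restart
You should then be asked for your login and password to access the Razberry.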
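But you can still access it directly on port 8083, so let's block it.
Code:
# Let local processes (nginx) keep reaching Z-Way on port 8083
sudo iptables -A INPUT -p tcp -s localhost --dport 8083 -j ACCEPT
# Drop every other connection to port 8083
sudo iptables -A INPUT -p tcp --dport 8083 -j DROP
That's all! Now only a user who knows the password has access to your Razberry!
***To revert the changes to iptables, run 'iptables -L --line-numbers' and check that there are 3 lines in the INPUT section; then you can delete them with the following commands:
Code:
sudo iptables -D INPUT 1
sudo iptables -D INPUT 1
sudo iptables -D INPUT 1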
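The revert step above deletes rules by position, which removes the wrong rules if anything else sits at the top of INPUT. As an added example (not part of the original post), this sketch reads 'iptables -S INPUT' output, prints delete-by-specification commands for the port 8083 rules, and checks that the loopback ACCEPT precedes the DROP; the sample rule listing and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `sudo iptables -S INPUT` after the two rules were added.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 8083 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8083 -j DROP'

# Print one `iptables -D INPUT <spec>` per rule on stdin that targets port $1.
# Deleting by specification cannot hit an unrelated rule (here: the SSH one).
revert_cmds() {
    port="$1"
    while IFS= read -r rule; do
        case "$rule" in
            "-A INPUT "*"--dport $port "*)
                printf 'iptables -D INPUT %s\n' "${rule#-A INPUT }" ;;
        esac
    done
}

# Succeed only if the loopback ACCEPT for port $1 comes before the DROP;
# rules match top-down, and nginx's proxy_pass to localhost needs the ACCEPT.
loopback_allowed_first() {
    port="$1"
    while IFS= read -r rule; do
        case "$rule" in
            *"-s 127.0.0.1/32 "*"--dport $port "*"-j ACCEPT") return 0 ;;
            *"--dport $port "*"-j DROP") return 1 ;;
        esac
    done
    return 1
}

printf '%s\n' "$SAMPLE_RULES" | revert_cmds 8083
if printf '%s\n' "$SAMPLE_RULES" | loopback_allowed_first 8083; then
    echo "order ok: loopback ACCEPT precedes DROP"
fi
```

On the Pi, feed it live data with 'sudo iptables -S INPUT | revert_cmds 8083', review the printed commands, then run them with sudo.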
Adding SSL - Step 1
Create a certificate for your Razberry (more info...).
From the command line, enter:
Code:
sudo mkdir /etc/nginx/ssl
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt
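Adding SSL - Step 2
Modify your nginx configuration file '/etc/nginx/sites-available/default'.
Add the following lines to the 'server' section.
For SSL we will use port 8085, because the standard port 443 is used by the Razberry mongoose webif server.
Code:
listen 8085 ssl;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
Restart nginx.
Code:
sudo /etc/init.d/nginx restart
Now you have a secure SSL connection to your Razberry.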
And the last section
Example of settings to control the Razberry remotely from JavaScript
The config file should look like this to allow cross-origin requests:
Code:
location / {
    # Allow cross-origin requests from the page served at http://localhost:8000
    add_header Access-Control-Allow-Origin http://localhost:8000;
    add_header Access-Control-Allow-Methods GET,POST,OPTIONS;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass http://localhost:8083/;
    # Hide the upstream's own Access-Control-Allow-Origin header
    proxy_hide_header Access-Control-Allow-Origin;
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;
}
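The JavaScript example to request a sensor value via SSL and authentication:
Code:
// Read the level of one sensor through the nginx proxy (HTTPS on port 8085, Basic auth)
$.ajax({
    type: 'GET',
    url: 'https://superuser:password@192.168.10.98:8085/JS/Run/controller.devices.get("ZWayVDev_zway_2-1-48-1").get("metrics:level")',
    xhrFields: {
        withCredentials: true  // send credentials with this cross-origin request
    },
    data: {},
    crossDomain: true
}).done(function (data) {
    console.log("Data returned: " + data);
});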
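The request above sets withCredentials, and for such requests a browser only exposes the response if Access-Control-Allow-Origin names the exact origin and Access-Control-Allow-Credentials is 'true'; nginx's add_header also skips error responses such as 401 unless its 'always' parameter is given. As an added example (not part of the original post), this checker applies those rules to a response head such as 'curl -si' prints. The sample responses and the function name are constructed, and they assume the Z-Way upstream adds no CORS headers beyond the one the config hides.

```shell
#!/bin/sh
# Constructed response heads. PAGE_200/PAGE_401: what the config above would send,
# assuming the upstream adds no CORS headers of its own; nginx add_header
# without `always` is skipped on 401. FIXED_200: both required headers present.
PAGE_200='HTTP/1.1 200 OK
Access-Control-Allow-Origin: http://localhost:8000
Access-Control-Allow-Methods: GET,POST,OPTIONS'
PAGE_401='HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Restricted"'
FIXED_200='HTTP/1.1 200 OK
Access-Control-Allow-Origin: http://localhost:8000
Access-Control-Allow-Credentials: true'

# Read a response head on stdin; print whether a browser exposes it to a
# credentialed (withCredentials) request from origin $1.
cors_verdict() {
    origin="$1"; acao=""; acac=""; status=""
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')      # tolerate CRLF from curl -i
        case "$line" in
            HTTP/*) status=${line#* }; status=${status%% *} ;;
        esac
        name=$(printf '%s' "${line%%:*}" | tr 'A-Z' 'a-z')
        case "$name" in
            access-control-allow-origin)      acao=${line#*: } ;;
            access-control-allow-credentials) acac=${line#*: } ;;
        esac
    done
    if   [ -z "$acao" ];           then echo "blocked: status $status has no Access-Control-Allow-Origin"
    elif [ "$acao" = "*" ];        then echo "blocked: wildcard origin not allowed with credentials"
    elif [ "$acao" != "$origin" ]; then echo "blocked: origin mismatch ($acao)"
    elif [ "$acac" != "true" ];    then echo "blocked: Access-Control-Allow-Credentials is not true"
    else echo "allowed"
    fi
}

for sample in "$PAGE_200" "$PAGE_401" "$FIXED_200"; do
    printf '%s\n' "$sample" | cors_verdict http://localhost:8000
done
```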