How To SSL with nginx and version 2.1.1 or 2.2.0

islipfd19
Posts: 126
Joined: 07 Jul 2014 03:35

Post by islipfd19 »

There are probably quite a few of us out there that may not like the idea of using passwords in a site that isn't encrypted. This "How To:" will allow you to update.

First things first, you'll need to update a configuration file in the automation directory; my full path for that is '/opt/z-way-server/automation'. The file is named 'Webserver.js' and you want to replace the line

    ws = new WebServer(8083, function(req) {

with

    ws = new WebServer("127.0.0.1:8083", function(req) {

You will probably need to update this file in the future if you perform any updates to 2.1.1. All I did was comment out the original with two slashes and add the new one. I don't like modifying files without a way to revert back to the way they were. Once done, you'll need to restart z-way-server with

    sudo z-way-server restart

At this point, you should no longer be able to access the z-way smarthome web page, or the expert page for that matter.

The next steps will instruct you to install nginx. I got these from a couple of different web sites and was able to "monkey" around with the configuration file to get it to work as it didn't at first.

    sudo apt-get update
    sudo apt-get install nginx

Next, create your certificate. I didn't perform this step as I already had one created. The steps should work without an issue.

    cd /etc/nginx
    sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/cert.key -out /etc/nginx/cert.crt

Now we are going to edit the default configuration file for nginx. It's located at '/etc/nginx/sites-enabled/default'.

    sudo nano /etc/nginx/sites-enabled/default

Add this server directive; I placed it above the one that's there by default.

    server {
        listen 80;
        return 301 https://$host:8085$request_uri;
    }

And finally, update the default server directive; remember to update the cert names and your server name.

    server {
            #listen   80; ## listen for ipv4; this line is default and implied
            #listen   [::]:80 default_server ipv6only=on; ## listen for ipv6

            listen 8085 ssl;    # "ssl on;" was the pre-1.15 spelling of this; current nginx rejects it
            server_name SERVERNAME;

            ssl_certificate         /etc/nginx/CERT.crt;
            ssl_certificate_key     /etc/nginx/CERT.key;

            ssl_session_cache  builtin:1000  shared:SSL:10m;
            ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;   # TLSv1 and TLSv1.1 are deprecated; keep them only if an old client needs them
            ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
            ssl_prefer_server_ciphers on;

            access_log            /var/log/nginx/z-way-server.access.log;

            root /var/www;
            index index.cgi;

            # Make site accessible from http://localhost/
            location / {
                    proxy_set_header        Host $host;
                    proxy_set_header        X-Real-IP $remote_addr;
                    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
                    proxy_set_header        X-Forwarded-Proto $scheme;

                    # Fix the "It appears that your reverse proxy set up is broken" error.
                    proxy_pass          http://localhost:8083;   # the loopback-only listener set in Webserver.js
                    proxy_hide_header   Access-Control-Allow-Origin;
                    proxy_read_timeout  90;
                    proxy_redirect      http:// https://;
            }
    }   # closing brace for the server block (missing in the original paste)

Now you should be able to connect to the Smarthome UI using https and with port 8085 instead of 8083.
Last edited by islipfd19 on 22 Dec 2015 03:43, edited 1 time in total.
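Two checks worth running after following the steps above, as an added example (this is not code from the post or from the Z-Way project): that port 8083 is now bound to loopback only, so nginx is the only way in, and that plain HTTP on port 80 really answers with a 301 to an https:// URL. The listener table and the response headers embedded below are constructed samples in the format printed by `ss -ltn` and `curl -sI`, so the functions can be exercised without a live box; the hostname in them is a placeholder.

```shell
#!/bin/sh
# Added example, not from the forum post. Post-setup checks for the
# nginx-in-front-of-z-way-server layout. SAMPLE_* values are CONSTRUCTED
# stand-ins for `ss -ltn` and `curl -sI http://HOST/` output.

# Return 0 if every listener on port $1 is bound to a loopback address,
# i.e. the Webserver.js change to "127.0.0.1:8083" took effect.
# $2 is text in `ss -ltn` format: State Recv-Q Send-Q Local:Port Peer:Port
loopback_only() {
    port=$1
    printf '%s\n' "$2" | awk -v port="$port" '
        {
            la = $4
            n = split(la, parts, ":")      # port is the last ":"-separated field
            p = parts[n]
            if (p != port) next
            addr = substr(la, 1, length(la) - length(p) - 1)
            if (addr != "127.0.0.1" && addr != "[::1]") bad = 1
            seen = 1
        }
        END { if (seen && !bad) exit 0; exit 1 }'
}

# Return 0 if response headers in $1 are a 301 whose Location is https://,
# which is what the `return 301 https://...` server block should produce.
redirect_is_https() {
    printf '%s\n' "$1" | awk '
        NR == 1 && $2 == "301" { code = 1 }
        tolower($1) == "location:" && $2 ~ /^https:\/\// { loc = 1 }
        END { if (code && loc) exit 0; exit 1 }'
}

# CONSTRUCTED sample: the expected state after the how-to (header line included
# on purpose, since `ss -ltn` prints one and the parser must skip it).
SAMPLE_LISTENERS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:8083     0.0.0.0:*
LISTEN 0      128    0.0.0.0:8085       0.0.0.0:*
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*'

# CONSTRUCTED sample: Webserver.js was not changed, 8083 is reachable from the LAN.
BAD_LISTENERS='LISTEN 0      128    0.0.0.0:8083       0.0.0.0:*'

# CONSTRUCTED sample of `curl -sI http://zway.example.lan/`.
SAMPLE_REDIRECT='HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://zway.example.lan:8085/
Content-Length: 0'

if loopback_only 8083 "$SAMPLE_LISTENERS"; then
    echo "sample: 8083 is loopback-only, nginx is the only way in"
fi
if ! loopback_only 8083 "$BAD_LISTENERS"; then
    echo "sample: 8083 is still reachable off-loopback, re-check Webserver.js"
fi
if redirect_is_https "$SAMPLE_REDIRECT"; then
    echo "sample: port 80 redirects to https"
fi
```

On the real box, feed the functions live output instead of the samples: `loopback_only 8083 "$(ss -ltn)"` and `redirect_is_https "$(curl -sI http://YOUR-HOST/)"`, after `sudo nginx -t` has confirmed the config parses.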
PoltoS
Posts: 7565
Joined: 26 Jan 2011 19:36

Re: How To SSL with nginx and version 2.1.1

Post by PoltoS »

And are you ok to use self-signed certificates that most mobile phones and browsers never accept? Doing SSL in Z-Way is not a problem, but it is impossible to get a CA-signed cert for a local IP. So, having encryption with the possibility of a man-in-the-middle attack is still not a good solution (I would say it is more a fake security).

Of course if you and only you will use it, why not, but in that case it is better to have well encrypted WiFi.

Remote access through https://find.z-wave.me is encrypted with a cert signed by a well-known CA, so it is secure (HTTPS encrypts on the way to find.z-wave.me, SSH encrypts on the way from find.z-wave.me to your box).
islipfd19
Posts: 126
Joined: 07 Jul 2014 03:35

Re: How To SSL with nginx and version 2.1.1

Post by islipfd19 »

My certs are self signed and imported into each of my devices/computers. It's one of those "things" that if it can be done I'd like to try and attempt it.

I don't know how many companies use zwave, but if it's one that's concerned about securing their network, they would probably want to know a way to do it.
PoltoS
Posts: 7565
Joined: 26 Jan 2011 19:36

Re: How To SSL with nginx and version 2.1.1

Post by PoltoS »

Do you also have SSL to your WiFi router admin panel? ;) Hope you understand that having wired access to it is a security hole
jonarmani
Posts: 2
Joined: 16 Sep 2015 01:03

Re: How To SSL with nginx and version 2.1.1

Post by jonarmani »

Proper network security involves defense in depth, meaning securing your WiFi access with proper encryption alone is not sufficient. Imagine how much malware that you don't know about infests computers, tablets, and phones that connect to your WiFi, including the equipment friends bring over. I certainly don't trust that. Anything that gets a hold onto one of these devices can sniff the air or wire for plain-text transactions or MitM connections to the gateway.

Sure, you can't purchase an SSL cert for an internal IP. But the cryptographic protections of PKI can cover certs handed out by a local certificate authority that you trust. This can be done on a CentOS or Windows PC using software like EJBCA.
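The local-CA approach described in this reply, carried through with the openssl command line as an added example (not code from any post in the thread, and not EJBCA): a throwaway private CA signs one server certificate whose Subject Alternative Name carries both a LAN hostname and the box's IP address, which is what lets a client validate a certificate for a "local IP". Each phone or laptop then imports the single CA certificate rather than trusting a bare self-signed cert. It also replaces the one-line `openssl req -x509` step in the original how-to. The hostname zway.home.lan and the address 192.168.1.50 are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the forum thread. A small private CA that issues
# the certificate nginx serves in front of z-way-server. Needs the openssl
# command-line tool. zway.home.lan / 192.168.1.50 are CONSTRUCTED placeholders.

WORKDIR=${WORKDIR:-$(mktemp -d)}
CA_KEY=$WORKDIR/home-ca.key     # trust anchor: keep offline, never on the gateway
CA_CRT=$WORKDIR/home-ca.crt     # the one file to import on phones and laptops
SRV_KEY=$WORKDIR/zway.key       # goes into nginx ssl_certificate_key
SRV_CRT=$WORKDIR/zway.crt       # goes into nginx ssl_certificate

# CA certificate: self-signed, explicitly marked CA:TRUE with keyCertSign so
# `openssl verify` accepts it as an issuer regardless of the local openssl.cnf.
make_ca() {
    openssl req -nodes -newkey rsa:2048 -sha256 -subj "/CN=Home Automation CA" \
        -keyout "$CA_KEY" -out "$WORKDIR/home-ca.csr" 2>/dev/null || return 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORKDIR/home-ca.ext"
    openssl x509 -req -in "$WORKDIR/home-ca.csr" -signkey "$CA_KEY" -sha256 \
        -days 1825 -extfile "$WORKDIR/home-ca.ext" -out "$CA_CRT" 2>/dev/null
}

# Leaf certificate for the gateway. Browsers match the Subject Alternative
# Name, not the CN, so the DNS name and the LAN IP both go into SAN.
make_server_cert() {
    host=$1
    ip=$2
    openssl req -nodes -newkey rsa:2048 -sha256 -subj "/CN=$host" \
        -keyout "$SRV_KEY" -out "$WORKDIR/zway.csr" 2>/dev/null || return 1
    # Extensions are supplied at signing time: `openssl x509 -req` does not
    # copy them from the CSR.
    printf 'subjectAltName=DNS:%s,IP:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
        "$host" "$ip" > "$WORKDIR/zway.ext"
    openssl x509 -req -in "$WORKDIR/zway.csr" -CA "$CA_CRT" -CAkey "$CA_KEY" \
        -CAcreateserial -sha256 -days 825 -extfile "$WORKDIR/zway.ext" \
        -out "$SRV_CRT" 2>/dev/null
}

# Return 0 if the leaf chains to the CA and its SAN names host $1 and IP $2,
# i.e. what a client that trusts home-ca.crt will check when it connects.
verify_chain() {
    openssl verify -CAfile "$CA_CRT" "$SRV_CRT" >/dev/null 2>&1 || return 1
    text=$(openssl x509 -in "$SRV_CRT" -noout -text 2>/dev/null)
    printf '%s\n' "$text" | grep -Fq "DNS:$1" || return 1
    printf '%s\n' "$text" | grep -Fq "IP Address:$2"
}

if make_ca && make_server_cert zway.home.lan 192.168.1.50 \
   && verify_chain zway.home.lan 192.168.1.50; then
    echo "import on clients:      $CA_CRT"
    echo "ssl_certificate         $SRV_CRT;"
    echo "ssl_certificate_key     $SRV_KEY;"
else
    echo "certificate setup failed" >&2
fi
```

Point the `ssl_certificate` and `ssl_certificate_key` directives of the nginx server block at zway.crt and zway.key, and import only home-ca.crt on the client devices; the CA key never needs to be on the gateway. When the cert expires, re-run `make_server_cert` with the same CA and the clients need no change.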
rabing
Posts: 31
Joined: 08 Mar 2013 03:00

Re: How To SSL with nginx and version 2.1.1

Post by rabing »

Of course you can buy a cert for an internal IP. You buy the cert for a DNS name, which resolves to whatever IP you like (if you own the nameservers).