Trick #3: HTTPS with OSPI and Raspberry Pi


Viewing 4 posts - 1 through 4 (of 4 total)
  • #23346
    Admin
    Keymaster

    In order to access the OSPi with HTTPS encrypted data, you need an HTTPS proxy that encrypts the connection.

    One way to do this is with Nginx.

    1. Install Nginx:

    sudo apt-get update
    sudo apt-get install nginx

    2. Create SSL certificate:

    cd /etc/nginx
    sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/nginx/cert.key -out /etc/nginx/cert.crt

    3. Edit configuration:

    sudo nano /etc/nginx/sites-enabled/default

    Delete all lines and use this configuration. You may need to replace the two occurrences of “raspi” with the name of your Raspberry Pi.

    # Redirect all plain-HTTP requests to HTTPS.
    server {
        listen 80;
        return 301 https://$host$request_uri;
    }

    server {
        # "listen 443 ssl" replaces the deprecated "ssl on;" directive.
        listen 443 ssl;
        server_name raspi;

        ssl_certificate /etc/nginx/cert.crt;
        ssl_certificate_key /etc/nginx/cert.key;

        ssl_session_cache builtin:1000 shared:SSL:10m;
        # TLSv1 and TLSv1.1 are deprecated; allow only TLS 1.2 and 1.3.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
        ssl_prefer_server_ciphers on;

        # access_log /var/log/nginx/access.log;

        location / {
            # Pass the original host, client address and scheme to the backend.
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;

            # Fix the “It appears that your reverse proxy set up is broken” error.
            proxy_pass http://localhost:8080;
            proxy_read_timeout 90;

            # Rewrite backend redirects so they point at the HTTPS name.
            proxy_redirect http://localhost:8080 https://raspi;
        }
    }

    4. Enable Nginx and restart:

    sudo systemctl enable nginx

    sudo service nginx restart

    5. Done.

    You can now access it via browser. It redirects http requests to https, or you can access it directly via http.

    The original instructions come from here and have been adapted:

    https://www.digitalocean.com/community/tutorials/how-to-configure-nginx-with-ssl-as-a-reverse-proxy-for-jenkins

    Don't forget to change the port forwarding on your router to Raspi port 443 (e.g. change the previous 3000 to raspi/80 into 3000 to raspi/443). In the OpenSprinkler app you then connect with the “SSL” option.

    #23347
    Admin
    Keymaster

    Unfortunately, this is not possible with OpenSprinkler 3 because there is no SSL client available for the system. However, you can use an (additional) Linux machine or Raspberry Pi to redirect the encryption to the OpenSprinkler 3. Just replace, in the two “http://localhost:8080” entries, “localhost” with the IP address of the OpenSprinkler and “8080” with “80”.

     

    #23933
    nightingale
    Participant

    Great tip, that's what I was looking for anyway. Thanks. I also wanted DynDNS and letsencrypt, but I'll figure out whether and how that works. Ultimately, this has more to do with Raspberry than with OpenSprinkler...

    #24088
    Admin
    Keymaster

    Yes, the SSL certificate is such a thing. The application doesn't work without a valid certificate; it only works in the web browser and then only if you confirm the certificate warning.

    However, there is still the option of exporting the certificate and installing it on the smartphone. The domain name must match the certificate's Common Name.

    So if, for example, you named your dyndns domain sprinkler.dyndns.bla, then the common name must be exactly that. And that's exactly how you have to use it in the app.
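
The name-matching requirement from the last post, as an added example that is not part of the thread: it issues a self-signed certificate for the DynDNS name and checks that the name matches before the files go anywhere near `/etc/nginx`. The function names and the scratch directory are assumptions for illustration; it needs OpenSSL 1.1.1 or newer for `-addext`, and it writes the name into `subjectAltName` as well as the Common Name because many current TLS clients match on the former.

```bash
#!/bin/sh
# Added example, not from the thread. Assumes OpenSSL 1.1.1+ (for -addext).
set -eu

# make_cert HOST DIR: write a self-signed DIR/cert.key and DIR/cert.crt for HOST.
# HOST is placed in both the Common Name and the subjectAltName extension.
make_cert() {
    mc_host=$1; mc_dir=$2
    openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
        -subj "/CN=$mc_host" -addext "subjectAltName=DNS:$mc_host" \
        -keyout "$mc_dir/cert.key" -out "$mc_dir/cert.crt"
    chmod 600 "$mc_dir/cert.key"    # private key readable by its owner only
}

# cert_matches CRT HOST: succeed only if the certificate is valid for HOST.
# openssl prints "does match" or "does NOT match"; grep decides the result.
cert_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 | grep -q 'does match'
}

# key_matches_cert CRT KEY: succeed only if KEY is the private key of CRT
# (nginx refuses to start when the two do not belong together).
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Demo in a scratch directory, using the example domain from the thread.
demo() {
    demo_dir=$(mktemp -d)
    make_cert sprinkler.dyndns.bla "$demo_dir"
    for demo_name in sprinkler.dyndns.bla raspi; do
        if cert_matches "$demo_dir/cert.crt" "$demo_name"; then
            echo "$demo_name: certificate matches"
        else
            echo "$demo_name: MISMATCH, clients using this name will reject it"
        fi
    done
    key_matches_cert "$demo_dir/cert.crt" "$demo_dir/cert.key" && echo "key belongs to certificate"
    rm -rf "$demo_dir"
}
demo
```

The same `cert_matches` check can be pointed at an existing `/etc/nginx/cert.crt` to see whether it was issued for the name entered in the app.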

     
