Secure nginx proxy setup – domoticz

The goal is to use a hardened Nginx proxy to provide secure remote access to your Domoticz instance. Nginx is used by many of the biggest sites on the internet and many people believe it's a better candidate for exposing directly to the internet than the included webserver.

• Ability to proxy other services in parallel: this lets you share one certificate, IP address and port for more than one web service, 1 to many (sort of like virtual hosting for SSL/TLS).

With a proper x509 configuration, a firewall, and SSH keys required for access, your Domoticz server will not be susceptible to brute force attacks. This method is considered one of the most secure ways of remotely accessing your Domoticz server: only authorized clients in possession of a certificate you signed are ever exposed to the Domoticz process.

This document outlines setting up and configuring an nginx proxy of varying degrees of security. It would be wise to get normal HTTPS working before enabling and using x509 client certs.

• Client Authentication (x509 Auth) – Both the client and server have cryptographic certificates that they use to validate each other for trust.

Nginx (pronounced engine-x) is a free, open-source, high-performance HTTP server and reverse proxy, as well as an IMAP/POP3 proxy server. Compared to Apache it is small and uses a lot less memory.

Haveged is a Linux entropy source using the HAVEGE algorithm; it helps speed up the random number generator during key generation and helps the system generate entropy on servers without the normal entropy sources (keyboard/mouse).

OPTIONAL: a simple firewall, if you wish to lock down your Domoticz server so that even local network access requires going through the proxy… this may be a good precaution against poor wifi security.

The first step is to create the SSL certificates that will be used to encrypt the HTTPS traffic. You can also buy an official SSL certificate that will be recognised by the browser and does not give you a warning. In most instances you have access to each client device accessing your Domoticz server, so you can simply install your own Certificate Authority on these devices and they will be displayed correctly by browsers without throwing a security warning.

This guide gives you two options to create and manage your certs: XCA, a graphical interface to OpenSSL, or the basic OpenSSL CLI. Choose one and safely ignore the other.

Click on the Type under x509v3 Basic Constraints and choose Certification Authority, and set your expiration out about 10 years so you don't get locked out. Then press OK.

For the OpenSSL CLI, extract your ca.crt file from your Linux server, leaving the keys behind. This is a public cert and can be transmitted insecurely.

Copy the CA cert to all your devices (desktops, laptops, mobiles) and install it; on most operating systems you simply double click on it and import it into your CA store as “Trusted”. Mobile devices are a little harder and you may consider getting your cert signed by a 3rd party authority.

Next, we need to create another key. This will be used to generate an SSL certificate for use on the server. Make sure that the certificate contains the URL it’s going to be used at (for example domoticz.com).

Create a certificate much the same way you created your CA above, except on the Source window make sure you select your CA, pay special attention that your commonName is valid, and finally on the extensions pane set your x509v3 Basic Constraint Type: not defined.

Select x509v3 Subject Alternative Name, press Edit and then Add any IP addresses and hostnames, both long and short, that you wish to access Domoticz from (i.e. internal DNS).

Now let's save the certs on your Linux box: go to the “Certificates” tab in XCA’s main display, select your server cert, then right click and export to clipboard. Return to the console on your server:

If the task fails, the text in the server.key file is probably formatted wrong. Please verify that the last line contains only the closing statement, like “-----END RSA PRIVATE KEY-----”.
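The OpenSSL CLI route for the steps above, as an added example that is not part of the original page: it builds the private CA, issues a server certificate signed by it that carries Subject Alternative Names (the CLI equivalent of the XCA extensions pane), and checks the PEM files the way the troubleshooting hint describes. The hostnames domoticz.example.com and domoticz and the address 192.0.2.10 are assumed placeholders; replace them with your own.

```shell
#!/bin/sh
# Added example (not from the original page): private CA + server cert
# with SANs using the OpenSSL CLI, then sanity checks on the results.
# Assumed names: domoticz.example.com, short name "domoticz", LAN IP
# 192.0.2.10 -- all placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certs

# Private CA: key and self-signed certificate. The page suggests a long
# lifetime (~10 years) so the CA does not expire underneath you.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Domoticz Private CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Server certificate: key + CSR, then signed by the CA with an extension
# file that marks it as an end-entity cert (CA:FALSE) and lists every
# name and address you will use to reach Domoticz.
make_server_cert() {
    cat > "$WORK/server.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:domoticz.example.com, DNS:domoticz, IP:192.0.2.10
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=domoticz.example.com" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" -sha256 -days 825 \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
}

# Does server.crt chain to ca.crt? This is what a browser that trusts
# your CA will check.
verify_chain() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# Is a given SAN entry (e.g. "DNS:domoticz" or "IP Address:192.0.2.10",
# as printed by openssl x509 -text) present in the issued certificate?
has_san() {
    openssl x509 -in "$WORK/server.crt" -noout -text | grep -q "$1"
}

# The page's troubleshooting hint: a PEM key pasted by hand must end with
# its closing marker on the last line and nothing after it.
key_file_ok() {
    tail -n 1 "$1" | grep -q '^-----END .*PRIVATE KEY-----$'
}

make_ca
make_server_cert
verify_chain && echo "server.crt chains to ca.crt"
has_san "DNS:domoticz" && echo "short-name SAN present"
key_file_ok "$WORK/server.key" && echo "server.key ends with its PEM footer"
echo "files written to $WORK"
```

Copy ca.crt to the client devices and server.crt plus server.key to the nginx host; ca.key stays on the machine that signs certificates.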

Domoticz should now be available on https://my_domain_name.com:port. To access Domoticz from the outside you have to set up port forwarding for tcp/80 and tcp/443 to your Domoticz server.

Now Nginx will listen on both http (80) and https (443) and force all connections to be secure (443). This behaviour is best so you can just type your address in the bar without worrying about the prefix.

If you don’t want to read the warnings about the SSL certificate, and are unable or unwilling to install your own Certificate Authority on your devices, you can get a certificate signed by an already trusted authority. There are many paid vendors that can churn out a 3-year cert for under $20USD within 10 minutes, or you can get a free one from StartSSL if you're patient.

Recommended: you can set up client-side x509 authentication; this way Domoticz will only be available if a trusted x509 TLS certificate that YOU signed is installed on the client. Without this certificate Nginx will refuse to proxy any requests to Domoticz.

x509 client authentication will work fine with a server certificate signed by a 3rd party CA; the CA you made above will still be used to sign client certs and grant them access.

TIP: Create individual certificates for each client device that will access your Domoticz server. If the device becomes lost or stolen you can simply revoke that device’s certificate.

Follow the same steps you did to create your server certificate, this time using the HTTPS_Client template; you can omit the SubjectAltNames. Don't forget to match your CN to your username in Domoticz.

SECURELY copy the resulting file to the client and import it into the device's keystore. Use a secure connection such as USB or SFTP to transfer the file; never email it to yourself.

Clients connecting to the webserver without a valid SSL certificate will get a standard error or be redirected to your custom error page; clients with a valid certificate will be tunneled directly to your Domoticz process.

Go to Setup -> Settings -> Website Protection and input the commonName of your client cert into the Username field provided, and in the Password field put the emailAddress from your certificate, exactly the same way they appear in your client certs.

Set Authentication to Basic-Auth and Apply Settings; you should now be able to add more users via Setup -> More Options -> Edit Users using the same method: commonName = username, emailAddress = password.

User permissions will now work and the username will be extracted from the certificate you provide; no password prompt will appear. However, please note that if a matching commonName/emailAddress is not found in the username/password database an Offline error message will appear.
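The client-certificate side of the procedure above (one certificate per device, CN = Domoticz username, emailAddress = Domoticz password, transfer to the device, and the nginx server block that refuses anything your CA did not sign), as an added example that is not code from the original page or from the Domoticz project. It assumes a user "alice" with e-mail alice@example.com, the host domoticz.example.com, Domoticz listening on 127.0.0.1:8080 and certificates stored under /etc/nginx/ssl; the X-Client-DN header name is a placeholder, since this page does not say which header Domoticz reads the certificate subject from.

```shell
#!/bin/sh
# Added example (not from the original page or Domoticz): issue a client
# certificate from your own CA, show the subject fields Domoticz matches,
# bundle it for the device, and write the nginx block enforcing it.
# Assumed values: user alice / alice@example.com, domoticz.example.com,
# Domoticz on 127.0.0.1:8080, /etc/nginx/ssl, placeholder header X-Client-DN.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Same private CA as for the server certificate (repeated so this file
# runs on its own; in practice reuse the ca.key/ca.crt you already have).
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Domoticz Private CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# One certificate per device. CN is the Domoticz username, emailAddress
# is what you enter as that user's password in Website Protection.
issue_client_cert() {   # $1 = username (CN), $2 = emailAddress, $3 = output basename
    printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = clientAuth\n' > "$WORK/client.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$1/emailAddress=$2" \
        -keyout "$WORK/$3.key" -out "$WORK/$3.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$3.csr" -sha256 -days 730 \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/client.ext" -out "$WORK/$3.crt" 2>/dev/null
    # PKCS#12 bundle (key + cert + CA) for the device keystore. Move it by
    # USB or SFTP; the password is only a wrapper for the transfer.
    openssl pkcs12 -export -in "$WORK/$3.crt" -inkey "$WORK/$3.key" \
        -certfile "$WORK/ca.crt" -passout pass:transfer-only -out "$WORK/$3.p12"
}

# Print one subject field exactly as it must be typed into Domoticz.
cert_field() {   # $1 = cert file, $2 = commonName | emailAddress
    openssl x509 -in "$1" -noout -subject -nameopt multiline \
        | sed -n "s/^ *$2 *= *//p"
}

# What nginx's ssl_verify_client enforces: the presented certificate must
# chain to ca.crt, otherwise the request never reaches Domoticz.
accepted_by_proxy() {
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

write_nginx_conf() {
    cat > "$WORK/domoticz.conf" <<'EOF'
server {                       # plain HTTP: only redirect to HTTPS
    listen 80;
    server_name domoticz.example.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name domoticz.example.com;
    ssl_certificate        /etc/nginx/ssl/server.crt;
    ssl_certificate_key    /etc/nginx/ssl/server.key;
    ssl_client_certificate /etc/nginx/ssl/ca.crt;   # CA that signed the client certs
    ssl_verify_client      on;                      # no valid client cert -> HTTP 400
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Client-DN $ssl_client_s_dn;   # placeholder header name
    }
}
EOF
}

issue_client_cert alice alice@example.com alice
write_nginx_conf
# Negative case: a self-signed cert with the same CN but from another key.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=alice" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null

echo "username : $(cert_field "$WORK/alice.crt" commonName)"
echo "password : $(cert_field "$WORK/alice.crt" emailAddress)"
accepted_by_proxy "$WORK/alice.crt" && echo "alice.crt: accepted"
accepted_by_proxy "$WORK/rogue.crt" || echo "rogue.crt: refused (not signed by our CA)"
```

The negative case is the point of the whole scheme: matching the CN alone is worthless, only a signature from your CA gets a client past nginx. Revoking a lost device means removing its certificate from what the CA will accept (a CRL or a re-issued CA), not just deleting the Domoticz user.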

You can still issue external json requests using Basic-Auth when directly calling the native http/https server, for example http://username: [email protected]:8080/json.html?

If you use a firewall to lock down your system and still need to run JSON calls from remote machines, you can tunnel your requests over SSH to the loopback device, allowing easy scripting with client TLS support.

If you wish to force all access to Domoticz through your proxy, even on your LAN, you should install a local firewall and block access to all but your newly hardened services. If you're using x509 auth this is suggested to help prevent local attacks bypassing your security (i.e. accessing Domoticz via http on port 8080).
