Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
How to enable HTTPS
#1
Hi all,
I'm interested in enabling https protocol for web interface.
How can I do that?.

Thanks to all.
Reply
#2
There are a couple of ways to do it.

See the SIP wiki topic about Reverse proxy:
https://github.com/Dan-in-CA/SIP/wiki/Reverse-proxy

You might also look at the web.py docs:
http://webpy.org/cookbook/ssl

See the section under web.py 0.37

SIP will be moving to web.py 0.4 in order to be Python 3 compatible. Then you can use the instructions for that version of web.py.

If you want to access SIP remotely another option is to install PiVPN:
http://www.pivpn.io/

That will give you secure access from anywhere in the world where there is an internet connection.
Reply
#3
If you running SIP on a Pi then I would vote against using Apache2 as a reverse proxy since it is somewhat massive for the Pi.
Nginx is more lightweight.

You could also look at HAProxy which is really good as a revproxy and do ssl offloading (my preferred option :-) )

--Gerard

**edit** If someone is interested I can post my haproxy config
Reply
#4
For those who are interested (if any) in protecting SIP with HAproxy here is my config. I also have made my own node-red dashboard to control SIP from a simple interface. That's why you see the /ui redirect.

Code:
global
       log /dev/log    local0
       log /dev/log    local1 notice
       chroot /var/lib/haproxy
       stats socket /run/haproxy/admin.sock mode 660 level admin
       stats timeout 30s
       user haproxy
       group haproxy
       daemon

       # Default SSL material locations
       ca-base /etc/ssl/certs
       crt-base /etc/ssl/letsencrypt

       # Default ciphers to use on SSL-enabled listening sockets.
       # For more information, see ciphers(1SSL). This list is from:
       #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
       ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
       ssl-default-bind-options no-sslv3

defaults
       log     global
       mode    http
       option  httplog
       option  dontlognull
       timeout connect 5000
       timeout client  50000
       timeout server  50000
       errorfile 400 /etc/haproxy/errors/400.http
       errorfile 403 /etc/haproxy/errors/403.http
       errorfile 408 /etc/haproxy/errors/408.http
       errorfile 500 /etc/haproxy/errors/500.http
       errorfile 502 /etc/haproxy/errors/502.http
       errorfile 503 /etc/haproxy/errors/503.http
       errorfile 504 /etc/haproxy/errors/504.http

frontend public
       bind :::80 v4v6
       bind :::443 v4v6 ssl crt /etc/ssl/letsencrypt/mycert.pem
       option forwardfor except 127.0.0.1
       redirect scheme https code 301 if !{ ssl_fc }
       use_backend nodered if { path_beg /ui }
       default_backend sip

backend sip
       acl needs_scheme req.hdr_cnt(X-Scheme) eq 0

       reqrep ^([^\ :]*)\ /(.*) \1\ /\2
       reqadd X-Scheme:\ https if needs_scheme { ssl_fc }
       reqadd X-Scheme:\ http if needs_scheme !{ ssl_fc }
       option forwardfor
       server sip1 127.0.0.1:5000
       errorfile 503 /etc/haproxy/errors/503-no-sip.http

backend nodered
       #reqrep ^([^\ :]*)\ /nodered/(.*)     \1\ /\2
       server nodered1  127.0.0.1:1880
       errorfile 503 /etc/haproxy/errors/503-no-nodered.http
Reply
#5
Thank you Gerard.

As always your input is very useful.
Reply
#6
Thank you guys... ill try it
Reply
#7
I use the traefik reverse proxy dock which is a lot simpler. Just a few codes in the traefik rules.

[backends]
  [backends.backend-sip]
    [backends.backend-sip.servers.server]
       url = "http://192.168.x.xxx"



[frontends]
  [frontends.frontend-sip]
      backend = "backend-sip"
      passHostHeader = true
      [frontends.frontend-sip.routes.opensprinkler]
          rule = "HostConfusedip.domain.com"
Reply
#8
The question was about https/ssl. I don't see any lines on that in your config.
Reply
#9
(2019 May 08, 08:07 PM)astrogerard Wrote: The question was about https/ssl. I don't see any lines on that in your config.
Here are more code lines in my traefik.toml. Once you have traefik setup, you can forward any LAN ip to domain, I got all free DNS domain from duckdns.
https://www.smarthomebeginner.com/traefi...or-docker/


# WEB interface of Traefik - it will show web page with overview of frontend and backend configurations 
[api]
  entryPoint = "traefik"
  dashboard = true
  address = ":8080"

# Force HTTPS
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
Reply
#10
Thanks for mentioning traefik but to be honest I totally disagree with the writer of the article you mention, HAProxy is in my opinion way easier to usefully add to SIP than a dockerized traefik. For a newbie just adding haproxy to the pi with my config always works even with the limited resources on the pi.

btw, I love docker, podman and other containers but for a newbie to start with SIP? ..... not yet :-)
Reply


Forum Jump:


Users browsing this thread: 3 Guest(s)