How to enable HTTPS
#1
Hi all,
I'm interested in enabling https protocol for web interface.
How can I do that?

Thanks to all.
Reply
#2
There are a couple of ways to do it.

See the SIP wiki topic about Reverse proxy:
https://github.com/Dan-in-CA/SIP/wiki/Reverse-proxy

You might also look at the web.py docs:
http://webpy.org/cookbook/ssl

See the section under web.py 0.37

SIP will be moving to web.py 0.4 in order to be Python 3 compatible. Then you can use the instructions for that version of web.py.

If you want to access SIP remotely another option is to install PiVPN:
http://www.pivpn.io/

That will give you secure access from anywhere in the world where there is an internet connection.
Reply
#3
If you are running SIP on a Pi then I would vote against using Apache2 as a reverse proxy since it is somewhat massive for the Pi.
Nginx is more lightweight.

You could also look at HAProxy which is really good as a revproxy and does ssl offloading (my preferred option :-) )

--Gerard

**edit** If someone is interested I can post my haproxy config
Reply
#4
For those who are interested (if any) in protecting SIP with HAproxy here is my config. I also have made my own node-red dashboard to control SIP from a simple interface. That's why you see the /ui redirect.

Code:
global
       log /dev/log    local0
       log /dev/log    local1 notice
       chroot /var/lib/haproxy
       stats socket /run/haproxy/admin.sock mode 660 level admin
       stats timeout 30s
       user haproxy
       group haproxy
       daemon

       # Default SSL material locations
       ca-base /etc/ssl/certs
       crt-base /etc/ssl/letsencrypt

       # Default ciphers to use on SSL-enabled listening sockets.
       # For more information, see ciphers(1SSL). This list is from:
       #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
       ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
       ssl-default-bind-options no-sslv3

defaults
       log     global
       mode    http
       option  httplog
       option  dontlognull
       timeout connect 5000
       timeout client  50000
       timeout server  50000
       errorfile 400 /etc/haproxy/errors/400.http
       errorfile 403 /etc/haproxy/errors/403.http
       errorfile 408 /etc/haproxy/errors/408.http
       errorfile 500 /etc/haproxy/errors/500.http
       errorfile 502 /etc/haproxy/errors/502.http
       errorfile 503 /etc/haproxy/errors/503.http
       errorfile 504 /etc/haproxy/errors/504.http

frontend public
       bind :::80 v4v6
       bind :::443 v4v6 ssl crt /etc/ssl/letsencrypt/mycert.pem
       option forwardfor except 127.0.0.1
       redirect scheme https code 301 if !{ ssl_fc }
       use_backend nodered if { path_beg /ui }
       default_backend sip

backend sip
       acl needs_scheme req.hdr_cnt(X-Scheme) eq 0

       reqrep ^([^\ :]*)\ /(.*) \1\ /\2
       reqadd X-Scheme:\ https if needs_scheme { ssl_fc }
       reqadd X-Scheme:\ http if needs_scheme !{ ssl_fc }
       option forwardfor
       server sip1 127.0.0.1:5000
       errorfile 503 /etc/haproxy/errors/503-no-sip.http

backend nodered
       #reqrep ^([^\ :]*)\ /nodered/(.*)     \1\ /\2
       server nodered1  127.0.0.1:1880
       errorfile 503 /etc/haproxy/errors/503-no-nodered.http
Reply
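A small lint for the HTTPS points raised in this thread (TLS terminated on a bind, plaintext traffic redirected to https, SSLv3 disabled), run against a trimmed copy of Gerard's config. This is an added example, not code from any post or from SIP; the sample config text, the function names and the finding strings are constructed here.

```python
import re

# Constructed sample: the HTTPS-relevant lines of the HAProxy config posted
# above, trimmed to what the checks below look at.
SAMPLE_CFG = """\
global
       ssl-default-bind-options no-sslv3
frontend public
       bind :::80 v4v6
       bind :::443 v4v6 ssl crt /etc/ssl/letsencrypt/mycert.pem
       redirect scheme https code 301 if !{ ssl_fc }
       default_backend sip
"""
SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)")
REDIRECT_RE = re.compile(r"^redirect scheme https\b.*\bif\s+!\{\s*ssl_fc\s*\}")

def parse_sections(text):
    """Split an HAProxy config into {section header: [directive lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = " ".join(p for p in m.groups() if p)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections

def check_https(text):
    """Return a list of findings; an empty list means every check passed."""
    sections, findings = parse_sections(text), []
    opts = [ln for ln in sections.get("global", []) if ln.startswith("ssl-default-bind-options")]
    if not any("no-sslv3" in ln or "ssl-min-ver" in ln for ln in opts):
        findings.append("global: ssl-default-bind-options does not disable SSLv3")
    for name, lines in sections.items():
        if not name.startswith("frontend"):
            continue
        binds = [ln for ln in lines if ln.startswith("bind ")]
        tls = [b for b in binds if " ssl " in b and " crt " in b]
        if not tls:  # nothing terminates TLS in this frontend (the objection raised later in the thread)
            findings.append(f"{name}: no 'bind ... ssl crt' line, HTTPS is not terminated here")
        if len(tls) < len(binds) and not any(REDIRECT_RE.match(ln) for ln in lines):
            findings.append(f"{name}: plaintext bind without 'redirect scheme https if !{{ ssl_fc }}'")
    return findings
```

Run `check_https(open("/etc/haproxy/haproxy.cfg").read())` on a real file; an empty list means the three checks passed.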
#5
Thank you Gerard.

As always your input is very useful.
Reply
#6
Thank you guys... I'll try it
Reply
#7
I use the traefik reverse proxy dock which is a lot simpler. Just a few lines of code in the traefik rules.

[backends]
  [backends.backend-sip]
    [backends.backend-sip.servers.server]
       url = "http://192.168.x.xxx"



[frontends]
  [frontends.frontend-sip]
      backend = "backend-sip"
      passHostHeader = true
      [frontends.frontend-sip.routes.opensprinkler]
          rule = "Host:sip.domain.com"
Reply
#8
The question was about https/ssl. I don't see any lines on that in your config.
Reply
#9
(2019 May 08, 08:07 PM)astrogerard Wrote: The question was about https/ssl. I don't see any lines on that in your config.
Here are more code lines in my traefik.toml. Once you have traefik set up, you can forward any LAN ip to a domain. I got all my free DNS domains from duckdns.
https://www.smarthomebeginner.com/traefi...or-docker/


# WEB interface of Traefik - it will show web page with overview of frontend and backend configurations 
[api]
  entryPoint = "traefik"
  dashboard = true
  address = ":8080"

# Force HTTPS
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
Reply
#10
Thanks for mentioning traefik but to be honest I totally disagree with the writer of the article you mention. HAProxy is in my opinion way easier to usefully add to SIP than a dockerized traefik. For a newbie, just adding haproxy to the pi with my config always works, even with the limited resources on the pi.

btw, I love docker, podman and other containers but for a newbie to start with SIP? ..... not yet :-)
Reply