SSL Support

KN6KKI
Posts: 3
Joined: Sun Sep 27, 2020 1:31 am

Re: SSL Support

Post by KN6KKI »

Using info from in here and other areas as mentioned, I added https to my pi3b+ hotspot.

Issues I've encountered - slightly slower lag in display -
won't update - just hangs on first line of update and never changes.
Go over to http and it works without issue.

Pi Star SSL
This is more of a rough draft!
Your mileage may vary!

-- certbot -- setup
Assumes
  • IP address, user:pass known & set static via reservation / other
  • NAT port forwarding know-how.
  • SSH already prepped and
  • Pistar has inet access.
  • Using Cloudflare (one of the best, most reliable, efficient and cost-effective "free" DNS providers)
Primarily following > https://certbot.eff.org/lets-encrypt/de ... nginx.html
HTTPS ports supported by Cloudflare:
443
2053
2083
2087
2096 #<--- Using this port for my setup
8443

Get started

4.1.2 > SSH
Drop into root instead of having to type sudo before each command

sudo -i
rpi-rw
apt-get install certbot python-certbot-nginx 
apt-get install python3-certbot-dns-cloudflare

mkdir -p ~/.secrets/certbot/   # -p so this also works when ~/.secrets does not exist yet
chmod 0700 ~/.secrets/certbot/
touch ~/.secrets/certbot/cloudflare.ini   # create the file first, otherwise the chmod below has nothing to act on
chmod 0400 ~/.secrets/certbot/cloudflare.ini
nano ~/.secrets/certbot/cloudflare.ini
Modify below with your info from cflare:

### add below this info ####
# Cloudflare API credentials used by Certbot
dns_cloudflare_email = [email protected]
dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234
### add above this info ####

chmod 600 ~/.secrets/certbot/cloudflare.ini
Firewall Edits
http://wiki.pistar.uk/Adding_custom_fir ... to_Pi-Star

nano /root/ipv4.fw

### add below this info ####
 # Comments can be added using the hash at the start of a line
 # This line adds outgoing access to UDP/41401
##  iptables -A OUTPUT -p udp --dport 41401 -j ACCEPT #	NXDN Outbound to extra host
 # This line adds DSCP marking to this traffic to give it voice priority on the network
 # you don't need this but it's a good thing for voice packets
## iptables -t mangle -A POSTROUTING -p udp --dport 41401 -j DSCP --set-dscp 46


iptables -A INPUT -m state --state NEW -p tcp --dport 2096 -j ACCEPT

### add above this info ####

pistar-firewall
Get your Cert - Modify Domain name subdomain or other - I typically use sub.domains.com, like dmr.domain.com

certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials ~/.secrets/certbot/cloudflare.ini \
  --dns-cloudflare-propagation-seconds 45 \
  -d sub.domain.com

Initial Run will ask for email for notifications
[email protected] used (use your own email)
Agree ToS - Y
Share email EFF - N
Performing DNS-01 challenge

/etc/letsencrypt/live/sub.domain.com/fullchain.pem

Edit nginx listeners for HTTPS

nano /etc/nginx/sites-enabled/pi-star
-- add/insert just below port 80 Listener --
Don't forget to edit your domain name and remove the <>

   listen 80 default  # Existing Line
# Add for Certbot
    listen 2096 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/<dom.domain.com>/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/<dom.domain.com>/privkey.pem; # managed by Certbot
# End for Certbot

nginx -t
nginx -s reload

crontab -e 
Choose nano
Paste at end
14 5 * * * /usr/local/bin/certbot renew --quiet --post-hook "/usr/sbin/service nginx reload" > /dev/null 2>&1
Test (verify in crontab - might have to install)

crontab -l
rpi-ro


Single line install - haven't retested this though - have to edit domain, cfemail and key in the lines though.
Gets through firewall setup - then start at the "Edit nginx listeners" line... I think...

apt-get install certbot python-certbot-nginx python3-certbot-dns-cloudflare \
;mkdir -p ~/.secrets/certbot/ \
;echo -e "# Cloudflare API credentials used by Certbot \ndns_cloudflare_email = [email protected] \ndns_cloudflare_api_key = your_cf_global_token \n" > ~/.secrets/certbot/cloudflare.ini \
;chmod 0700 ~/.secrets/certbot \
;chmod 0400 ~/.secrets/certbot/cloudflare.ini \
;echo -e "# Comments can be added using the hash at the start of a line \n# This line adds outgoing access to UDP/41401 \n##  iptables -A OUTPUT -p udp --dport 41401 -j ACCEPT #	NXDN Outbound to extra host \n# This line adds DSCP marking to this traffic to give it voice priority on the network \n# you dont need this but its a good thing for voice packets \n## iptables -t mangle -A POSTROUTING -p udp --dport 41401 -j DSCP --set-dscp 46 \n\n\niptables -A INPUT -m state --state NEW -p tcp --dport 2096 -j ACCEPT" >> /root/ipv4.fw \
;pistar-firewall
It is probably not perfect but works...
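The procedure above touches five separate things (the credential file, the firewall script, the nginx listener, the certificate and the cron job), and a mistake in any one of them only shows up weeks later when a renewal silently fails. The script below is an added check, not from the post or from Pi-Star, that audits each of them. The paths, port 2096 and sub.domain.com are assumptions copied from the post and can be overridden with environment variables; run it as root with `--audit`. One thing it catches that the cron line's `> /dev/null 2>&1` hides: if the certbot path named in the crontab does not exist, renewal never runs and nothing reports it.

```shell
#!/bin/sh
# Added example, not from the thread: audits the pieces of the Pi-Star HTTPS
# setup described above. Paths and the port are assumptions copied from the
# post; override them with environment variables where your setup differs.
CF_INI="${CF_INI:-/root/.secrets/certbot/cloudflare.ini}"
NGINX_SITE="${NGINX_SITE:-/etc/nginx/sites-enabled/pi-star}"
FW_FILE="${FW_FILE:-/root/ipv4.fw}"
HTTPS_PORT="${HTTPS_PORT:-2096}"
DOMAIN="${DOMAIN:-sub.domain.com}"            # placeholder, as in the post
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/$DOMAIN}"

# 0 when the file exists and has no group/other permission bits, so only the
# owner (root) can read the Cloudflare API credential stored in it.
perms_private() {
    [ -f "$1" ] || return 1
    # columns 5-10 of "ls -l" are the group and other rwx bits
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# 0 when the nginx site has a "listen <port> ssl" directive and the
# certificate paths no longer contain the <...> placeholder from the post.
nginx_ssl_listener_ok() {
    [ -f "$1" ] || return 1
    grep -Eq "^[[:space:]]*listen[[:space:]]+$2[[:space:]]+ssl" "$1" || return 1
    ! grep -Eq "ssl_certificate(_key)?[[:space:]]+[^;]*<" "$1"
}

# 0 when the custom firewall file has an uncommented rule accepting new
# inbound TCP connections on the port (the line appended to /root/ipv4.fw).
fw_allows_port() {
    [ -f "$1" ] || return 1
    grep -Eq "^[[:space:]]*iptables[[:space:]]+-A[[:space:]]+INPUT[[:space:]].*--dport[[:space:]]+$2([[:space:]]|\$).*-j[[:space:]]+ACCEPT" "$1"
}

# 0 when the crontab text (a file, or stdin when no file is given) runs
# "certbot renew" with a post-hook that reloads nginx, so a renewed cert is
# actually served instead of sitting unused on disk.
cron_renew_ok() {
    grep -Eq "certbot[[:space:]]+renew.*--post-hook.*nginx" "$@"
}

# Print the certbot program named by the renew job. A wrong path (the post
# uses /usr/local/bin/certbot; the Debian package installs /usr/bin/certbot)
# fails silently because the job discards its own output.
cron_certbot_bin() {
    sed -n 's/.*[[:space:]]\([^[:space:]]*certbot\)[[:space:]]\{1,\}renew.*/\1/p' "$@" | head -n 1
}

# 0 when the served certificate is still valid in $2 days (default 14);
# needs openssl and returns 2 when it is not installed.
cert_days_ok() {
    command -v openssl >/dev/null 2>&1 || return 2
    openssl x509 -in "$1" -noout -checkend $(( ${2:-14} * 86400 )) >/dev/null 2>&1
}

check() {  # check "<description>" <command...>: run one check, report it, track failures in rc
    desc="$1"; shift
    if "$@"; then echo "ok   $desc"; else echo "FAIL $desc"; rc=1; fi
}

audit_pistar_ssl() {
    rc=0
    check "credential file is owner-only: $CF_INI" perms_private "$CF_INI"
    check "nginx listens on $HTTPS_PORT with ssl and real cert paths" nginx_ssl_listener_ok "$NGINX_SITE" "$HTTPS_PORT"
    check "firewall file admits TCP/$HTTPS_PORT" fw_allows_port "$FW_FILE" "$HTTPS_PORT"
    check "certificate valid for 14+ days: $LIVE_DIR/fullchain.pem" cert_days_ok "$LIVE_DIR/fullchain.pem" 14
    cron=$(mktemp); crontab -l >"$cron" 2>/dev/null || true
    check "crontab renews the cert and reloads nginx afterwards" cron_renew_ok "$cron"
    cb=$(cron_certbot_bin "$cron"); rm -f "$cron"
    if [ -n "$cb" ] && command -v "$cb" >/dev/null 2>&1; then
        echo "ok   certbot named in crontab exists: $cb"
    else
        echo "FAIL certbot named in crontab is missing or not executable: '$cb'"; rc=1
    fi
    return $rc
}

# Run the audit only when asked, so the file can also be sourced for its checks.
if [ "${1:-}" = "--audit" ]; then audit_pistar_ssl; fi
```

A related caveat on the credential the post stores in cloudflare.ini: the Global API Key can change every record in every zone of the Cloudflare account, so a copy taken from the hotspot is far more than a DNS-challenge credential. certbot-dns-cloudflare also accepts a zone-scoped API token via `dns_cloudflare_api_token =` in the same file (a token with only DNS edit rights on the one zone), which limits what a leaked file can do; the permission checks above apply either way.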
W4JEW
Posts: 59
Joined: Sun Aug 12, 2018 12:53 am
Location: Atlanta, GA, United States

Re: SSL Support

Post by W4JEW »

Thanks for putting this together!!! It looks very comprehensive.

I'm going to give it a try and will let you know if there are any issues.
Check out GeorgiaDMR.net - https://www.georgiadmr.net
And on Groups.io - https://groups.io/g/GeorgiaDMR

Jeff Hochberg
W4JEW
Atlanta, GA
2E0EPV
Posts: 11
Joined: Fri Jan 03, 2020 9:08 pm
Location: IO81

Re: SSL Support

Post by 2E0EPV »

W4JEW wrote: Sat Jan 26, 2019 7:49 am
I cringe at the fact that people even contemplate port forwarding the web interface out to the Internet without HTTPS!!! I urge people to not do this! It’s just bad practice.

/me off soapbox

Thank you!
This is why for now my RPI is only accessible over the internet via my VPN.
73,
Kyle
2E0EPV
Posts: 11
Joined: Fri Jan 03, 2020 9:08 pm
Location: IO81

Re: SSL Support

Post by 2E0EPV »

At some point I am planning to implement Let's Encrypt on my RPI so that I no longer have to pass it to the internet through my VPN. At the moment I am not forwarding it straight out the internet (obviously) because there is no SSL Cert (https://)
73,
Kyle
KN6KKI
Posts: 3
Joined: Sun Sep 27, 2020 1:31 am

Re: SSL Support

Post by KN6KKI »

Cert still holding on my RPi -
had it offline for a few weeks while testing Nextion soldering and finally got that going..

once it was back online the inbound https cert renewed automagically and all back via https...

updates still don't work via web well - all else seems to work fine.
m0guy
Posts: 26
Joined: Mon May 04, 2020 12:57 pm

Re: SSL Support

Post by m0guy »

While not necessarily the easy solutions, here are two ways that I've secured Pi-Stars and other systems which do not directly support SSL certs.

1. I created a small Docker container, but it could be anything really (another Pi, for example), which runs NGINX as a reverse proxy, with these few lines of configuration:

server {
    listen 443;
    server_name gb7gp.m0guy.com;

    location /admin {
      deny all;
      return 404;
    }

    location / {
      proxy_redirect      http://192.168.1.21 https://gb7gp.m0guy.com;
      proxy_pass          http://192.168.1.21;
      error_page 403      https://gb7gp.m0guy.com;
    }
    
}


This rejects all public requests to the /admin pages, making sure that if there is a bug in the Pi-Star code no one can get to the admin configuration pages, and proxies everything else to the Pi-Star.

I've then just configured nginx to use SSL with letsencrypt.

2. I run the pfSense (free) firewall at the edge, and you can install the ACME certificate manager and HAProxy. Create a new HA configuration with just the one backend node (the Pi-Star), and use ACME to create and manage the SSL certificate for it.
pfSense then terminates the SSL and forwards the web traffic to your Pi-Star.


In either case I would always strongly suggest that you put any device you allow internet access to in a separate network from your other systems; typically this would be called a DMZ. You should then secure the DMZ network so it's not able to access your home network systems. This way, should they get compromised, they can't get deeper into your world.

Many domestic DSL routers allow a basic form of DMZ. But I would suggest checking out pfSense as a great firewall that will run on almost any hardware (not Pi); using an old laptop offers a great compact solution with a UPS built in. I have my pfSense connected directly to my BT fibre and handling the PPPoE authentication as I had when using copper. No BT Home Hub in sight.
-----------------------------
DMR Help: https://help.m0guy.com
Personal web: https://m0guy.com
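As an added example (not m0guy's own configuration, and not anything shipped with Pi-Star), here is the reverse-proxy vhost from the post completed with the pieces he describes adding separately: the TLS listener and certificate, a plain-HTTP redirect so the dashboard is never served in clear, and the forwarding headers the backend needs. The hostname hotspot.example.net, the RFC 5737 documentation address 192.0.2.21 and the Let's Encrypt paths are placeholders. One nginx detail worth knowing when reading the original: `return` is processed in the rewrite phase, before access-phase `deny`, so with both directives present the 404 is what a client sees and `deny all` is never reached; the admin pages are unreachable from outside either way.

```nginx
# Added example, not the post's own config: the reverse proxy from the post with
# the TLS, redirect and forwarding headers filled in. The hostname, the
# RFC 5737 address 192.0.2.21 and the certificate paths are placeholders.

# Plain HTTP only ever answers with a redirect; nothing is proxied in clear.
server {
    listen 80;
    server_name hotspot.example.net;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;          # "ssl" is required; "listen 443;" alone speaks plain HTTP on 443
    server_name hotspot.example.net;

    ssl_certificate     /etc/letsencrypt/live/hotspot.example.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/hotspot.example.net/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Admin pages are unreachable from the internet regardless of Pi-Star's own
    # login. "return" runs in the rewrite phase, before access-phase "deny",
    # so a 404 is what a client gets; a "deny all" after it would never run.
    # The prefix match also covers /admin/... and anything starting with /admin.
    location /admin {
        return 404;
    }

    # Everything else goes to the hotspot on the DMZ; the headers tell the
    # backend who the real client is and that the outer hop was HTTPS.
    location / {
        proxy_pass         http://192.0.2.21;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
        proxy_redirect     http://192.0.2.21/ https://hotspot.example.net/;
    }
}
```

Check it with `nginx -t` before reloading, and remember the DMZ rule from the post still has to be enforced on the firewall: the proxy only controls what reaches the hotspot through it, not what the hotspot can reach if it is compromised.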
K6JM
Posts: 8
Joined: Wed Sep 05, 2018 8:04 am

Re: SSL Support

Post by K6JM »

KN6KKI - excellent starting info to add SSL support to the Nginx configuration.

Do your changes survive normal Pi-Star updates? I imagine they might not for a major version update (e.g. v 4.x to v 5.x), but I am hoping regular updates will not affect your Nginx changes?

Jim - K6JM
KN6KKI
Posts: 3
Joined: Sun Sep 27, 2020 1:31 am

Re: SSL Support

Post by KN6KKI »

I guess I've been away a bit..

only about 6 months..

Just powered it back up after listening to the hoseline, which is nice to check if anything is going on.

Fired up the unit and rebooted a few times but all up and running.
After it ran - it self updated to https:2096
Updated to Pi-Star:4.1.6 / Dashboard: 20220220

5.x would be interesting - figure I might try to flash the Nextion from within the Pi itself next; we'll see how that goes..