I searched about and I am the only one talking about it, so I want to start a discussion on this and perhaps turn it into a Wiki article and get better proxy support out of Domoticz.
Problem: Provision devices allowed to access Domo with secure credentials that dont require a brute forceable login.. Nobody is going to like typing a big complicated secure password into a mobile device or establishing a VPN link prior to performing tasks.. I want to expose my Domoticz to the internet with the highest level of security available, and not make it a PITA to use.
Solution: Run your own Certificate Authority, generate certificates for each device (laptops, smartphones, desktops, etc), and lock down client devices from physical intrusion (passwords/locking screens/etc). Then hide Domoticz behind a Nginx Proxy that validates certificates before continuing, expose only the Nginx process the dangers of the internet and keep Domoticz transparently hidden behind it.
Any device with a pre-loaded client certificate will be able to open domoticz from anywhere (locally or remotely) securely without ever needing to input login credentials. Any external connections without a certificate you personally signed by you will be denied entry past the edge.
TIPS:
- Certificate Authority: I use XCA for managing my CA easy without a bunch of CLI commands: http://sourceforge.net/projects/xca/
- Never email/dropbox/etc your device a client certificate, plug your phones/tablets into the computer running your CA and transfer them directly.
- WPA-EAP-TLS: I use these same certificates to authenticate these devices with there own WiFi network/vlan, When domoticz detects these devices are on the network (ping) it can be confident the device is who its supposed to be.
- EgiGeoZone for Android supports x509 GeoFencing.
- Run a local firewall so the only external ports exposed are: SSH/HTTP/HTTPS, and then do a remote portscan just to make sure nothing else is exposed externally.
- For Apple iOS Devices you'll probably want to use iPhone Configuration Utility to bundle your device certs with.
- If you have remote domo servers either tunnel over SSH or configure firewall to allow only domo servers to talk directly to domo.
- Same for remote json calls that cant hang with x509, use a SSH tunnel to domoticz over loopback device.
- Configure SSH for key login only and install fail2ban for good measure.
- Use a host OS that can apply nginx/ssh/openssl security updates automatically, quickly and safely (cough, debian)
TODO: Setup revocation file for Nginx incase a device gets lost/stolen.
TODO: Outline creating creating certs and boostraping your x509 system
WISHLIST: Domoticz sub path was configurable or not hardcoded, so if I wanted to proxy https://dispatch.nayr.net/domoticz to http://localhost:8080/ I can without breaking domo.. If going to setup x509 authing proxy there may be other network appliances that need to share that ip/port/cert, such as Sonarr/Plex/ownCloud/UniFi/NZB&Torrent clients/Remote Desktops.. Luckily I have ample static IP's at my disposal, not many can say that.
WISHLIST: User Level Security, We can pass the ID from the client cert along to domoticz in a header if domoticz can extract it and match it to a user..
WISHLIST: 3rd party apps for Android and iOS have support for authenticating with x509, so people whom travel this path are not left out of options.
