Re: Let’s Encrypt HTTPS certificates
Posted: Tuesday 12 January 2016 9:27
by rverbruggen
nayr wrote: ah, I see.. well I don't trust domoticz that much, I'd rather expose nginx as it's powering some massive sites and sure to be on top of security.
I don't think you'll get an A+ rating using only the built in HTTPS without modifying the built in webserver code to harden it, I don't see any configuration options for cipher suites or anything.. Going to have to drop all the old weak crypto out of the client options.
Same thing goes for me!
But I hope that I can help making Domoticz better for the more average users in the future (if Domoticz will become a widely used product).
On top of that I think that it will be easier to change it now while there is a lot of programming going on and hopefully the changes can be made without too much trouble, than when we have to change it when it is a full blown solution and changes get harder and harder.
Re: Let’s Encrypt HTTPS certificates
Posted: Tuesday 12 January 2016 9:47
by nayr
I'm all for native https, and it should be the easy option.. but it's not the only one, and if you want A+ level security out of it then you may be asking too much.
documentation imo should cover both possibilities, I just saw a pull request for myDomoticz that will finally allow us to run multiple domoticz sites behind a proxy, mixed with other sites all behind a single IP/Port/Certificate..
for example:
https://yoursite.com/domoticz/
now you can buy a secure cert for
https://yoursite.com, and put something else entirely here, then just proxy /domoticz/ to your domoticz (even using https between proxy and domo if you want)
Re: Let’s Encrypt HTTPS certificates
Posted: Friday 15 January 2016 22:27
by mrcage
I think you should create a server and a client certificate to make the connection to domoticz.
You can easily create a certificate pair by using putty key generator.
Not sure if you can require this by connecting to domoticz though.
Re: Let’s Encrypt HTTPS certificates
Posted: Friday 15 January 2016 22:55
by nayr
mrcage wrote: I think you should create a server and a client certificate to make the connection to domoticz.
You can easily create a certificate pair by using putty key generator.
Not sure if you can require this by connecting to domoticz though.
Actually you can, I just finished up documentation and getting SSO support committed to the core.. see:
viewtopic.php?f=21&t=9799
It's just more of an advanced configuration, I cannot see any easy way to simplify for the masses beyond documenting it well.. would be a huge undertaking to implement a built in key manager correctly and securely.. there is a good reason advanced authentication mechanisms are usually offloaded to external programs.
Re: Let’s Encrypt HTTPS certificates
Posted: Wednesday 13 April 2016 22:19
by MarcelMAH
Let's Encrypt is now out of beta... I would really like Domoticz to support this natively (even on Windows).
Re: Let’s Encrypt HTTPS certificates
Posted: Tuesday 21 June 2016 22:20
by irrbloss
bizziebis wrote: I'm going to try it later today. You need a client to generate the certificate from your system. You don't create it from their website as far as I know.
It will at least save me from importing certificates to every device to get domoticz secure
edit: Got it up and running, not so difficult
I followed this website:
https://coolaj86.com/articles/lets-encr ... pberry-pi/
Then I created the server_cert.pem with the following content:
-privkey.pem
-cert.pem
-chain.pem
Where did you put those files?
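The bundle described in the quoted post (privkey.pem, then cert.pem, then chain.pem in one server_cert.pem) can be assembled with a few sanity checks. This is an added example, not part of any post in this thread; the function names are hypothetical, and `key_matches_cert` assumes the `openssl` command is installed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): assemble server_cert.pem from the three
# Let's Encrypt files named in the post, in the order key, cert, chain.
# All function names are hypothetical.

# Print how many PEM blocks in file $1 have a BEGIN label matching regex $2.
count_blocks() {
    grep -cE -- "^-----BEGIN $2-----\$" "$1" || true
}

# build_server_cert KEY CERT CHAIN OUT
# Refuses swapped or incomplete inputs, then writes OUT readable by owner only.
build_server_cert() {
    local key=$1 cert=$2 chain=$3 out=$4 f
    local priv='([A-Z]+ )?PRIVATE KEY'
    for f in "$key" "$cert" "$chain"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done
    [ "$(count_blocks "$key" "$priv")" -eq 1 ] ||
        { echo "$key: expected exactly one private key" >&2; return 1; }
    [ "$(count_blocks "$cert" CERTIFICATE)" -eq 1 ] ||
        { echo "$cert: expected exactly one certificate" >&2; return 1; }
    [ "$(count_blocks "$chain" CERTIFICATE)" -ge 1 ] ||
        { echo "$chain: expected at least one certificate" >&2; return 1; }
    # Only the key file may carry private key material.
    [ "$(count_blocks "$cert" "$priv")" -eq 0 ] &&
        [ "$(count_blocks "$chain" "$priv")" -eq 0 ] ||
        { echo "private key found outside $key" >&2; return 1; }
    # The bundle contains the private key: create it 0600 from the start.
    # awk 1 re-adds a missing final newline so PEM markers never run together.
    rm -f "$out.tmp"
    ( umask 077 && awk 1 "$key" "$cert" "$chain" > "$out.tmp" ) || return 1
    mv -f "$out.tmp" "$out"
}

# key_matches_cert KEY CERT
# Succeeds only if CERT was issued for the public half of KEY (needs openssl).
key_matches_cert() {
    local from_key from_cert
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}
```

Run `key_matches_cert privkey.pem cert.pem` before `build_server_cert privkey.pem cert.pem chain.pem server_cert.pem`, and repeat both after each renewal, because the bundle is a copy and does not follow the renewed files.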
Re: Let’s Encrypt HTTPS certificates
Posted: Tuesday 10 January 2017 17:29
by Calzor Suzay
With this method are you able to setup public and private keys for devices (such as iPhone, PC etc.)?
Or is NGINX the preferred method for this, it's just that at the NGINX wiki page
https://www.domoticz.com/wiki/Secure_Nginx_Proxy_Setup at the top it says "Please note! Domoticz now has native HTTPS / SSL support since Version 2.2563 (June 14th 2015)"
Re: RE: Re: Let’s Encrypt HTTPS certificates
Posted: Thursday 12 January 2017 23:02
by jake
Calzor Suzay wrote: With this method are you able to setup public and private keys for devices (such as iPhone, PC etc.)?
Or is NGINX the preferred method for this, it's just that at the NGINX wiki page
https://www.domoticz.com/wiki/Secure_Nginx_Proxy_Setup at the top it says "Please note! Domoticz now has native HTTPS / SSL support since Version 2.2563 (June 14th 2015)"
I never understood those lines in the Wiki as well. If I use the 443 port and forward that in my router, how much more safe is this, compared to the standard http? What is the actual risk with hacking when I use the login page and the password has sufficient quality, together with the https?
Using the https always gives me a read 'failed update browser cache' on my pc at work.
Re: Let’s Encrypt HTTPS certificates
Posted: Saturday 08 December 2018 10:37
by mrelfire
I am looking for the same wiki for Windows but no way to find it, any suggestions please?