I am having no success with X.509 certificate logon to Domoticz. The cert was issued by XCA, signed by my own CA. I tested many configurations and could not get the logon to Domoticz to work.
1) Logon to Nginx with x.509 works.
2) Redirect to SSL works.
3) On error, go to Google works.
4) Logon to Domoticz without authentication works.
5) I enable Login-Page; with the correct credentials the logon works.
6) When I change to Basic-Auth with a certificate, I get an offline error message; logon FAILS.
7) I change the credentials in Settings to match the CN and password on the cert; the logon FAILS. I add users with Admin rights, with the same CN and email that I issue my certs with; logon FAILS with an offline error.
My configuration is as follows:
- Domoticz beta 3.6707
- Settings: Basic-Auth, with User Name and Password entered in the Settings page.
- Domoticz and Nginx are on two different RPi's. 192.168.0.3 is Nginx and 192.168.0.4 is Domoticz. Communication between the RPi's is over SSL.
- For ssl_client_certificate /etc/ssl/ca/MyServert.pem, I copied the server certificate.
- Nginx Config:
    ## Default all HTTP traffic to HTTPS
    server {
        listen 80 default;
        server_name my.server.org; # Set to your FQDN
        rewrite ^ https://$server_name$request_uri? permanent;
    }

    ## Domoticz Secure Proxy
    server {
        listen 443 default ssl;
        server_name my.server.org; # Set to your FQDN
        ssl_certificate /etc/ssl/server.crt;
        ssl_certificate_key /etc/ssl/private/server.key;
        ssl_dhparam /etc/ssl/certs/dhparam2.pem;
        ssl_session_timeout 60m;
        ssl_session_cache shared:SSL:10m;
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); TLSv1.2 is the only one of these still recommended
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        # cipher list as posted (cut off after "!P$" in the post)
        ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!P$
        ssl_prefer_server_ciphers on;

        ### UNCOMMENT BELOW FOR x509 CLIENT AUTH
        # CA certificate that client certificates are verified against
        ssl_client_certificate /etc/ssl/ca/MyServert_CA.pem;
        # "optional": the TLS handshake completes even without a client cert,
        # so the if-block below is what actually turns away unverified clients
        ssl_verify_client optional;
        if ($ssl_client_verify != SUCCESS) {
            return 303 http://www.google.com; # Set to your Error Page FQDN.
        }

        add_header Strict-Transport-Security max-age=63072000;
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;

        ## Domoticz
        location / {
            proxy_pass https://192.168.0.4;
            access_log /var/log/nginx/access.domoticz.log;
            error_log /var/log/nginx/error.domoticz.log;

            ### UNCOMMENT BELOW FOR x509 CLIENT SSO
            # forwards the client certificate's subject DN, verbatim, as the
            # Authorization request header sent to Domoticz
            proxy_set_header Authorization $ssl_client_s_dn;
            # strips any Authorization header from the upstream response
            proxy_hide_header Authorization;
        }
    } # end of the Domoticz Secure Proxy server block
How do I troubleshoot the SSO authentication?
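As an added illustration (not code from the post, from nginx or from Domoticz): the proxy above forwards nginx's $ssl_client_s_dn verbatim, whereas an HTTP Basic Authorization header (RFC 7617) has the form "Basic" followed by base64(user:password). The Python below parses the DN in both formats nginx has emitted (the legacy "/C=NL/O=Home/CN=alice" form and, since nginx 1.11.6, the RFC 2253 "CN=alice,O=Home,C=NL" form), maps the CN to a constructed user table and builds a Basic header, and decode_basic shows how a Basic-auth upstream sees a bare DN. The USERS table and its password are constructed placeholders.

```python
import base64
import re

# Constructed mapping: certificate CN -> password of the matching Domoticz account.
# In a real deployment this would live in the auth shim's protected configuration.
USERS = {"alice": "example-password"}


def parse_dn(dn):
    """Parse nginx's $ssl_client_s_dn into {attribute: value}.

    nginx before 1.11.6 emitted the legacy OpenSSL form '/C=NL/O=Home/CN=alice';
    later versions emit the RFC 2253 form 'CN=alice,O=Home,C=NL'.
    """
    if dn.startswith("/"):
        parts = dn[1:].split("/")
    else:
        # split on commas that are not escaped with a backslash (RFC 2253)
        parts = re.split(r"(?<!\\),", dn)
    attrs = {}
    for part in parts:
        key, sep, value = part.partition("=")
        if sep:
            attrs[key.strip().upper()] = value.replace("\\,", ",")
    return attrs


def decode_basic(header):
    """Return (user, password) if header is a well-formed HTTP Basic credential, else None.

    A bare DN has no 'Basic ' scheme and is not base64, so it is rejected here,
    which is what an upstream expecting Basic auth does with it.
    """
    scheme, _, token = header.partition(" ")
    if scheme != "Basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authorization_for(dn):
    """Map a verified client DN to the Authorization header Basic auth expects.

    Returns None when the CN is absent or not an allowed user, so an otherwise
    valid certificate with an unknown CN gets no credentials at all.
    """
    cn = parse_dn(dn).get("CN")
    if cn is None or cn not in USERS:
        return None
    token = base64.b64encode(f"{cn}:{USERS[cn]}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"
```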
x509 SSO Authentication
Re: x509 SSO Authentication
What is the difference between doing this and running a VPN server on your network and connecting that way? It sounds like two different ways of doing the same thing (securely accessing Domoticz remotely).
Also, how do you update your Pi, or whatever is hosting Domoticz, if you ban it from accessing the internet? Or do (should) you have a dedicated Domoticz machine? For example, if I have a Pi that's hosting a VPN server and also running Domoticz, should I really get a second Pi?
Is there any way to securely access Domoticz (or anything else on your home network) from a public computer? I'm assuming no... But another wild example: if you're on a cruise ship and your phone goes overboard, are you just disconnected from your home until you actually get home again? Or, a more likely scenario, I'm at work and want to access one of my security cameras from my work machine, but don't want the boss to know, and I'm tired of looking at the video feed on my phone (that's connected via VPN).
Thanks
Re: x509 SSO Authentication
Hi,
Just changed my phone and I need to recreate a client certificate for x509 SSO authentication.
The WIKI page "Secure Nginx Proxy Setup" is no longer available, as an admin has deleted it: "19 August 2017 Admin (talk | contribs) deleted page Secure Nginx Proxy Setup (Not needed anymore for more then a year. Native support has been added long time ago. Rest is basic setup of NGINX and belongs on Google)"
That post was really useful, as I used it for my setup more than a year ago.
Can anyone restore it, or paste the information into this post in the forum, or give a clue to recreating the client x509 certificate? My test failed with a bad request from NGINX (I set the common name to my Domoticz username, as set in Domoticz).
Thanks
RPI3 Raspbian Buster + Domoticz v2020.1 stable + RFXtrx433E + Z-Stick Gen5 + Amazon Echo (alexicz)
x5 THGN810 / x5 ZMNHJD1 / x2 Flood sensor FGFS101 / x1 Smoke sensor FGSD002
x1 ZMNHAD1 / x2 FGS213 / x3 Wallplug FGWPE/F / NodOn Soft remote CRC-3-6-0