I recently installed a fresh version of Domoticz on my Raspberry Pi.
I want to access Domoticz securely from outside, but I get errors with my current setup.
Current Setup:
On my main router, a mini PC running pfSense (192.168.1.1), I run two plug-ins:
- HAProxy
- ACME, which generates the certs for the backend of HAProxy
HAProxy Frontend Setup:
HAProxy Backend Setup:
The backend of HAProxy to Domoticz is set up to the HTTP server on port 9090.
And I copied the PEM file which ACME created to the Domoticz folder and renamed it to server_cert.pem.
So when I open Domoticz from outside my network (https://mydomain), I get a login page, but I also get one when I log in from my local network.
Because I don't want to log in to Domoticz when I am on my local network, I set the local networks in Domoticz to 192.168.1.*
This causes the login page to also disappear when anyone reaches my domain from outside.
So to take a closer look at what went wrong, I started Domoticz with:
./domoticz -www 9090 -sslwww 443 -log "/var/log/domoticz.log" -loglevel all -debuglevel auth,hardware,received,webserver
pi@Domotica-Pi:~/domoticz $ ./domoticz -www 9090 -sslwww 443 -log "/var/log/domoticz.log" -loglevel all -debuglevel auth,hardware,received,webserver
2023-01-03 15:05:50.944 Status: Domoticz V2022.2 (build 14905) (c)2012-2023 GizMoCuz
2023-01-03 15:05:50.944 Status: Build Hash: 2406d20b1, Date: 2023-01-01 11:41:36
2023-01-03 15:05:50.944 Status: Startup Path: /home/pi/domoticz/
2023-01-03 15:05:50.972 Sunrise: 08:47:00 SunSet: 16:42:00
2023-01-03 15:05:50.972 Day length: 07:56:00 Sun at south: 12:45:00
2023-01-03 15:05:50.972 Civil twilight start: 08:07:00 Civil twilight end: 17:22:00
2023-01-03 15:05:50.972 Nautical twilight start: 07:24:00 Nautical twilight end: 18:05:00
2023-01-03 15:05:50.972 Astronomical twilight start: 06:43:00 Astronomical twilight end: 18:46:00
2023-01-03 15:05:51.090 Status: PluginSystem: Started, Python version '3.7.3', 2 plugin definitions loaded.
2023-01-03 15:05:51.092 Debug: : MQTT PublishSchema 1 (1), Retain 0
2023-01-03 15:05:51.098 Active notification Subsystems: telegram (1/13)
2023-01-03 15:05:51.098 Debug: CWebServer::StartServer() : settings : 'server_settings[is_secure_=false, www_root='/home/pi/domoticz/www', listening_address='::', listening_port='9090', vhostname='', php_cgi_path='']'
2023-01-03 15:05:51.099 Status: WebServer(HTTP) started on address: :: with port 9090
2023-01-03 15:05:51.102 Debug: CWebServer::StartServer() : settings : ssl_server_settings['server_settings[is_secure_=true, www_root='/home/pi/domoticz/www', listening_address='::', listening_port='443', vhostname='', php_cgi_path='']', ssl_method='tls', certificate_chain_file_path='./server_cert.pem', ca_cert_file_path='./server_cert.pem', cert_file_path=./server_cert.pem', private_key_file_path='./server_cert.pem', private_key_pass_phrase='', ssl_options='single_dh_use', tmp_dh_file_path='./server_cert.pem', verify_peer=false, verify_fail_if_no_peer_cert=false, verify_file_path='']
2023-01-03 15:05:51.109 Debug: [web:443] Enabled ciphers (TLSv1.2) ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
2023-01-03 15:05:51.111 Error: [web:443] missing SSL DH parameters from file ./server_cert.pem
2023-01-03 15:05:51.112 Status: WebServer(SSL) startup failed on address :: with port: 443: bind: Permission denied [system:13], trying ::
2023-01-03 15:05:51.113 Debug: [web:443] Enabled ciphers (TLSv1.2) ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
2023-01-03 15:05:51.115 Error: [web:443] missing SSL DH parameters from file ./server_cert.pem
2023-01-03 15:05:51.115 Status: WebServer(SSL) startup failed on address :: with port: 443: bind: Permission denied [system:13], trying 0.0.0.0
2023-01-03 15:05:51.116 Debug: [web:443] Enabled ciphers (TLSv1.2) ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
2023-01-03 15:05:51.118 Error: [web:443] missing SSL DH parameters from file ./server_cert.pem
2023-01-03 15:05:51.119 Error: WebServer(SSL) startup failed on address 0.0.0.0 with port: 443: bind: Permission denied [system:13]
2023-01-03 15:05:51.119 Error: WebServer(SSL) check privileges for opening ports below 1024
2023-01-03 15:05:51.121 Starting shared server on: :::6144
2023-01-03 15:05:51.121 Status: TCPServer: shared server started...
2023-01-03 15:05:51.122 Status: RxQueue: queue worker started...
2023-01-03 15:05:51.418 Debug: [web:9090] Host:192.168.1.1 Uri:/
2023-01-03 15:05:51.418 Debug: [web:9090] Request Headers:
content-length: 0
2023-01-03 15:05:51.418 Debug: Web ACLF: 192.168.1.1 - - [03/Jan/2023:15:05:51.418 +0100] "OPTIONS / HTTP/1" 200 0 - -
2023-01-03 15:05:52.464 Debug: [web:9090] Host:192.168.1.1 Uri:/
2023-01-03 15:05:52.464 Debug: [web:9090] Request Headers:
content-length: 0
2023-01-03 15:05:52.465 Debug: Web ACLF: 192.168.1.1 - - [03/Jan/2023:15:05:52.464 +0100] "OPTIONS / HTTP/1" 200 0 - -
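The log above shows every request reaching Domoticz with source address 192.168.1.1, i.e. the pfSense/HAProxy box, which itself matches the 192.168.1.* "local networks" whitelist. The following script is an added example (not part of the post or of Domoticz) that parses "Web ACLF" log lines, applies a simplified wildcard model of the local-networks setting, and reports when the proxy's own address is trusted so that every forwarded request, internal or external, skips the login; the third sample line (192.168.1.50) is constructed.

```python
import re
from fnmatch import fnmatch

# Constructed sample: two ACLF lines in the shape of the post's log, plus one
# constructed line from a genuinely local client (192.168.1.50).
SAMPLE_LOG = """\
2023-01-03 15:05:51.418 Debug: Web ACLF: 192.168.1.1 - - [03/Jan/2023:15:05:51.418 +0100] "OPTIONS / HTTP/1" 200 0 - -
2023-01-03 15:05:52.465 Debug: Web ACLF: 192.168.1.1 - - [03/Jan/2023:15:05:52.464 +0100] "OPTIONS / HTTP/1" 200 0 - -
2023-01-03 15:06:10.001 Debug: Web ACLF: 192.168.1.50 - - [03/Jan/2023:15:06:10.001 +0100] "GET / HTTP/1" 200 0 - -
"""

# Matches the Common-Log-Format fragment Domoticz prints after "Web ACLF:".
ACLF_RE = re.compile(r'Web ACLF: (?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)"')


def client_ips(log_text):
    """Return the source IP of every ACLF request line in the log."""
    return [m.group("ip") for m in map(ACLF_RE.search, log_text.splitlines()) if m]


def is_trusted(ip, local_networks):
    """Simplified (assumed) model of the Domoticz 'local networks' setting:
    a request skips the login when its source IP matches one wildcard pattern."""
    return any(fnmatch(ip, pat) for pat in local_networks)


def audit(log_text, local_networks, proxy_ip):
    """Classify each request and flag the whitelist collapse: if the reverse
    proxy's own address is trusted, everything it forwards is trusted too."""
    ips = client_ips(log_text)
    trusted = [ip for ip in ips if is_trusted(ip, local_networks)]
    via_proxy = [ip for ip in ips if ip == proxy_ip]
    return {
        "requests": len(ips),
        "trusted": len(trusted),
        "via_proxy": len(via_proxy),
        "proxy_is_trusted": is_trusted(proxy_ip, local_networks),
    }


if __name__ == "__main__":
    # With the post's setting, the proxy address is trusted and the login is gone for everyone.
    print(audit(SAMPLE_LOG, ["192.168.1.*"], "192.168.1.1"))
    # A whitelist that excludes the proxy keeps external (forwarded) traffic behind the login.
    print(audit(SAMPLE_LOG, ["192.168.1.50"], "192.168.1.1"))
```

Because TLS is terminated on pfSense and the backend is plain HTTP on port 9090, Domoticz never sees the real client address, so any IP-based login bypass that includes the proxy applies to the Internet as well.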