x509 SSO Authentication
Posted: Wednesday 06 January 2016 22:34
by nayr
Working Documentation, now at: http://www.domoticz.com/wiki/Secure_Nginx_Proxy_Setup
I searched about and I am the only one talking about it, so I want to start a discussion on this and perhaps turn it into a Wiki article and get better proxy support out of Domoticz.
Problem: Provision devices allowed to access Domo with secure credentials that don't require a brute-forceable login.. Nobody is going to like typing a big complicated secure password into a mobile device or establishing a VPN link prior to performing tasks.. I want to expose my Domoticz to the internet with the highest level of security available, and not make it a PITA to use.
Solution: Run your own Certificate Authority, generate certificates for each device (laptops, smartphones, desktops, etc), and lock down client devices from physical intrusion (passwords/locking screens/etc). Then hide Domoticz behind an Nginx Proxy that validates certificates before continuing, expose only the Nginx process to the dangers of the internet and keep Domoticz transparently hidden behind it.
Any device with a pre-loaded client certificate will be able to open domoticz from anywhere (locally or remotely) securely without ever needing to input login credentials. Any external connections without a certificate personally signed by you will be denied entry past the edge.
TIPS:
- Certificate Authority: I use XCA for managing my CA easily without a bunch of CLI commands: http://sourceforge.net/projects/xca/
- Never email/dropbox/etc your device a client certificate; plug your phones/tablets into the computer running your CA and transfer them directly.
- WPA-EAP-TLS: I use these same certificates to authenticate these devices with their own WiFi network/VLAN. When domoticz detects these devices are on the network (ping) it can be confident the device is who it's supposed to be.
- EgiGeoZone for Android supports x509 GeoFencing.
- Run a local firewall so the only external ports exposed are: SSH/HTTP/HTTPS, and then do a remote portscan just to make sure nothing else is exposed externally.
- For Apple iOS Devices you'll probably want to use iPhone Configuration Utility to bundle your device certs with.
- If you have remote domo servers either tunnel over SSH or configure the firewall to allow only domo servers to talk directly to domo.
- Same for remote json calls that can't hang with x509: use an SSH tunnel to domoticz over the loopback device.
- Configure SSH for key login only and install fail2ban for good measure.
- Use a host OS that can apply nginx/ssh/openssl security updates automatically, quickly and safely (cough, debian)
To see a custom auth failed page in action, go ahead..
http://dispatch.nayr.net
TODO: Set up revocation file for Nginx in case a device gets lost/stolen.
TODO: Outline creating certs and bootstrapping your x509 system
WISHLIST: Domoticz sub path was configurable or not hardcoded, so if I wanted to proxy https://dispatch.nayr.net/domoticz to http://localhost:8080/ I can without breaking domo.. If you're going to set up an x509 authing proxy there may be other network appliances that need to share that IP/port/cert, such as Sonarr/Plex/ownCloud/UniFi/NZB&Torrent clients/Remote Desktops.. Luckily I have ample static IPs at my disposal, not many can say that.
WISHLIST: User Level Security. We can pass the ID from the client cert along to domoticz in a header if domoticz can extract it and match it to a user..
WISHLIST: 3rd party apps for Android and iOS have support for authenticating with x509, so people who travel this path are not left out of options.
Re: x509 Auth
Posted: Friday 08 January 2016 1:39
by nayr
found this nice guide on setting up an x509 CA using XCA, just focus really on chapter 3 "PKI Management" to get the fundamentals down.
http://resources.downloads.pandasecurit ... diht14.pdf
Summary:
Step 1: Create CA Cert
Step 2: Create and sign Server Cert (Domoticz)
Step 3: Create, Sign, and install Client Cert (Client Browsers)
only thing I might add is that you should use the biggest keys you can, not what they show
I'd like more users set up like this, imho this should be the de facto secure method of accessing domoticz.. so I am willing to help if anyone wants to give it a shot, it's not as hard as it looks.
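The three steps above (CA cert, server cert, client cert) as an added example script. This is not the wiki's command list and not nayr's or the project's code; it uses plain openssl instead of XCA, signs everything with SHA-256, puts the server's host name and IP in the subjectAltName extension (where browsers look for alternate names), sets the client cert's CN to the Domoticz username, and also covers the revocation file from the first post's TODO and the DH_Params file nginx needs. "Home CA", domo.example.invalid, 192.0.2.10, alice and the bundle password are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the wiki's commands and not nayr's or the project's code:
# bootstrap a private CA with plain openssl, issue a server cert whose host name
# and IP sit in subjectAltName, issue a client cert whose CN is the Domoticz
# username (emailAddress = the value later entered as that user's password),
# then verify and revoke it. "Home CA", domo.example.invalid, 192.0.2.10 and
# alice are constructed placeholders.
set -eu

KEY_BITS=2048      # demo size so the script runs quickly; use bigger keys for real
DAYS=825
export SAN="DNS:localhost"   # overwritten by make_server; the config references it

# Step 1: CA key + self-signed CA cert, plus the files `openssl ca` needs for CRLs.
make_ca() {        # $1 = pki directory
    d=$1; mkdir -p "$d"; touch "$d/index.txt"
    echo 1000 > "$d/crlnumber"; echo 1000 > "$d/serial"
    cat > "$d/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Home CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = \$ENV::SAN
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
[ca]
default_ca = home
[home]
database = $d/index.txt
serial = $d/serial
new_certs_dir = $d
crlnumber = $d/crlnumber
certificate = $d/ca.crt
private_key = $d/ca.key
default_md = sha256
default_crl_days = 30
EOF
    # -nodes leaves the CA key unencrypted for the demo; passphrase-protect it for real.
    openssl req -x509 -new -nodes -sha256 -newkey "rsa:$KEY_BITS" -days "$DAYS" \
        -config "$d/ca.cnf" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
}

# CSR + CA-signed cert: $1 = pki dir, $2 = file stem, $3 = subject, $4 = extension section.
# SHA-256 throughout: SHA-1-signed certs are what iOS and Chrome reject in this thread.
issue() {
    openssl req -new -nodes -sha256 -newkey "rsa:$KEY_BITS" -config "$1/ca.cnf" \
        -subj "$3" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -sha256 -days "$DAYS" -in "$1/$2.csr" -CA "$1/ca.crt" \
        -CAkey "$1/ca.key" -CAcreateserial -extfile "$1/ca.cnf" -extensions "$4" \
        -out "$1/$2.crt" 2>/dev/null
}

# Step 2: server cert. Browsers match the host name / IP against subjectAltName.
make_server() {    # $1 = pki dir, $2 = host name, $3 = IP address
    export SAN="DNS:$2,IP:$3"
    issue "$1" server "/CN=$2" v3_server
}

# Step 3: client cert (CN = username) and a PKCS#12 bundle for the device.
make_client() {    # $1 = pki dir, $2 = username, $3 = email, $4 = bundle password
    issue "$1" "$2" "/CN=$2/emailAddress=$3" v3_client
    # Copy the .p12 to the phone over USB, as the first post says, never by email.
    openssl pkcs12 -export -in "$1/$2.crt" -inkey "$1/$2.key" -certfile "$1/ca.crt" \
        -name "$2" -passout "pass:$4" -out "$1/$2.p12"
}

# What nginx's ssl_verify_client decides: chains to our CA, usable as a TLS client,
# and not on the CRL once one exists. Exit status only, so it works inside `if`.
verify_client() {  # $1 = pki dir, $2 = certificate file
    if [ -f "$1/crl.pem" ]; then
        openssl verify -CAfile "$1/ca.crt" -CRLfile "$1/crl.pem" -crl_check \
            -purpose sslclient "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1/ca.crt" -purpose sslclient "$2" >/dev/null 2>&1
    fi
}

# The CN the proxy would hand to Domoticz as the username.
cert_cn() {        # $1 = certificate file
    openssl x509 -in "$1" -noout -subject | sed 's|.*CN *= *\([^,/]*\).*|\1|'
}

# The revocation file from the first post's TODO (nginx: ssl_crl), for a lost device.
revoke_client() {  # $1 = pki dir, $2 = certificate file
    openssl ca -config "$1/ca.cnf" -revoke "$2" 2>/dev/null
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}

# The DH_Params file nginx loads via ssl_dhparam; takes minutes, so run it once.
make_dhparam() { openssl dhparam -out "$1/dhparam.pem" 2048 2>/dev/null; }

if [ "${1:-}" = run ]; then    # ./pki.sh run  -> builds everything under ./pki
    make_ca pki
    make_server pki domo.example.invalid 192.0.2.10
    make_client pki alice alice@example.invalid changeit
    verify_client pki pki/alice.crt && echo "alice.crt verifies, CN=$(cert_cn pki/alice.crt)"
fi
```

After `revoke_client` has produced crl.pem, the same client cert fails `verify_client`, which is the behaviour nginx shows once ssl_crl points at that file; regenerate the CRL (and reload nginx) every time a device is revoked, and before default_crl_days runs out.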
Re: x509 Auth
Posted: Thursday 14 January 2016 6:48
by nayr
Spent some considerable time today rewriting and expanding the "Secure Remote Access" Wiki entry.. it should be of great assistance to anyone interested in x509.
http://www.domoticz.com/wiki/Secure_Nginx_Proxy_Setup
Please provide feedback if you give this a shot and succeed or fail, I am trying to make this as easy as possible.
Re: x509 Auth
Posted: Thursday 14 January 2016 8:39
by proohu01
Thank you @nayr. Very nice instructions. I will give this a go. (probably next week)
Re: x509 Auth
Posted: Thursday 14 January 2016 12:16
by nayr
Thanks, good luck and may the force be with you.. lol, it's not as complicated as it looks.. if you can build from source you can set up x509
Added screenshots and instructions for using XCA mentioned earlier as an alternative to using the command line to create and manage your certificates.
Please let me know how it goes, I've had all this setup for eons and trying to go back after the fact and correctly document the steps is not the easiest task.
Re: x509 Auth
Posted: Friday 15 January 2016 2:52
by nayr
Managed to get x509 SSO working within Domoticz, here is the patch:
https://github.com/domoticz/domoticz/pull/344
This feature should work on version 2.4182+
Here is how you use it: when you create your client certificates you set the commonName (CN) to the username. Then in Domoticz User Manager (Setup -> More Options -> Edit Users) you create a User with a Username that's identical to what you put in the CN field on your cert; for the password input the emailAddress you set in your certificate.. It's all case-sensitive so make sure they match or it will fail to auth.
Then in
Setup -> Settings, set
Authentication: Basic-Auth
If you go through the proxy domoticz will sign-on based upon the certificate provided, full user level permissions are active.. if you bypass the proxy and go straight to the domoticz port (8080) you use the Basic-Auth scheme.
If no matching user is found you'll get an offline error message.
Now to update the Wiki Page then start getting more people using this, then I think we can convince the Mobile App devs its worth supporting.
Re: x509 Auth
Posted: Friday 15 January 2016 14:15
by pepijn
nayr wrote:Managed to get x509 SSO working within Domoticz, here is the patch:
https://github.com/domoticz/domoticz/pull/344
This feature should work on version 2.4182+
Here is how you use it: when you create your client certificates you set the commonName (CN) to the username. Then in Domoticz User Manager (Setup -> More Options -> Edit Users) you create a User with a Username that's identical to what you put in the CN field on your cert; for the password input the emailAddress you set in your certificate.. It's all case-sensitive so make sure they match or it will fail to auth.
Then in
Setup -> Settings, set
Authentication: Basic-Auth
If you go through the proxy domoticz will sign-on based upon the certificate provided, full user level permissions are active.. if you bypass the proxy and go straight to the domoticz port (8080) you use the Basic-Auth scheme.
If no matching user is found you'll get an offline error message.
Now to update the Wiki Page then start getting more people using this, then I think we can convince the Mobile App devs its worth supporting.
Nice features
Two questions:
- Why can't we use form-based authentication if the user has no certificate?
- Could this be built into the Domoticz HTTPS server?
Re: x509 Auth
Posted: Friday 15 January 2016 19:22
by nayr
1. Because both basic auth and this x509 SSO use the same headers to authenticate users.. Domoticz is still sending the username/password dialog to your browser even when you provide a cert, but Nginx is suppressing the dialog and sending your cert credentials to domoticz instead. This is not feasible with form-based auth.
2. Theoretically, yes.. the libboost libraries have support for client cert verification, so it just needs the code to support them, however I wouldn't use it. Here is why:
The whole point of this exercise is to protect the domoticz process from exposure to the harsh environment of the internet, while still giving you the ability to access domoticz remotely and securely... If you don't provide a valid cert Nginx rejects you; Domoticz will be completely unaware you attempted to authenticate and failed.
I love domoticz, but I don't really trust it enough to just let any old asshole connect to it.. This is the perfect use for authenticating edge proxies, this is a very standard way of network engineering.. put your critical infrastructure in a nice walled garden, and then put some bouncers at the gate (proxies) to screen incoming people.
For example, if you expose your Domoticz HTTPS server to the internet and do a Crypto Security scan on it, the best grade you're going to get is a B... if you follow this guide your Nginx HTTPS Server will get an A++ Grade with no issues except broken compatibility with decades old browsers. (IE6)
Nginx powers some of the biggest sites on the internet, historically it's had far fewer security issues than the other web-servers, but in the event it does have a security issue I will have a security patch available immediately, then my OS will happily perform unattended security upgrades of Nginx without breaking anything. The boost libraries do have native x509 support but they do not have the provenance that Nginx does. If I upgraded domoticz automatically with no user intervention my home automation system would be broken every other week. Does Domoticz have a CERT response team? And who ports security fixes back to stable versions? Nobody, that's who.. and this is why I will never allow Domoticz to be directly exposed to the harsh reality of the internet.
In the end setting up the nginx proxy is the easiest part of this, apt-get install nginx, then slap my config down.. it's getting all the certs generated, signed, and transferred and installed on all your devices initially that's the real work, once it's running though it's very quick and easy.. I spent more time modifying external scripts/apps to use basic-auth after getting SSO working than I did setting up x509.
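The edge-proxy arrangement described above (only nginx exposed, the client certificate checked before any request reaches Domoticz on port 8080, a custom auth-failed page, modern TLS only) as an added example. This is not the wiki's config and not the project's; it is written as a shell function that writes the nginx server block, plus a small lint that refuses a config missing the edge checks, so the weak and the corrected settings can be compared. The host name, the pki directory, /var/www/edge and the X-SSL-Client-DN header name are constructed placeholders; the directive that actually feeds the certificate identity into Domoticz's Basic-Auth is in the linked wiki, not on this page.

```shell
#!/bin/sh
# Added example, not the wiki's config: write an nginx server block that verifies
# client certificates at the edge and only then proxies to Domoticz on loopback,
# and lint it for the edge checks the thread relies on.
set -eu

write_proxy_conf() { # $1 = output file, $2 = public host name, $3 = pki directory
    cat > "$1" <<EOF
# Plain HTTP only redirects; nothing else answers on port 80.
server {
    listen 80;
    server_name $2;
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    server_name $2;

    ssl_certificate $3/server.crt;
    ssl_certificate_key $3/server.key;
    ssl_dhparam $3/dhparam.pem;

    # Modern TLS only; this is what costs compatibility with decades-old browsers.
    # Add TLSv1.3 on nginx/OpenSSL builds that support it.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_session_cache shared:SSL:10m;

    # Client certificate required, chain must end at our CA, revoked certs rejected.
    # crl.pem is the revocation list produced by your CA; nginx refuses to start without it.
    ssl_client_certificate $3/ca.crt;
    ssl_crl $3/crl.pem;
    ssl_verify_client on;
    ssl_verify_depth 1;

    # 495 = bad client cert, 496 = no client cert: the custom auth-failed page.
    error_page 495 496 = /auth-failed.html;
    location = /auth-failed.html { root /var/www/edge; internal; }

    # Domoticz listens on loopback (or is firewalled); nginx is the only thing exposed.
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        # Hypothetical header name: hands the verified subject DN to the backend.
        proxy_set_header X-SSL-Client-DN \$ssl_client_s_dn;
    }
}
EOF
}

# Lint: return 1 (naming the problem on stderr) if the config would expose Domoticz
# without the edge checks, or re-enables a protocol version the A++ grade forbids.
check_proxy_conf() { # $1 = config file
    if grep -Eq 'ssl_protocols[^;]*(SSLv3|TLSv1[ ;]|TLSv1\.1)' "$1"; then
        echo "weak TLS protocol enabled" >&2; return 1
    fi
    for want in 'ssl_verify_client[[:space:]]+on;' 'ssl_client_certificate[[:space:]]' \
                'ssl_crl[[:space:]]' 'ssl_dhparam[[:space:]]' 'ssl_protocols[^;]*TLSv1\.2' \
                'proxy_pass[[:space:]]+http://127\.0\.0\.1:8080;'; do
        grep -Eq "^[[:space:]]*$want" "$1" || { echo "missing: $want" >&2; return 1; }
    done
    return 0
}

if [ "${1:-}" = run ]; then   # ./proxy.sh run -> writes domo.conf and lints it
    write_proxy_conf domo.conf domo.example.invalid /etc/ssl/ca
    check_proxy_conf domo.conf && echo "domo.conf: edge checks present"
fi
```

Drop the generated file into nginx's conf.d and run `nginx -t` before reloading; the lint only catches the settings this thread cares about (client verification, CRL, DH params, protocol floor), not general syntax errors.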
Re: x509 Auth
Posted: Saturday 16 January 2016 12:28
by Mediacj
Great work!
Thanks for setting up and sharing it, I'm going to try to implement it shortly.
Re: x509 SSO Authentication
Posted: Tuesday 19 January 2016 5:16
by nayr
Thanks to @proohu01 a few errors have been corrected in the Wiki, other than my editorial mistakes, how's it working out for you?
I recently found out how to install your own CA in the system cert store if you have a rooted Android; it keeps you from getting a warning about having a user CA installed.. Had I known about this I don't think I'd have ever gotten a signed cert for my domoticz server.
If anyone wants to know:
http://wiki.pcprobleemloos.nl/android/cacert
Re: x509 SSO Authentication
Posted: Tuesday 19 January 2016 13:57
by proohu01
nayr wrote:Thanks to @proohu01 a few errors have been corrected in the Wiki, other than my editorial mistakes, how's it working out for you?
Not great. Not yet anyway. The Nginx redirect and CA seem to work just fine. As soon as I enable the x509 part of the Nginx config, I am unable to access my proxied site(s). I get prompted to choose my client certificate, which has been created, exported and imported without problems. But when I click OK, I get "ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED" in Chrome.
Clearly some problem with the verification but I haven't found the right answer yet...
This command...
curl -v -s -k --key /etc/ssl/ca/client2.key --cert /etc/ssl/ca/client2.crt https://www.myserver.org
Gives me this result:
Enter PEM pass phrase:
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS handshake, CERT verify (15):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS alert, Server hello (2):
* error:14094417:SSL routines:SSL3_READ_BYTES:sslv3 alert illegal parameter
* Closing connection 0
Re: x509 SSO Authentication
Posted: Tuesday 19 January 2016 19:33
by nayr
Did you make your DH_Params file?
Re: x509 SSO Authentication
Posted: Tuesday 26 January 2016 23:04
by BP-GBW
Hi,
A question on the topic: mutual authentication & iOS 9
I run nginx with both server and client certificates. I almost followed most of the tutorial and ran openssl commands to compute the CA, Server and Client certs signed with the CA. On Mac OS Firefox, domoticz works like a charm with https (port forwarding to 443). When I try the web site on my iOS 9.21 (iPhone current release) I never connect (message: Web cached browser failed + DomoticZ OFF LINE + Problem with certificate).
Do you have any idea? It seems I have the problem only on iOS 9, with different browsers (Firefox, Google Chrome, Opera, Safari).
regards
Re: x509 SSO Authentication
Posted: Wednesday 27 January 2016 3:48
by nayr
Did you use the iphone configuration utility to create a .mobileconfig with your certs?
Re: x509 SSO Authentication
Posted: Wednesday 27 January 2016 6:49
by BP-GBW
hello,
I loaded the CA cert and the P12 client file. Both are declared as Trusted/Verified (ticked green) without the s/w mentioned (it appears to be Windows only?).
The only trick is the signing algo appeared to be SHA-1!!
- Opera/Chrome: connection is not private, Web cached browser failed. Stops on the DomoticZ OFF LINE web page.
- Safari: a problem has occurred & stops (nothing);
- Firefox: The certificate for this server is invalid.... NSURErrorDomain & stops;
regards
Re: x509 SSO Authentication
Posted: Wednesday 27 January 2016 6:54
by nayr
try using XCA, I am suspecting there is something wrong with the OpenSSL commands.. I will have to investigate further.. those commands were already in the wiki and I tried to adopt them, foolishly.
Re: x509 SSO Authentication
Posted: Wednesday 27 January 2016 13:19
by lrybak
nayr wrote:try using XCA, I am suspecting there is something wrong with the OpenSSL commands.. I will have to investigate further.. those commands were already in the wiki and I tried to adopt them, foolishly.
Yes, I agree. For some reason the CLI commands are wrong. I had the same issues as others (worked in Firefox, not in Chrome or IE).
I created them once again in XCA and it works like a charm.
I would change one thing in the instructions.
When you want to enable x509 client cert auth you need to pass the correct CA in:
ssl_client_certificate /etc/ssl/ca_new/ca.crt;
but when you are creating certs/keys the XCA way there is nothing about storing the CA certificate in the above file. There is only a note that you should install the CA on client machines to avoid a security warning.
Thanks for sharing, great work
Re: x509 SSO Authentication
Posted: Saturday 30 January 2016 0:31
by BP-GBW
hello,
I ran the OpenSSL commands but set the CN (when prompted for the server CSR) exactly equal to the IP string of the DomoticZ server (192.168.XX for local IP). The iOS / iPhone connection works like a charm with Safari when logging in to https://CN (192.168.XX.XX);
On Safari & iOS: OK
On Firefox & iOS: still some problem.
On Firefox & Mac OS: still some problem until I set the exception (OK at the end).
In my own view, there are some problems not strictly related to the principle of the OpenSSL commands (those described on the wiki...).
The common name (CN) seems to be verified by the iOS/iPhone web browser without being able to set an exception, while you can set an exception on the MacBook.
To follow...
Regards.
Re: x509 SSO Authentication
Posted: Saturday 30 January 2016 1:28
by nayr
try using XCA to generate certs, I outline generating a server cert with sAMAccountName field.. that's where you put IPs and Alternate Hostnames.
Re: x509 SSO Authentication
Posted: Tuesday 02 February 2016 12:10
by proohu01
I started over with a new Ubuntu server and went for the XCA method instead of the OpenSSL one. Everything is working perfectly now. Also the SSO.
Thanks nayr