[FEATURE REQUEST] Use my own reverse proxy for remote access


Guest niko34

Fibaro proxy for remote access does not always work well. I'm obviously not the only one. I configured my own reverse proxy at home with a secure connection. I can access my house HC2 from WAN with a secure HTTPS connection on a specific port. My ISP changes my WAN IP from time to time. So, I also created a noip domain.

From a browser, I can now access my HC2 from outside my home using this kind of https URL: https://[my domain]:[port number]

My problem is about the iOS Fibaro app. If I set this URL in the IP field, it does not change anything. The app will use the Fibaro remote access and will ignore my URL.

Could you make a change to the mobile app: when a user configures a URL to access his HC2 (not an IP), use this URL instead of using the Fibaro remote access? (maybe a second field?)

You would make a lot of users very happy ;)

Link to comment
Share on other sites

The app does not support https; try with http.

That works for me.

Link to comment
Share on other sites

Guest JBs
    +1

    I asked for HTTPS support in addition to HTTP in the event of publishing the HC2 in a more secured way.

    [link hidden by the forum]

    So far nothing...

    Link to comment
    Share on other sites

    Guest niko34
    @sve http is not secure. You send your login and password over the internet without encryption. Anyone on the same public network will be able to catch this information. This is why I would like to see https support in the mobile app.

    @JBs

    I wonder if supporting https within the mobile app will force Fibaro to support https in the HC2. Using a reverse proxy, it works this way: mobile app ---- HTTPS ------ reverse proxy ------ HTTP ---- HC2 box. The reverse proxy and the HC2 are on the same network (at home behind a firewall). I'm not sure at all about what Fibaro would need to change in order to support that...

    Overall, if the HC2 really does not support https, how do they secure the connection between the Fibaro proxy and our HC2s..... Really curious about an official answer!

    Link to comment
    Share on other sites

    I agree with you; however I don't want to use fibaro remote. So the only option I have is to use a non-SSL connection and change my password every so many days...

    I hope that Fibaro builds in SSL support in the near future.

    Link to comment
    Share on other sites

    I would expect Fibaro to do nothing if you add a very small bit of code on the server that handles the https connection.

    Link to comment
    Share on other sites

    Ditch HTTPS reverse proxy and use VPN. Mikrotik routers or routers flashed with dd-wrt (e.g. some D-Link or Netgear or Linksys models) or some routers such as Cisco RV042, RV220W etc. support PPTP (not very secure but well-supported natively on both Android and iOS) or OpenVPN (you can find 3rd-party clients for Android and iOS).

    OR if you have a NAS such as Synology DiskStation, you can run PPTP or OpenVPN server on that, too.

    Link to comment
    Share on other sites

    Guest Lode
    I do have a Synology and installed the VPN server package but from there I don't know what to do.

    If somebody could explain it to me step by step I would be very happy and thankful.....

    Link to comment
    Share on other sites

    Guest JBs
    Having to establish a VPN session just to access your box's GUI is a hassle....

    Especially considering not all the connections are unfiltered and allow PPTP connections.

    Link to comment
    Share on other sites

    Guest niko34
    I have a dd-wrt at home and it would be easy to set up a VPN. But I think I will have to enable the VPN on my phone each time I need to launch the Fibaro mobile app and then disable the VPN if I want to use any other app? If this is the way it works, it is not a user-friendly solution.

    Link to comment
    Share on other sites

    There's one exception to having to enable VPN all the time, which is using OpenVPN. The OpenVPN app will automatically connect when disconnected. Major drawback is that it will draw a lot of power from your battery.

    I'm interested in this reverse proxy configuration. Can you tell me what that basically does? I'm trying to find out if that's something I can use in combination with the GeoFancy app. I use VPN now, which is working fine for me for using Fibaro remotely, even despite the fact that I have to enable VPN when I want to use it (beats all other non-secure options like port forwarding, and remote access through a third party (which will always be able to man in the middle you)). Geofancy will not work however, if there's no http or https connection possible without VPN.

    Link to comment
    Share on other sites

    Guest niko34
    The reverse proxy I've configured lets me use an https connection to access my HC2 when I'm not at home.

    As I said, it works only with a browser because of the Fibaro mobile app limitations.

    This proxy is installed on a Raspberry on my home network. I use nginx software. It is a webserver that can act as a reverse proxy. It is configured to accept only https connections on a specific port and forward all the requests to the HC2 using http. Http will only be used inside your own network, so it is secured. My router is configured with a NAT port forward. I also use noip (dyndns like) to use a domain instead of my modem IP.

    So, let's say I use my browser when I'm outside my home.

    1. I type the following URL in my browser: [link hidden by the forum]

    2. My router at home gets this request. The NAT configuration tells it to forward the requests for port 1600 to my Raspberry.

    3. Nginx gets the https request on port 1600 and forwards it to my HC2. It can forward the request to a completely different URL (http or https).

    4. The HC2 receives the request: [link hidden by the forum] [my hc2 ip]/...

    You can find information about nginx reverse proxy configuration here: [link hidden by the forum]

    Hope this helps you

    Link to comment
    Share on other sites
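
The setup described in the post above, sketched as an nginx server block. This is an added example, not niko34's actual configuration (the thread does not show it); the host name, certificate paths and the HC2 address 192.168.1.50 are placeholders, and only port 1600 comes from the post.

```nginx
# Added example: TLS-terminating reverse proxy in front of an HC2.
# Placeholders (assumptions, not from the thread): home.example.net,
# the certificate paths, and 192.168.1.50 as the HC2's LAN address.
server {
    # Port 1600 is the port the router forwards to the Raspberry
    # (step 2 of the post). "ssl" makes this listener TLS-only.
    listen 1600 ssl;
    server_name home.example.net;

    ssl_certificate     /etc/nginx/tls/home.example.net.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/home.example.net.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # nginx flags plain HTTP sent to a TLS port with its internal
    # status 497. Answer with a redirect to https instead of the
    # default error page, so a mistyped http:// URL ends up on TLS.
    error_page 497 =301 https://$host:$server_port$request_uri;

    location / {
        # The only unencrypted hop: LAN traffic from the proxy to the HC2.
        proxy_pass http://192.168.1.50;
        proxy_http_version 1.1;

        # Pass the original host and client details to the backend.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Run `nginx -t` to validate the file before reloading. The router should forward only port 1600 to the Raspberry, with no forward to the HC2's own HTTP port, so the login never crosses the WAN unencrypted.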

    Great, thanks a lot!

    I thought about OpenVPN again, but I wonder if the OpenVPN app will keep the connection alive when the device is in standby, which it probably doesn't. When I unlock my phone, the connection is re-established, not sure if that's also the case when some app wants to connect to some Internet address.

    Meanwhile, this does not solve your problem ofc. Maybe you can proxy your Fibaro connection with something like this: [link hidden by the forum]? I haven't got any experience with that, and it looks like it's a per-wifi-connection based solution, but came across the web page and thought I'd mention it anyway.

    Link to comment
    Share on other sites

    Guest niko34
    The proxy conf on iOS could be a solution. I read the website you gave me and tried to play with my phone to see what I can do with it. It seems, like you said, a per-wifi setting... Too bad, it could have been a solution if I could have set this for all connections...

    I'm currently starting the development of my own native iOS app to access my HC2... A very simple one, but it can use https through my Raspberry. It's a long way before having something that works with complete features but let's see where I will go with that. Maybe I won't finish this little project... But I guess there is something to do with mobile clients for Fibaro for someone who has the time to work on it.

    Maybe we'll see the guys from imperihome do something for the Fibaro box. They say they are working on an iOS version of their app...

    Link to comment
    Share on other sites

    • 4 months later...

    Old post, but in regards to a remote setup. I have used a remote proxy in conjunction with a free Cloudflare setup. You can get a free SSL cert. So it will be SSL up to your doorstep but http inside. (Or SSL too, if you use the reverse proxy correctly.) This way I can even mask the IP since it's behind Cloudflare.

    My apache config:

    <VirtualHost *:443>
    RequestHeader set X-Forwarded-Proto "https"
    ServerName fibaro.yourdomain.nl
    SSLEngine on
    ErrorDocument 403 "/webdefault/error.html"
    ErrorDocument 404 "/webdefault/error.html"
    ErrorDocument 500 "/webdefault/error.html"
    #Only required if you don't have it on already
    #SSLEngine on
    #Only required if you redirect from ssl
    #SSLProxyEngine on
    ProxyPreserveHost On
    ProxyPass  / [link hidden by the forum]
    ProxyPassReverse    / [link hidden by the forum]
    </VirtualHost>

    But I've noticed that in the end a VPN connection is still faster.. so I need to make a VPN server which uses certificates because only then can you use VPN on demand in things like OpenVPN server. But you need to make a profile with the iOS toolset for your iPhone .. nasty stuff.

    Link to comment
    Share on other sites

    It isn't that hard. You can almost use the standard config that will be created by the OpenVPN software, the only thing you have to change is to add the keys in the file (standard is a file location).

    Link to comment
    Share on other sites

    • 2 years later...

    Hi are you still using nginx for remote access? I have been trying to configure it because since 4.140 the direct connectivity to my HC2 (via NAT) goes in timeout (I have only an ADSL line) due to some heavy css script, as explained here

    So my idea is placing the raspberry-pi with nginx where I have a better connectivity (and a VPN to the home with ADSL) and configure caching in nginx. But all the attempts I have made to cache the css files have failed..

     

    So I was wondering if you have found a solution, by using nginx.

     

    Thanks

    Riccardo

    Link to comment
    Share on other sites

    Hi, I agree with the topic-starter

    Android and iOS apps should be able to connect HC* ip directly as option.

    I prefer my HC* login details remain on my side only and not on fibaro servers.

    Currently the mobile app connects fibaro proxy, which uses forwarder by HC* TCP port to connect.

    Link to comment
    Share on other sites
