Everything posted by MarkJames
-
You're the guy who understands this stuff! I'm the guy who follows along and hopes things will work out. I'll do my job - you do yours. I'll wait to see what you come up with and be the 'patient zero' (or near zero) tester. Thanks! mark
-
I'm inclined to go SSL if for nothing but the 'geek' quotient. You have to bear in mind that I *did* give you the password to get past .htaccess, though. At the moment each of my family members has one but the general public doesn't. While a cleartext password like .htaccess uses is easily susceptible to a man-in-the-middle or other attack it's probably plenty secure for my purposes. I could also go PHP with an encrypted password stored outside the web structure to start a session and be reasonably secure.... I'll wait and see what you post in this regard. I'll likely go along - at least for a year - to see how it works. IFTTT looks like it could be cool, too. mark
-
Thanks for your ongoing embellishment on this, Mike. Can you elaborate a bit on this for me? And if this is OT then we can do this in PM instead. Having gone through my life with 'security through obscurity' for these many years I'm not sure what to do here. What would need to change so far as my Apache webserver if I choose to go with SSL? I assume I'd need to change the port from 80 to 443. Would there need to be changes to httpd.conf? Would it be possible to have both a secure and non-secure route to the website? Would I need to buy a certificate and if so would it be a standard certificate or a wildcard one? Bearing in mind that my site is a single page and wouldn't lend itself to separating out into a secure/non secure area. The cost at Garrison of a standard certificate was $15 a year - $45 for wildcard. It's not a big expenditure but it bears thinking about. What would be the benefit over, say, a PHP or .htaccess login? Other than the plaintext transmission of the password which, though serious for e-commerce, doesn't really concern me much for my own uses. Sorry for the noob questions but .... I'm a noob mark
-
That's exactly what I'm doing at the moment. I think that in the next week or so it should be where I'm content with it. If you're still looking for a solution I can link you to what I've done and if you want to use it you're welcome to the source. I'm not a programmer either but used to be - it's not too hard. The code I've written is simple enough to change - just change the addresses of the nodes, the names of the devices, and the id's of the web elements and it takes care of itself. mark
-
Does ISY show a message in the admin console event viewer when your dsc alarm changes? Those messages all seem to go via the infostring element to the websocket interface. So far as I can tell all node changes go to the websocket interface. There's documentation for it in the UDI developer area here https://www.universal-devices.com/isy-developers/ mark
-
I noticed that when a websocket is first established it dumps all the device statuses. This is a great feature as it eliminates the need - in a custom application - to poll all device statuses at startup. Is there a way to force a dump of all variable values as well? Elk statuses would be great to get on startup too. mark PS - I LOVE the websocket interface. Thanks for the great work on it!
-
Sounds good generating the base64 in-house. All I had in mind was that it be mentioned in the wiki what information was requested in the authentication directive - it's not intuitively obvious (at least it wasn't for me). I did notice that there was a data dump at first - there was also an undefined element that was problematic at first - I dealt with that with just a try{}. At the moment I don't update my devices singly - I update every one of the devices, programs, and variables that I track. Ultimately I'll probably change it but so far it all happens so quickly that it's on the back burner. Because of this I had to ignore the initial dump. Here's the code I've been using so far.

    var parseDisabled = true; // don't parse for the first 2 seconds

    $(document).ready(function() {
        setTimeout(function() {
            parseDisabled = false;
        }, 2000);

        var urlvalue;
        var socket;
        var ws_host;
        var isy_host = window.location.host;
        var x = location.protocol;
        // use wss:// when the page itself was loaded over https
        if (x == "https:") {
            ws_host = "wss://" + isy_host;
        } else {
            ws_host = "ws://" + isy_host;
        }
        urlvalue = ws_host + "/rest/subscribe";
        socket = new WebSocket(urlvalue, "ISYSUB");
        socket.addEventListener("message", function(event) {
            isyParse(event.data);
        });
        // . . . rest of the document.ready function
    });

    // then this is the beginning of my parse routine to determine what kind of message it is and how to deal with it.
    // There are a lot of messages and I'm only just beginning
    // so far it just looks for "ST" and triggers an update of all the elements on my page as a proof of concept.
    // the parseDisabled variable is just a 2 second delay from initial page load so I don't do an updateStatusAll() on every single one of the items
    // in the initial dump
    // Once the update routine does individual elements I'll be able to ditch that
    function isyParse(data) {
        if (parseDisabled) {
            return;
        }
        var parser = new DOMParser();
        data = parser.parseFromString(data, "text/xml");
        try {
            var elementID = data.getElementsByTagName("control")[0];
            var nodeID = data.getElementsByTagName("node")[0];
            var status = data.getElementsByTagName("action")[0];
            if (elementID.childNodes[0].nodeValue == "ST") {
                var node = nodeID.childNodes[0].nodeValue;
                var action = status.childNodes[0].nodeValue;
                updateStatusAll(); // this is the routine that updates all my colors, icons, and text
                console.log(node + " turned " + (action == 0 ? "off" : "on"));
            }
        } catch (exc) {
            // a message with an undefined element ends up here and is skipped
        }
    }
-
Great stuff. I already have my socket connected and the listener is updating my device statuses in real time. This is very cool. I'm just going to go through the wiki to find what all the actions, eventinfo, nodes, etc. are in the string that comes from the subscription. Oh - you may want to add a line about the userid:password needing to be base64 encoded in the wiki entry. There are numerous online sites to do the encoding. Once again - thanks Michael - your expertise and willingness to share it is very much appreciated. mark
-
Thanks! As you're putting it in the wiki I won't rewrite what you're already doing. I'll add the following comments, though. On the Raspberry Pi 3 the virtual hosts file is located at /etc/apache2/sites-available/000-default.conf - be sure to back this up before changing it. There are a few modules that need to be enabled

    #sudo a2enmod authz_groupfile
    #sudo a2enmod proxy_http
    #sudo a2enmod proxy_html
    sudo a2enmod headers

Better go hang out with my wife for a bit - she's giving me the evil eye. Thanks so much! I'm excited - I just have to find some documentation on the xml that's getting passed from the subscription now. mark

Don't forget the a2enmod on the authz_groupfile and the
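Both failures reported in this thread, "Invalid command 'AuthGroupFile'" from configtest and AH01144 "No protocol handler was valid", are what Apache 2.4 reports when a directive or a backend scheme needs a module that is not enabled. The script below is an added example, not code from the thread: it maps the directives in a vhost file to the modules that provide them and lists the missing ones. The function names, the abridged sample config and the assumed enabled-module list are constructed for illustration.

```shell
# Added example (not from the thread): list the Apache 2.4 modules a vhost
# file depends on and report those absent from a list of enabled modules.
required_modules() {    # FILE -> module names, one per line, sorted
    awk '
        /^[ \t]*#/ { next }    # skip comment lines
        {
            d = tolower($1); line = tolower($0)
            if (d == "authtype" && line ~ /basic/)     print "auth_basic"
            if (d == "authuserfile")                   print "authn_file"
            if (d == "authgroupfile")                  print "authz_groupfile"
            if (d == "require" && line ~ /valid-user/) print "authz_user"
            if (d == "order" || d == "allow" || d == "deny") print "access_compat"
            if (d == "requestheader")                  print "headers"
            if (d == "proxypass" || d == "proxypassreverse") {
                print "proxy"
                if (line ~ /wss?:\/\//)   print "proxy_wstunnel"
                if (line ~ /https?:\/\//) print "proxy_http"
            }
        }
    ' "$1" | LC_ALL=C sort -u
}

missing_modules() {     # FILE "enabled list" -> required but not enabled
    for m in $(required_modules "$1"); do
        case " $2 " in
            *" $m "*) ;;
            *) echo "$m" ;;
        esac
    done
}

# Constructed sample: abridged from the vhost posted in this thread.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
<VirtualHost *:80>
    <Proxy *>
        AuthType Basic
        AuthUserFile /etc/htpasswd-isy
        AuthGroupFile /dev/null
        require valid-user
    </Proxy>
    RequestHeader set Authorization "Basic xxxxxxxxxxxx"
    ProxyPass "/rest/subscribe" "ws://192.168.0.171/rest/subscribe" retry=4
    ProxyPass "/rest" "http://192.168.0.171/rest"
</VirtualHost>
EOF
# Assumed enabled set; on Debian the real one is /etc/apache2/mods-enabled/*.load
ENABLED="auth_basic authn_file authz_user proxy proxy_wstunnel"
missing_modules "$SAMPLE" "$ENABLED"
```

Each name it prints is a module to enable with a2enmod before restarting Apache.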
-
I'm an idiot. My son (Jordan) had put some stuff in there and I took it out for debugging. I took out the js folder by mistake. Your last changes.... . . . . . . . . WORKED!!!!!! Thank you ever so much! I'm going to compile the process into a separate thread for those who may follow. Thanks, Michael - I would NEVER have gotten this working without your help! mark
-
With the new Proxypass settings I can't load the javascript files from the .js folder anymore
-
Yes - that's all correct. The error log reads as follows

    [sat Jul 02 14:57:49.343951 2016] [proxy:warn] [pid 646] [client 192.168.0.1:53965] AH01144: No protocol handler was valid for the URL /rest/elk/get/status. If you are using a DSO version of mod_proxy, make $
    [sat Jul 02 14:57:49.351229 2016] [proxy:warn] [pid 640] [client 192.168.0.1:53970] AH01144: No protocol handler was valid for the URL /rest/elk/get/status. If you are using a DSO version of mod_proxy, make $
    [sat Jul 02 14:57:52.322729 2016] [proxy:warn] [pid 645] [client 192.168.0.1:53971] AH01144: No protocol handler was valid for the URL /rest/elk/get/status. If you are using a DSO version of mod_proxy, make $
    [sat Jul 02 14:57:52.331430 2016] [proxy:warn] [pid 642] [client 192.168.0.1:53972] AH01144: No protocol handler was valid for the URL /rest/elk/get/status. If you are using a DSO version of mod_proxy, make $
    [sat Jul 02 14:57:52.566785 2016] [proxy:warn] [pid 646] [client 192.168.0.1:57505] AH01144: No protocol handler was valid for the URL /rest/status/7 2F 2F 1. If you are using a DSO version of mod_proxy,

and so on...
-
I tried putting the rewrite rule back into .htaccess but that didn't help either.
-
    <VirtualHost *:80>
        ServerAdmin webmaster@homeonthewater.com
        DocumentRoot /var/www/html
        ProxyRequests Off
        ProxyPreserveHost On
        KeepAlive On
        KeepAliveTimeout 5000
        ProxyVia Off
        <Proxy *>
            AuthName "Authentication Required"
            AuthType Basic
            AuthUserFile /etc/htpasswd-isy
            AuthGroupFile /dev/null
            require valid-user
            Order deny,allow
            Allow from all
        </Proxy>
        RequestHeader set Authorization "Basic xxxxxxxxxxxx"
        ProxyPass "/rest/subscribe" "ws://192.168.0.171/rest/subscribe" retry=4
        ProxyPassReverse "/rest/subscribe" "ws://192.168.0.171/rest/subscribe" retry=4
        ProxyPass "/rest" "http://192.168.0.171/rest"
        ProxyPass "/services" "http://192.168.0.171/services"
        ProxyPass "/WEB" "http://192.168.0.171/WEB"
        ProxyPass "/USER" "http://192.168.0.171/USER"
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        ErrorLog ${APACHE_LOG_DIR}/error.log
    </VirtualHost>

Still not working though - still internal server error 500

    Jul 2 14:11:07 raspberrypi systemd[1]: Starting LSB: Apache2 web server...
    Jul 2 14:11:07 raspberrypi apache2[3311]: Starting web server: apache2AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directiv$
    Jul 2 14:11:08 raspberrypi apache2[3311]: .

I don't think that matters, though. Apache starts fine - the only message in syslog is about the fqdn asking me to put ServerName directive in - but I don't think that matters. I
-
    <VirtualHost *:80>
        ServerAdmin webmaster@homeonthewater.com
        DocumentRoot /var/www/html
        ProxyRequests Off
        ProxyPreserveHost On
        KeepAlive On
        KeepAliveTimeout 5000
        ProxyVia Off
        <Proxy *>
            AuthName "Authentication Required"
            AuthType Basic
            AuthUserFile /etc/htpasswd-isy
            AuthGroupFile /dev/null
            require valid-user
            Order deny,allow
            Allow from all
        </Proxy>
        RequestHeader set Authorization "Basic xxxxxxxxxxxxxxxxx"
        ProxyPass "/rest/subscribe" "ws://192.168.0.171/rest/subscribe" retry=4
        ProxyPassReverse "/rest/subscribe" "ws://192.168.0.171/rest/subscribe" retry=4
        ProxyPass /rest http://192.168.0.171/rest
        ProxyPass /services http://192.168.0.171/services
        ProxyPass /WEB http://192.168.0.171/WEB
        ProxyPass /USER http://192.168.0.171/USER
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        ErrorLog ${APACHE_LOG_DIR}/error.log
    </VirtualHost>
-
That link does not work - lol - I just realized that you can see that too. The user/pass is currently mark:mark
mark

http://homeonthewater.com/socket.htm - is, indeed, working!
-
I think I needed headers and authz_groupfile enabled - which I did now. Restarting apache now succeeds! Getting closer... Socket now CONNECTS! woo hoo! I owe you a bottle of single malt! REST interface calls do not work - http://homeonthewater.com/rest/vars/get/1/45

    Failed to load resource: the server responded with a status of 500 (Internal Server Error)

mark
-
whoa - ok - it loads now...
-
    pi@raspberrypi:/var/log $ sudo a2enmod headers
    Enabling module headers.
    To activate the new configuration, you need to run:
      service apache2 restart
    pi@raspberrypi:/var/log $ systemctl status apache2.service
    ● apache2.service - LSB: Apache2 web server
       Loaded: loaded (/etc/init.d/apache2)
       Active: failed (Result: exit-code) since Sat 2016-07-02 13:35:50 PDT; 3min 23s ago
      Process: 1913 ExecStop=/etc/init.d/apache2 stop (code=exited, status=0/SUCCESS)
      Process: 2152 ExecStart=/etc/init.d/apache2 start (code=exited, status=1/FAILURE)
    pi@raspberrypi:/var/log $
-
    #sudo a2enmod authz_groupfile
    Considering dependency authz_core for authz_groupfile:
    Module authz_core already enabled
    Enabling module authz_groupfile.
    To activate the new configuration, you need to run:
      service apache2 restart
    pi@raspberrypi:/var/log $ sudo service apache2 restart
    Job for apache2.service failed. See 'systemctl status apache2.service' and 'journalctl -xn' for details.
    pi@raspberrypi:/var/log $ #systemctl status apache2.service
    ● apache2.service - LSB: Apache2 web server
       Loaded: loaded (/etc/init.d/apache2)
       Active: failed (Result: exit-code) since Sat 2016-07-02 13:35:50 PDT; 8s ago
      Process: 1913 ExecStop=/etc/init.d/apache2 stop (code=exited, status=0/SUCCESS)
      Process: 2152 ExecStart=/etc/init.d/apache2 start (code=exited, status=1/FAILURE)
-
    #apachectl configtest
    AH00526: Syntax error on line 14 of /etc/apache2/sites-enabled/000-default.conf:
    Invalid command 'AuthGroupFile', perhaps misspelled or defined by a module not included in the server configuration
    Action 'configtest' failed.
    The Apache error log may have more information.

syslog shows the same error information
-
FYI - If I put the backup of 000-default.conf back the .htaccess works properly and my site loads.
-
This was my original

    <VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
    </VirtualHost>

    # vim: syntax=apache ts=4 sw=4 sts=4 sr noet

I edited my previous post but I'll repost it here

#sudo service apache2 restart gives me an error

    Job for apache2.service failed. See 'systemctl status apache2.service' and 'journalctl -xn' for details

#systemctl status apache2.service gives me

    apache2.service - LSB: Apache2 web server
       Loaded: loaded (/etc/init.d/apache2)
       Active: failed (Result: exit-code) since Sat 2016-07-02 13:13:01 PDT; 1min 28s ago
      Process: 1390 ExecStart=/etc/init.d/apache2 start (code=exited, status=1/FAILURE)
-
I get connection reset even on local access. The Raspi is 192.168.0.233 - If I browse to that I get connection reset - diagnostics show connection refused. The difference between homeonthewater.com and www.homeonthewater.com was a leftover dns url forward from when I moved the site from my ReadyNAS to the Raspi. I've deleted it now but it will take a while for the global DNS cache to update. None of the logs in /var/log/apache2 have a timestamp later than 6:25 am today

#sudo service apache2 restart gives me an error

    Job for apache2.service failed. See 'systemctl status apache2.service' and 'journalctl -xn' for details

#systemctl status apache2.service gives me

    apache2.service - LSB: Apache2 web server
       Loaded: loaded (/etc/init.d/apache2)
       Active: failed (Result: exit-code) since Sat 2016-07-02 13:13:01 PDT; 1min 28s ago
      Process: 1390 ExecStart=/etc/init.d/apache2 start (code=exited, status=1/FAILURE)
-
Still plugging away - sorry for the hassle but still no love. Here's /etc/apache2/sites-available/000-default.conf

For the sake of debugging I made the user admin and the password isypass. I'll change it back after I get this working. I encoded it here https://webnet77.net/cgi-bin/helpers/base-64.pl

    <VirtualHost *:80>
        ServerAdmin webmaster@homeonthewater.com
        DocumentRoot /var/www/html
        ProxyRequests Off
        ProxyPreserveHost On
        KeepAlive On
        KeepAliveTimeout 5000
        ProxyVia Off
        <Proxy *>
            AuthName "Authentication Required"
            AuthType Basic
            AuthUserFile /etc/htpasswd-isy
            AuthGroupFile /dev/null
            require valid-user
            Order deny,allow
            Allow from all
        </Proxy>
        RequestHeader set Authorization "Basic YWRtaW46aXN5cGFzcw=="
        ProxyPass "/rest/subscribe" "ws://192.168.0.171/rest/subscribe" retry=4
        ProxyPassReverse "/rest/subscribe" "ws://192.168.0.171/rest/subscribe" retry=4
        ProxyPass /rest http://192.168.0.171/rest
        ProxyPass /services http://192.168.0.171/services
        ProxyPass /WEB http://192.168.0.171/WEB
        ProxyPass /USER http://192.168.0.171/USER
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        ErrorLog ${APACHE_LOG_DIR}/error.log
    </VirtualHost>

Still just connection reset..... mark
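The Authorization value in the config above is base64 of "user:password", so it can be produced on the Pi itself, read back from a config, and masked before a config is shared. The script below is an added example, not code from the thread; the function names are hypothetical and the sample reuses the debug login stated in the post.

```shell
# Added example (not from the thread): handle the proxy's Basic value locally.

basic_value() {         # USER PASS -> base64("USER:PASS"), no online encoder
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

embedded_users() {      # FILE -> user part of each hard-coded Basic value
    awk 'tolower($1) == "requestheader" && tolower($3) == "authorization" &&
         $4 == "\"Basic" { gsub(/"/, "", $5); print $5 }' "$1" |
    while read -r b64; do
        # base64 is an encoding, so decoding needs no key; password not printed
        printf '%s' "$b64" | base64 -d | cut -d: -f1
    done
}

redact_vhost() {        # FILE -> same text with the Basic value masked
    sed 's/\(Authorization  *"Basic \)[^"]*"/\1REDACTED"/' "$1"
}

# Sample built from the directive in the post above (its stated debug login).
SAMPLE_VHOST=$(mktemp)
cat > "$SAMPLE_VHOST" <<'EOF'
<VirtualHost *:80>
    RequestHeader set Authorization "Basic YWRtaW46aXN5cGFzcw=="
    ProxyPass /rest http://192.168.0.171/rest
</VirtualHost>
EOF

basic_value admin isypass; echo     # value for the RequestHeader line
embedded_users "$SAMPLE_VHOST"      # which account the proxy logs in as
redact_vhost "$SAMPLE_VHOST"        # copy that is safe to paste into a post
```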