MarkJames Posted July 1, 2016 (edited)

My home automation webpage is working well now but it polls ISY using the REST interface. I'd like to recode it using websockets.

I'll preface this by saying that I can get websockets working - thanks to the help of mWareman - if my site is hosted by the ISY. However I'd like to be able to host my page on a raspberry pi 3 running apache. The reason for this is that I would like my site accessible across the WAN with no VPN but I want access control such as I can get from a php login page or by setting users up with .htaccess. I've not found a way to control access to an ISY based web page without using the cloud module or a VPN. AFAIK the isy webserver doesn't support php (correct me if I'm wrong as tbh I haven't tried)

Mwareman was kind enough to backport his apache to my version and make changes to the virtualhosts.conf file which allowed him to subscribe from a server within the LAN but not on the ISY. However my application also uses the REST interface to turn lights on/off. That requires me using isyProxy.php (again, correct me if I'm wrong). With forward and reverse proxy setup in the virtualhosts.conf file and the rewrite rule that curls things through isyproxy.php I can't even load my page - it just stops - likely due to the rewrite rule.

Is there a documented way to both subscribe to ISY AND use the REST interface to control it from a non-ISY hosted page? Or a way to control the ISY other than by a method which requires isyproxy.php?

Thanks in advance,
mark

Edited July 1, 2016 by MarkJames

MWareman Posted July 1, 2016 (edited)

Hi Mark,

After our PMs, I've put an example on the Wiki at http://wiki.universal-devices.com/index.php?title=Apache_Reverse_Proxy

There is a name based virtual host config there that proxies everything except one path to the ISY, with the ability to host in that path anything (including a websocket emblazoned JavaScript page) - I have my test websocket page working successfully, served from Apache.

You would have to change the names, directories, paths etc to have this work for your own system.

I can certainly flip this as well - serve everything from Apache except the REST API (which would be proxied to the ISY). Authentication would be a challenge for this scenario though. Let me know if you're interested in the changes for this.

Michael.

Edited July 2, 2016 by MWareman

MarkJames (Author) Posted July 2, 2016

I'm very much interested. Today is Canada day up here in the great white North and I've had far too many beer to be doing any coding but I'll look into that tomorrow and see if I can make it work.

Many thanks,
Mark

MWareman Posted July 2, 2016

> I'm very much interested. Today is Canada day up here in the great white North and I've had far too many beer to be doing any coding but I'll look into that tomorrow and see if I can make it work. Many thanks, Mark

This is the example I put on the wiki (it proxies everything to ISY including the websocket subscription - except for the /custom path which is sent to the path /var/www/lights/custom for serving):

    <IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerAdmin webmaster@lights.domain.com
        ServerName lights.domain.com
        DocumentRoot /var/www/lights
        ProxyRequests Off
        ProxyPreserveHost On
        KeepAlive On
        KeepAliveTimeout 5000
        ProxyVia Off
        <Proxy *>
            AuthName "Authentication Required"
            AuthType Basic
            AuthUserFile /etc/htpasswd-isy
            AuthGroupFile /dev/null
            require valid-user
            Order deny,allow
            Allow from all
        </Proxy>
        RequestHeader set Authorization "Basic xxxxxxxxxxxxxxxxxxxx"
        ProxyPass /custom !
        ProxyPass "/rest/subscribe" "ws://192.168.1.2/rest/subscribe" retry=4
        ProxyPassReverse "/rest/subscribe" "ws://192.168.1.2/rest/subscribe" retry=4
        ProxyPass / http://192.168.1.2/
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        ErrorLog ${APACHE_LOG_DIR}/error.log
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/wc.domain.com.pem
        SSLCertificateKeyFile /etc/ssl/private/wc.domain.com.key
        SSLCertificateChainFile /etc/ssl/AlphaSSLchain.crt
    </VirtualHost>
    </IfModule>

This example will serve everything from /var/www/lights - EXCEPT for /rest (which will be proxied to the ISY and handle the websocket subscription):

    <IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerAdmin webmaster@lights.domain.com
        ServerName lights.domain.com
        DocumentRoot /var/www/lights
        ProxyRequests Off
        ProxyPreserveHost On
        KeepAlive On
        KeepAliveTimeout 5000
        ProxyVia Off
        <Proxy *>
            AuthName "Authentication Required"
            AuthType Basic
            AuthUserFile /etc/htpasswd-isy
            AuthGroupFile /dev/null
            require valid-user
            Order deny,allow
            Allow from all
        </Proxy>
        RequestHeader set Authorization "Basic xxxxxxxxxxxxxxxxxxxx"
        ProxyPass "/rest/subscribe" "ws://192.168.1.2/rest/subscribe" retry=4
        ProxyPassReverse "/rest/subscribe" "ws://192.168.1.2/rest/subscribe" retry=4
        ProxyPass /rest http://192.168.1.2/
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        ErrorLog ${APACHE_LOG_DIR}/error.log
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/wc.domain.com.pem
        SSLCertificateKeyFile /etc/ssl/private/wc.domain.com.key
        SSLCertificateChainFile /etc/ssl/AlphaSSLchain.crt
    </VirtualHost>
    </IfModule>

As mentioned in the wiki, this requires the mod_proxy_wstunnel and mod_proxy Apache modules. You'll need to customize the Authorization header to be correct for your ISY. You'll need to create a password file (/etc/htpasswd-isy), and you'll need to customize all paths and addresses to be appropriate for your setup.

Also, this is an SSL virtual. Change the port to 80, remove the SSL lines and remove the mod_ssl.c check....

Michael.

MarkJames (Author) Posted July 2, 2016

Thanks Michael. Company just left and I'm looking this over.

FYI - the wiki is empty - you may want to check that.

Is this the contents of virtualhost.conf or .htaccess? The authtype and require-valid-user fields make me think .htaccess but the servername and serveradmin looks like virtualhost.conf.

I'm gonna play with this first thing in the morning. I have a couple of questions though.

In the first example you say

> This is the example I put on the wiki (it proxies everything to ISY including the websocket subscription - except for the /custom path which is sent to the path /var/www/lights/custom for serving)

What is the purpose of the custom path? My entire site lives in /var/www/html. Do I need to break out the rest or socket portions into a different folder?

In the second example you say

> This example will serve everything from /var/www/lights - EXCEPT for /rest (which will be proxied to the ISY and handle the websocket subscription):

This sounds like the more appropriate option for me - but does it mean that I need to keep the rewrite rule and isyproxy?

Thanks so much for doing this - I'm sure many will benefit from this down the road.

mark

MWareman Posted July 2, 2016

These examples are virtual host configs. On the Wiki, there is a .htaccess file as well as both are needed for a complete solution.

The auth type and require are to authenticate access to the proxy - not the local content. It's important that both use the same auth source - otherwise it won't work.

In my case, I want everything to proxy to the ISY - so I have a single subpath that I don't want to proxy - that's why I have it that way in the first example. The second switches it around - only proxy the /rest subpath and serve everything else from the local Apache.

For your case, the second example is what you need. You'll still need the other elements as I describe on the Wiki though.

When you say the Wiki is blank, what page do you mean? I tried it again, and the examples are there.

Michael.

MWareman Posted July 2, 2016 (edited)

I've figured out the blank page - it was a typo in the link. Fixed now... sorry!

Also - I figured out an error in my second example.... use this one instead...

This will serve the whole virtual locally - EXCEPT the /rest, /USER and /WEB roots - which will be proxied. This allows UDajax and the default HAD to still work thru the virtual... while also allowing you to have a fully customized root site.

    <VirtualHost *:80>
        ServerAdmin webmaster@lights.domain.com
        ServerName lights.domain.com
        DocumentRoot /var/www/lights
        ProxyRequests Off
        ProxyPreserveHost On
        KeepAlive On
        KeepAliveTimeout 5000
        ProxyVia Off
        <Proxy *>
            AuthName "Authentication Required"
            AuthType Basic
            AuthUserFile /etc/htpasswd-isy
            AuthGroupFile /dev/null
            require valid-user
            Order deny,allow
            Allow from all
        </Proxy>
        RequestHeader set Authorization "Basic xxxxxxxxxxxxxxxxx"
        ProxyPass "/rest/subscribe" "ws://192.168.1.2/rest/subscribe" retry=4
        ProxyPassReverse "/rest/subscribe" "ws://192.168.1.2/rest/subscribe" retry=4
        ProxyPass /rest http://192.168.1.2/rest
        ProxyPass /WEB http://192.168.1.2/WEB
        ProxyPass /USER http://192.168.1.2/USER
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        ErrorLog ${APACHE_LOG_DIR}/error.log
    </VirtualHost>

I cannot comment on isyProxy - it may be that this is not needed at all once the Apache proxy is set correctly.

Michael.

Edited July 2, 2016 by MWareman

MWareman Posted July 2, 2016

I have completely flipped the example around - since I have realized that most people will want most content served from the local Apache - and only proxy specific functions to the ISY.

So - the example now publishes the whole site thru Apache - and only proxies the /rest, /WEB and /USER virtuals, to allow rest API to work (including websockets), UDajax and HAD also work fine.

This WILL NOT work for the admin console or Mobilinc - since they both perform SOAP subscriptions.

MarkJames (Author) Posted July 2, 2016

Just working on this now....

    pi@raspberrypi:~ $ dpkg -s apache2
    Package: apache2
    Status: install ok installed
    Priority: optional
    Section: httpd
    Installed-Size: 348
    Maintainer: Debian Apache Maintainers <debian-apache@lists.debian.org>
    Architecture: armhf
    Version: 2.4.10-10+deb8u4
    Replaces: apache2.2-common, libapache2-mod-macro (<< 1:2.4.6-1~)
    Provides: httpd, httpd-cgi

Looks like the Raspi3 installed 2.4.10 by default.

Looking in apache2.conf I see

    Apache needs to have the following modules enabled: mod_proxy_wstunnel mod_proxy#
    # Timeout: The number of seconds before receives and sends time out.
    #
    Timeout 300

I'm limping along here but I'm hoping that this means that mod_proxy_wstunnel and mod_proxy are both installed and enabled already?

I just purchased a certificate and am waiting for it but in the meantime I'm trying to sort out the next step in your instructions about

> You have a SSL virtualhost (lights.domain.com) that is going to serve as a proxy to your ISY (IP is 192.168.1.2) using HTTP

I'll do some googling to figure this out - I'm also not sure how to install the certificate that I get but that should be easily found on the web too.

baby steps....

MarkJames (Author) Posted July 2, 2016 (edited)

eek - ok - stymied before I even got past getting the certificate...

I went to get my certificate and got to this. I have no idea what to do with this and it says that if I get it wrong it can't be changed.... sorry for all the handholding needed

> Server Information
>
> You must have a valid "CSR" (Certificate Signing Request) to configure your SSL Certificate. The CSR is an encrypted piece of text that is generated by the web server where the SSL Certificate will be installed. If you do not already have a CSR, you must generate one or ask your web hosting provider to generate one for you. Also please ensure you enter the correct information as it cannot be changed after the SSL Certificate has been issued.
>
> Web Server Type: Please choose one... AOL, Apache +ModSSL, Apache-SSL (Ben-SSL, not Stronghold), C2Net Stronghold

and all these that are likely not relevant....

> Cobalt Raq, Covalent Server Software, cPanel / WHM, Ensim, H-Sphere, IBM HTTP Server, IBM Internet Connection Server, iPlanet, Java Web Server (Javasoft / Sun), Lotus Domino, Lotus Domino Go!, Microsoft IIS 1.x to 4.x, Microsoft IIS 5.x and later, Netscape Enterprise Server, Netscape FastTrack, Novell Web Server, Oracle, Plesk, Quid Pro Quo, R3 SSL Server, Raven SSL, RedHat Linux, SAP Web Application Server, Tomcat, Website Professional, WebStar 4.x and later, WebTen (from Tenon), Zeus Web Server, Other (not listed)
>
> CSR

here it asks for a csr. I imagine I have to generate that on my server but have no idea how.

Edited July 2, 2016 by MarkJames

MarkJames (Author) Posted July 2, 2016

I found instructions for installing the certificate -

1. Copy the Certificate files to your server. Download your Intermediate (DigiCertCA.crt) and Primary Certificate (your_domain_name.crt) files from your Customer Area, then copy them to the directory on your server where you will keep your certificate and key files. Make them readable by root only.

2. Find the Apache config file to edit. The location and name of the config file can vary from server to server - especially if you use a special interface to manage your server configuration. Apache's main configuration file is typically named httpd.conf or apache2.conf. Possible locations for this file include /etc/httpd/ or /etc/apache2/. For a comprehensive listing of default installation layouts for Apache HTTPD on various operating systems and distributions, see Httpd Wiki - DistrosDefaultLayout. Often, the SSL Certificate configuration is located in a <VirtualHost> block in a different configuration file. The configuration files may be under a directory like /etc/httpd/vhosts.d/, /etc/httpd/sites/, or in a file called httpd-ssl.conf. One way to locate the SSL Configuration on Linux distributions is to search using grep, as shown in the example below. Type the following command:

       grep -i -r "SSLCertificateFile" /etc/httpd/

   Where "/etc/httpd/" is the base directory for your Apache installation.

3. Identify the SSL <VirtualHost> block to configure. If you need your site to be accessible through both secure (https) and non-secure (http) connections, you will need a virtual host for each type of connection. Make a copy of the existing non-secure virtual host and configure it for SSL as described in step 4. If you only need your site to be accessed securely, configure the existing virtual host for SSL as described in step 4.

4. Configure the <VirtualHost> block for the SSL-enabled site. Below is a very simple example of a virtual host configured for SSL. The parts listed in bold are the parts that must be added for SSL configuration:

       <VirtualHost 192.168.0.1:443>
           DocumentRoot /var/www/html2
           ServerName www.yourdomain.com
           SSLEngine on
           SSLCertificateFile /path/to/your_domain_name.crt
           SSLCertificateKeyFile /path/to/your_private.key
           SSLCertificateChainFile /path/to/DigiCertCA.crt
       </VirtualHost>

   Adjust the file names to match your certificate files:

   - SSLCertificateFile should be your DigiCert certificate file (eg. your_domain_name.crt).
   - SSLCertificateKeyFile should be the key file generated when you created the CSR.
   - SSLCertificateChainFile should be the DigiCert intermediate certificate file (DigiCertCA.crt). If the SSLCertificateChainFile directive does not work, try using the SSLCACertificateFile directive instead.

5. Test your Apache config before restarting. It is always best to check your Apache config files for any errors before restarting, because Apache will not start again if your config files have syntax errors. Run the following command: (it is apache2ctl on some systems)

       apachectl configtest

6. Restart Apache. You can use apachectl commands to stop and start Apache with SSL support:

       apachectl stop
       apachectl start

   Note: If Apache does not start with SSL support, try using "apachectl startssl" instead of "apachectl start". If SSL support only loads with "apachectl startssl" we recommend you adjust the apache startup configuration to include SSL support in the regular "apachectl start" command. Otherwise your server may require that you manually restart Apache using "apachectl startssl" in the event of a server reboot. This usually involves removing the <IfDefine SSL> and </IfDefine> tags that enclose your SSL configuration.

MarkJames (Author) Posted July 2, 2016

I just noticed that I had a choice between a wildcard certificate and a standard one. The price difference was significant so I took a standard one. Was that a mistake? I note your example uses lights.domain.com so I suspect that a standard certificate would not work for just domain.com.

mark

MWareman Posted July 2, 2016 (edited)

I would get this working without the certificate first..... I've updated the examples to not depend on working SSL, as this only deflects from the primary mission here....

There are novels that could be written about SSL...

Edited July 2, 2016 by MWareman

MarkJames (Author) Posted July 2, 2016 (edited)

Ok - so I copied your virtualhost setup to my /etc/apache2/sites-available/000-default.conf file. I changed the ServerName and the IP's - hopefully those don't matter. Mine looks like this:

    <VirtualHost *:80>
        ServerName www.homeonthewater.com
        ServerAdmin webmaster@homeonthewater.com
        DocumentRoot /var/www/html
        ProxyRequests Off
        ProxyPreserveHost On
        KeepAlive On
        KeepAliveTimeout 5000
        ProxyVia Off
        <Proxy *>
            AuthName "Authentication Required"
            AuthType Basic
            AuthUserFile /etc/htpasswd-isy
            AuthGroupFile /dev/null
            require valid-user
            Order deny,allow
            Allow from all
        </Proxy>
        RequestHeader set Authorization "Basic xxxxxxxxxxxxxxxxxxxx"
        ProxyPass /custom !
        ProxyPass "/rest/subscribe" "ws://192.168.0.171/rest/subscribe" retry=4
        ProxyPassReverse "/rest/subscribe" "ws://192.168.0.171/rest/subscribe" retry=4
        ProxyPass / http://192.168.0.171/
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        ErrorLog ${APACHE_LOG_DIR}/error.log
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/wc.domain.com.pem
        SSLCertificateKeyFile /etc/ssl/private/wc.domain.com.key
        SSLCertificateChainFile /etc/ssl/AlphaSSLchain.crt
    </VirtualHost>
    # vim: syntax=apache ts=4 sw=4 sts=4 sr noet

I then made the changes to the .htaccess file, removing the rewrite rule so isyProxy.php isn't used. It looks like this

    AuthType Basic
    AuthName "Password Protected Area"
    AuthUserFile "/etc/htpasswd-isy"
    Require valid-user

After making the changes I reboot the RasPI.

My website will load from within my LAN but REST calls fail with ERR_CONNECTION_RESET

[edit] actually my website will NOT load from within my LAN - CONNECTION_RESET

From outside my LAN (my cell phone) I get ERR_CONNECTION_REFUSED

I've saved your socket test code from http://forum.universal-devices.com/topic/15248-problems-creating-a-websocket-connection/?p=150499 as socket.htm in both my root folder (/var/www/html) and also in a subfolder (/var/www/html/myapp). I cannot load either of these files from www.homeonthewater.com/socket.htm nor www.homeonthewater.com/myapp/socket.htm. Both return ERR_CONNECTION_RESET

Mark

Edited July 2, 2016 by MarkJames

mwester Posted July 2, 2016

> ... There are novels that could be written about SSL...

Except that novels tend to be more readable, and a lot shorter! SSL is more like "Finnegans Wake", IMO.

MWareman Posted July 2, 2016 (edited)

I really hate Tapatalk sometimes.... the quotes get really messed up!

> Ok - so I copied your virtualhost setup to my /etc/apache2/sites-available/000-default.conf file. I changed the ServerName and the IP's - hopefully those don't matter. Mine looks like this:
>
>     <VirtualHost *:80>
>         ServerName www.homeonthewater.com
>         ServerAdmin webmaster@homeonthewater.com
>         DocumentRoot /var/www/html
>         ProxyRequests Off
>         ProxyPreserveHost On
>         KeepAlive On
>         KeepAliveTimeout 5000
>         ProxyVia Off
>         <Proxy *>
>             AuthName "Authentication Required"
>             AuthType Basic
>             AuthUserFile /etc/htpasswd-isy
>             AuthGroupFile /dev/null
>             require valid-user
>             Order deny,allow
>             Allow from all
>         </Proxy>
>         RequestHeader set Authorization "Basic xxxxxxxxxxxxxxxxxxxx"
>         ProxyPass /custom !
>         ProxyPass "/rest/subscribe" "ws://192.168.0.171/rest/subscribe" retry=4
>         ProxyPassReverse "/rest/subscribe" "ws://192.168.0.171/rest/subscribe" retry=4
>         ProxyPass / http://192.168.0.171/
>         CustomLog ${APACHE_LOG_DIR}/access.log combined
>         ErrorLog ${APACHE_LOG_DIR}/error.log
>         SSLEngine on
>         SSLCertificateFile /etc/ssl/certs/wc.domain.com.pem
>         SSLCertificateKeyFile /etc/ssl/private/wc.domain.com.key
>         SSLCertificateChainFile /etc/ssl/AlphaSSLchain.crt
>     </VirtualHost>
>     # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
>
> I then made the changes to the .htaccess file, removing the rewrite rule so isyProxy.php isn't used. It looks like this
>
>     AuthType Basic
>     AuthName "Password Protected Area"
>     AuthUserFile "/etc/htpasswd-isy"
>     Require valid-user
>
> After making the changes I reboot the RasPI.
>
> My website will load from within my LAN but REST calls fail with ERR_CONNECTION_RESET
>
> [edit] actually my website will NOT load from within my LAN - CONNECTION_RESET
>
> From outside my LAN (my cell phone) I get ERR_CONNECTION_REFUSED
>
> I've saved your socket test code from http://forum.universal-devices.com/topic/15248-problems-creating-a-websocket-connection/?p=150499 as socket.htm in both my root folder (/var/www/html) and also in a subfolder (/var/www/html/myapp). I cannot load either of these files from www.homeonthewater.com/socket.htm nor www.homeonthewater.com/myapp/socket.htm. Both return ERR_CONNECTION_RESET
>
> Mark

OK - let's try a different one.... you used the one that proxies everything except one path. You need to use proxy nothing except the needed paths, as follows (for you):

    <VirtualHost *:80>
        ServerName www.homeonthewater.com
        ServerAdmin webmaster@homeonthewater.com
        DocumentRoot /var/www/html
        ProxyRequests Off
        ProxyPreserveHost On
        KeepAlive On
        KeepAliveTimeout 5000
        ProxyVia Off
        <Proxy *>
            AuthName "Authentication Required"
            AuthType Basic
            AuthUserFile /etc/htpasswd-isy
            AuthGroupFile /dev/null
            require valid-user
            Order deny,allow
            Allow from all
        </Proxy>
        RequestHeader set Authorization "Basic xxxxxxxxxxxxxxxxxxxx"
        ProxyPass "/rest/subscribe" "ws://192.168.0.171/rest/subscribe" retry=4
        ProxyPassReverse "/rest/subscribe" "ws://192.168.0.171/rest/subscribe" retry=4
        ProxyPass /rest http://192.168.0.171/rest
        ProxyPass /services http://192.168.0.171/services
        ProxyPass /WEB http://192.168.0.171/WEB
        ProxyPass /USER http://192.168.0.171/USER
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        ErrorLog ${APACHE_LOG_DIR}/error.log
    </VirtualHost>

You cannot change port 443 to port 80 without removing the SSL lines.

You don't appear to have fixed this line:

    RequestHeader set Authorization "Basic xxxxxxxxxxxxxxxxxxxx"

xxxxxxxxxxxxxxxxxxxx needs changing to the correct authorization header for your ISY! Otherwise - it won't be able to authenticate to your ISY. Be careful when reposting - you don't want to advertise your ISY's password!

Place the socket.htm in /var/www/html. Access it with www.homeonthewater.com/socket.html

Michael.

Edited July 2, 2016 by MWareman

MWareman Posted July 2, 2016

Also - have you created /etc/htpasswd-isy?

Use:

    htpasswd -c /etc/htpasswd-isy user

..then set the password to protect your site... (change 'user' to your desired username).

MWareman Posted July 2, 2016

Another thing to consider. If you are not using name based virtual hosts - please remove the 'Servername' line!

You are issuing a redirect from 'www.homeonthewater.com' to 'homeonthewater.com' - but the 'ServerName' function will cause this configuration to be ignored - because the hostname does not match. Removing the 'Servername' line will allow the virtual to be used for all hostnames...

Michael.

MarkJames (Author) Posted July 2, 2016 (edited)

Ok - /etc/apache2/sites-available/000-default.conf now reads like this

    <VirtualHost *:80>
        ServerName www.homeonthewater.com
        ServerAdmin webmaster@homeonthewater.com
        DocumentRoot /var/www/html
        ProxyRequests Off
        ProxyPreserveHost On
        KeepAlive On
        KeepAliveTimeout 5000
        ProxyVia Off
        <Proxy *>
            AuthName "Authentication Required"
            AuthType Basic
            AuthUserFile /etc/htpasswd-isy
            AuthGroupFile /dev/null
            require valid-user
            Order deny,allow
            Allow from all
        </Proxy>
        RequestHeader set Authorization "Basic xxxxxxxx"
        ProxyPass "/rest/subscribe" "ws://192.168.0.171/rest/subscribe" retry=4
        ProxyPassReverse "/rest/subscribe" "ws://192.168.0.171/rest/subscribe" retry=4
        ProxyPass /rest http://192.168.0.171/rest
        ProxyPass /services http://192.168.0.171/services
        ProxyPass /WEB http://192.168.0.171/WEB
        ProxyPass /USER http://192.168.0.171/USER
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        ErrorLog ${APACHE_LOG_DIR}/error.log
    </VirtualHost>

The actual file contains my password where the xxxxxxxx is

I also tried it without the servername directive - no difference

I rebooted the Raspi after each set of changes.

.htaccess looks like

    AuthType Basic
    AuthName "Password Protected Area"
    AuthUserFile "/etc/htpasswd-isy"
    Require valid-user

I had already created a user - contents of /etc/htpasswd-isy

    mark:$apr1$Hj3JPcuN$0jOuugXPPG7mrb3ND2CfF/

I don't even get as far as the authentication, though. All I get is connection reset

mark

Edited July 2, 2016 by MarkJames

MarkJames (Author) Posted July 2, 2016

In the RequestHeader - where you have 'Basic <password>' is 'Basic' in your case the user name? If not then where does the ISY Username fit into this?

mark

MarkJames (Author) Posted July 2, 2016 (edited)

Could it be that I don't have the necessary apache modules loaded?

I ran

    #sudo a2enmod proxy
    #sudo a2enmod proxy_wstunnel

and those services seemed to start - I rebooted and tried it again and got

    #sudo a2enmod proxy
    Module proxy already enabled
    #sudo a2enmod proxy_wstunnel
    Considering dependency proxy for proxy_wstunnel
    Module proxy already enabled
    Module proxy_wstunnel already enabled

Edited July 2, 2016 by MarkJames

MWareman Posted July 2, 2016

> In the RequestHeader - where you have 'Basic <password>' is 'Basic' in your case the user name? If not then where does the ISY Username fit into this? mark

The 'Authorization' string shouldn't be simply the ISY username OR password. It's needed in a standardized 'Authorization' format ("username:password" then base64 encoded).

See https://en.wikipedia.org/wiki/Basic_access_authentication

> Client side
>
> When the user agent wants to send the server authentication credentials it may use the Authorization field.
>
> The Authorization field is constructed as follows:
>
> 1. The username and password are combined with a single colon.
> 2. The resulting string is encoded using the RFC2045-MIME variant of Base64, except not limited to 76 char/line.
> 3. The authorization method and a space i.e. "Basic " is then put before the encoded string.
>
> For example, if the user agent uses Aladdin as the username and OpenSesame as the password then the field is formed as follows:
>
>     Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l

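The problems called out in the posts above (SSL lines left in a port-80 virtual host, the placeholder Authorization value, and the base64 "username:password" format) can be checked mechanically before restarting Apache. The script below is an added example, not code from the thread or the wiki; the finding names and the sample config are constructed for illustration. It goes slightly beyond the posts by also flagging Basic auth served without TLS (base64 is an encoding, not encryption) and a ProxyPass rule placed after a shorter prefix that would match first.

```python
import base64
import binascii
import re

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
AUTH_HDR_RE = re.compile(r'RequestHeader\s+set\s+Authorization\s+"Basic\s+([^"]*)"', re.I)
# Matches "ProxyPass <path> <target>"; exclusions ("ProxyPass /custom !") and
# ProxyPassReverse lines are deliberately not matched.
PROXYPASS_RE = re.compile(r'^\s*ProxyPass\s+"?(/[^\s"]*)"?\s+"?([^\s"!]+)', re.I | re.M)

# Constructed sample, shortened from the first port-80 attempt posted in the thread.
SAMPLE_BROKEN = """\
<VirtualHost *:80>
    DocumentRoot /var/www/html
    <Proxy *>
        AuthType Basic
        AuthUserFile /etc/htpasswd-isy
        require valid-user
    </Proxy>
    RequestHeader set Authorization "Basic xxxxxxxxxxxxxxxxxxxx"
    ProxyPass /custom !
    ProxyPass "/rest/subscribe" "ws://192.168.0.171/rest/subscribe" retry=4
    ProxyPass / http://192.168.0.171/
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/wc.domain.com.pem
</VirtualHost>
"""


def decode_basic(token):
    """Return (user, password) if token is base64 of 'user:password', else None."""
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep and user else None


def lint_vhosts(conf):
    """Return a sorted list of finding codes (names are this example's own)."""
    findings = set()
    for addr, body in VHOST_RE.findall(conf):
        port = addr.strip().rsplit(":", 1)[-1]
        ssl_lines = re.findall(r"^\s*(SSL\w+)\s", body, re.M)
        tls = port != "80" and re.search(r"^\s*SSLEngine\s+on\b", body, re.I | re.M)
        # "You cannot change port 443 to port 80 without removing the SSL lines."
        if port == "80" and ssl_lines:
            findings.add("ssl-directives-on-port-80")
        # Basic credentials are only base64 encoded; without TLS they cross
        # the network in recoverable form.
        if not tls and re.search(r"^\s*AuthType\s+Basic\b", body, re.I | re.M):
            findings.add("basic-auth-over-http")
        # Placeholder or malformed value injected toward the backend.
        for token in AUTH_HDR_RE.findall(body):
            if decode_basic(token) is None:
                findings.add("auth-header-not-user-pass")
        # ProxyPass rules are checked in order and the first match wins, so a
        # longer path listed after its own prefix is never reached.
        paths = [m[0] for m in PROXYPASS_RE.findall(body)]
        for i, path in enumerate(paths):
            if any(path != q and path.startswith(q.rstrip("/") + "/") for q in paths[:i]):
                findings.add("proxypass-shadowed")
    return sorted(findings)


if __name__ == "__main__":
    # Only finding codes are printed; decoded credentials are never echoed.
    for code in lint_vhosts(SAMPLE_BROKEN):
        print(code)
```
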
MWareman Posted July 2, 2016 (edited)

Make sure you've removed the 'ServerName' line! I believe you're not doing name based virtual servers - and this may be messing things up.

> In the RequestHeader - where you have 'Basic <password>' is 'Basic' in your case the user name? If not then where does the ISY Username fit into this? mark

Apache is doing 'pre-auth' - separately authenticating you. This allows you to use a separate credential for your published site. However, in order to present the correct credential to the ISY - ISY's username and password are needed. That's what the header insertion is doing for you.

Michael.

Edited July 2, 2016 by MWareman

MarkJames (Author) Posted July 2, 2016

Still plugging away - sorry for the hassle but still no love.

Here's /etc/apache2/sites-available/000-default.conf

For the sake of debugging I made the user admin and the password isypass. I'll change it back after I get this working. I encoded it here https://webnet77.net/cgi-bin/helpers/base-64.pl

    <VirtualHost *:80>
        ServerAdmin webmaster@homeonthewater.com
        DocumentRoot /var/www/html
        ProxyRequests Off
        ProxyPreserveHost On
        KeepAlive On
        KeepAliveTimeout 5000
        ProxyVia Off
        <Proxy *>
            AuthName "Authentication Required"
            AuthType Basic
            AuthUserFile /etc/htpasswd-isy
            AuthGroupFile /dev/null
            require valid-user
            Order deny,allow
            Allow from all
        </Proxy>
        RequestHeader set Authorization "Basic YWRtaW46aXN5cGFzcw=="
        ProxyPass "/rest/subscribe" "ws://192.168.0.171/rest/subscribe" retry=4
        ProxyPassReverse "/rest/subscribe" "ws://192.168.0.171/rest/subscribe" retry=4
        ProxyPass /rest http://192.168.0.171/rest
        ProxyPass /services http://192.168.0.171/services
        ProxyPass /WEB http://192.168.0.171/WEB
        ProxyPass /USER http://192.168.0.171/USER
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        ErrorLog ${APACHE_LOG_DIR}/error.log
    </VirtualHost>

Still just connection reset.....

mark

MWareman Posted July 2, 2016

If you're getting 'Connection Reset' to which URL?

As an FYI - if the authorization line isn't correct - you will get double prompted for credentials. Since this isn't happening here - this isn't the (immediate) problem.

If it's one that doesn't match the ProxyPass lines - it probably means there is a syntax error and Apache isn't listening on the port. Anything in the error files? What happens if you restart Apache - any errors?

Michael.