We need native HTTPS support!
I can agree that it would be nice to have the SSL support for the management tool built into the application. Personally, after standing up my reverse proxy I don't know that I would use it. My HTPC system supports HTTPS and I still off-load SSL handling to my reverse proxy. Reverse proxies offer many advantages. For anything else I would use my VPN tunnel to my house. For other non-technical users, though, it would allow them to work in a more autonomous mode from any cloud hosted service.
-
Originally posted by lifespeed:
The reverse proxy sounds like a nice solution. I assume this implements SSL (and HTTPS) for services in your network that don't support it? I'll have to look into a Windows implementation of this function. Or perhaps this is a good reason to ditch my old router for a more flexible PFSense box that can handle this natively. VPN is cool, but I know how that would go over explaining that to my wife and kids. It may just be one additional button, but combine that with occasional Android flakiness and it doesn't look good. I have tried using the built-in VPN in Android, and it chokes probably 30% of the time.
1. A registered domain (Namecheap and Google Domains are cheap).
2. A DDNS client. Namecheap gives you one if you purchase a registered domain from them. Google Domains offers an integrated API that allows you to pick up a free client and configure it to work with it.
3. An SSL certificate. Personally, you could try to set up a Let's Encrypt ACME client on your system and get the cost of a signed SSL certificate down to $0. Alternatively, you could purchase a signed SSL certificate (Namecheap uses Comodo, and they are a solid paid version that is pretty cheap).
I can't recommend PFSense enough. It is the Batman utility belt of firewalls, and it does all of it well. The PFSense user community is well developed, and the package creators do a really great job of supporting their products. The forum isn't on Tapatalk yet, which would be my only gripe. You can load it on just about any old PC you have lying around, install to network cards, and run through the initial setup. There is a little setup necessary, but once it is up it works flawlessly. I have my reverse proxy, Let's Encrypt ACME client for SSL management and provisioning, Dynamic DNS client to keep my DDNS and CNAME subdomains up to date, and my VPN hosted on my PFSense firewall.
-
Originally posted by beerygaz:
How are you implementing HS3 authentication using the RP? Doesn't HS3 see all connections as local and thus bypass auth requests?
Sent from my iPhone using Tapatalk
HAProxy has two places where this can be done. The first is a setting (forward for) in the global settings that allows the system to overwrite the header with the endpoint's IP address. The second is a setting named "transparent client IP" in the back end configuration for the HS3 server. This passes the client IP address in place of the firewall's IP.
Sent from my iPhone using Tapatalk
-
I found setting the "forwarded for" header has no effect in HomeSeer; it doesn't read this header.
Using a "transparent IP" setting would require the HomeSeer box to use the reverse proxy as its default gateway, making for some really complex routing and IP networking.
Author of Highpeak Plugins | SMS-Gateway Plugin | Blue Iris Plugin | Paradox (Beta) Plugin | Modbus Plugin | Yamaha Plugin
-
Originally posted by beerygaz:
I found setting the "forwarded for" header has no effect in HomeSeer; it doesn't read this header.
Using a "transparent IP" setting would require the HomeSeer box to use the reverse proxy as its default gateway, making for some really complex routing and IP networking.
Agreed, the forward for didn't seem to work for me. I have enabled the transparent client IP setting on my network and confirmed that when I log in from work and filter the HS3 log by web server events, I see my work public IP address. I will have to check reverse proxy functionality while at home. I suspect that the expected network design for this to work would be a separate DMZ subnet where all back end servers access non-DMZ resources through the reverse proxy.
Sent from my iPhone using Tapatalk
-
Originally posted by beerygaz:
I found setting the "forwarded for" header has no effect in HomeSeer; it doesn't read this header.
Using a "transparent IP" setting would require the HomeSeer box to use the reverse proxy as its default gateway, making for some really complex routing and IP networking.
I have a backend set up to access my HS3 server on port 80 using transparent client IP (the backend is named hs3_80-external). I was already using ACL rules on my front end to determine when the HTTPS request was for my HS3 subdomain.
(Ex:
Name: hs3_acl
Expression: host starts with
Value: homeseer)
I then tied an action to the backend HS3 resource using an action (ex:
Action: use backend
Condition: hs3_acl
Backend: hs3_80-external)
Let's Encrypt does not have access to wildcard SSL certs, so I use the HTTPS SNI request to determine which SSL cert to match on. If the request is for HS3 then I hand them the HS3 subdomain SSL cert.
I did notice that with this setup my HAProxy system would work appropriately from the public Internet but would not work internally.
My local network is pretty locked down. Guest access is locked down to a separate VLAN and wifi and runs on a changing WPA2 key. The guest wifi network is only available during daylight hours, and there are ACL rules that block communication between the guest net and my local LANs. I don't necessarily care to lock out internal clients using the anti-hack tool in HS3. My workaround to get HAProxy to work with HS3 internally was to:
1. Copy the existing backend configuration for HS3 and deselect transparent client IP. I named this backend hs3_80-internal.
2. Add a new ACL in my port 443 front end that denotes my local intranet subnet
(ex:
Name: local_lan
Expression: source IP matches IP or Alias
Value: 10.0.0.0/16)
3. Create a new action above my external HS3 action.
(Ex:
Action: use backend
Condition ACL names: local_lan hs3_acl
Backend: hs3_80-internal)
This action will capture internal network requests for my HS3 subdomain and forward them to the "hs3_80-internal" backend instead.
I duplicated the workaround for both my internal subnets and found it to work well. Internal network logons to my HS3 environment appear to come from my router's IP address and not from the actual client's IP. Public Internet sourced logons display the public source IP address.
Sent from my iPhone using Tapatalk
Last edited by Kerat; June 18, 2017, 09:36 AM.
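The frontend/backend split Kerat describes above (and the forwardfor vs. transparent-client-IP distinction from the earlier reply) as a hand-written HAProxy configuration, added here for illustration; it is not exported from anyone's pfSense box. The certificate directory, the 10.0.0.0/16 subnet, the HS3 address 10.0.1.10 and the timeouts are assumptions, and the transparent backend needs a kernel with transparent-proxy (TPROXY) support.

```haproxy
# Added illustration, not a config from the thread. Paths, IPs and timeouts are assumed.
defaults
    mode http
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https_in
    # One certificate per subdomain in the directory; HAProxy selects the one whose
    # name matches the SNI the client sends, so no wildcard certificate is needed.
    bind :443 ssl crt /etc/haproxy/certs/

    # hs3_acl: the request is for the HS3 subdomain (Host header starts with "homeseer")
    acl hs3_acl   hdr_beg(host) -i homeseer
    # local_lan: the client's source address is on the internal subnet
    acl local_lan src 10.0.0.0/16

    # Order matters: the internal rule must come first, otherwise every HS3 request,
    # internal ones included, falls through to the transparent backend.
    use_backend hs3_80-internal if local_lan hs3_acl
    use_backend hs3_80-external if hs3_acl
    # Anything that matches no use_backend rule gets HAProxy's default 503.

backend hs3_80-external
    # Transparent client IP: connect to HS3 using the client's real source address,
    # so the HS3 web-server log and its local-network password exemption see the
    # public IP. HS3 must route its replies back through this proxy (default gateway
    # or a DMZ subnet), which is why this backend breaks for clients on the same LAN.
    source 0.0.0.0 usesrc clientip
    server hs3 10.0.1.10:80 check

backend hs3_80-internal
    # Same server, but connections originate from the proxy's own address, so HS3
    # treats internal users as local clients and normal routing works.
    option forwardfor   # sets X-Forwarded-For; HS3 ignores it, as noted in the thread
    server hs3 10.0.1.10:80 check
```

After reloading, the HS3 log filtered on web server events should show the public source IP for external logons and the proxy's address for internal ones, which is the check Kerat used to confirm the setup.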
-
Originally posted by rjh:
https is impossible to set up on your own system as you need a certificate to use it properly. So we will probably be removing it in a future build. MyHS uses HTTPS and that is the recommended solution.
-----
It's not only possible, but also fairly straightforward, to get a domain and a certificate:
Domain name cost: $12/yr.
Certificate for above domain name - single fully qualified DNS name (FQDN).
(Optional) Get a wildcard certificate (unlimited names in the domain) for $99/yr and use it with HomeSeer AND in other places too.
You may also need to run something like DNSMasq for your own internal DNS service.
-----
I agree with other folks' statements that the built-in web server leaves a bit to be desired. How about supporting Nginx or Apache? Both are open source and fully cross-platform.
-----
And since we're on the topic, how about supporting HomeSeer as BOTH an Application AND as a Service on Windows?
While some folks, including myself, have gotten the Application to run "sort of" like a service on Windows 10 with Task Scheduler, it's a poor hack that limits feature/function and isn't as reliable as a true service process. HomeSeer runs my HOUSE. It has to be as secure and reliable as humanly possible - and that means it needs to be a service process. It's time to step up, get past the "it's too hard to support" excuse, and just do it.
jjason
CISSP-ISSAP/ISSMP
-
Just to be clear, we do support https, just go to https://myhs.homeseer.com. No other HA system supports https directly to their system. If you use myhs you are encrypted from your browser to your system with SSL that is always kept up to date.
Originally posted by jjason:
I do Information Security as part of my job. I require that my own home systems be secured on my home network. My Synology NAS, my APC UPS, my IP Cameras, and even my Raspberry Pi NTP server, all support HTTPS. There is no reason that my Home Automation system should do any less. "Defense In Depth" - Accept nothing less.
-
Originally posted by rjh:
Just to be clear, we do support https, just go to https://myhs.homeseer.com. No other HA system supports https directly to their system. If you use myhs you are encrypted from your browser to your system with SSL that is always kept up to date.
HSPro 3.0.0.458, Z-NET with Z-wave plugin 3.0.1.190, RFXCOM + 2x RFXtrx433E, HSTouch, Squeezebox plugin, iTach IP/WF2IR & GC-100-6 with UltraGCIR, BLDenon, NetcamStudio, Jon00s Webpage builder, Harmony Hub plugin, SCSIP (with FreePBX), Arduino plugin, IFTTT, Pushalot plugin, Device History plugin.
Running on Windows 10 (64) virtualized on ESXi (Fujitsu Primergy TX150 S8).
WinSeer (for Win10) - TextSeer - FitbitSeer - HSPI_MoskusSample
Are you Norwegian (or Scandinavian) and getting started with HomeSeer? Read the "HomeSeer School"!
-
OpenHAB for one supports https out of the box.
Using myhs adds 20 seconds or more to load times.
Would it be possible for US law enforcement to gain access to my HomeSeer (security, CCTV, lighting, etc.) platform via MyHS?
Sent from my iPhone using Tapatalk
Author of Highpeak Plugins | SMS-Gateway Plugin | Blue Iris Plugin | Paradox (Beta) Plugin | Modbus Plugin | Yamaha Plugin
-
Originally posted by rjh:
Just to be clear, we do support https, just go to https://myhs.homeseer.com. No other HA system supports https directly to their system. If you use myhs you are encrypted from your browser to your system with SSL that is always kept up to date.
I'm afraid that is both:
1. Factually incorrect. Example: https://home-assistant.io/blog/2015/...-lets-encrypt/
2. A really poor approach to security.
Part of the reason I purchased Homeseer is that it can happily do everything while fully disconnected from the cloud. MyHS is a nice option to have, but it should not be a requirement for secure access.
As a paying customer, part of what I paid for is to have a secure-able product. Please continue to keep it secure and do not remove HTTPS support.
Don't make me WannaCry...
https://en.m.wikipedia.org/wiki/Wann...somware_attack
Jjason
CISSP-ISSAP/ISSMP
Sent from my iPhone using Tapatalk
-
Secure tunnels to localhost
I have not read the whole thread, but I found this solution (ngrok) for any local host server.
It's very simple to create a reverse secure tunnel.
Just download the exe file and execute it with
ngrok http 81 (hs port number)
It will show you a random https link that you can access from outside.
Be aware that it will load HS as a local IP, so you need to uncheck "no password for local network" in HS3.
Not needed if you create an account on their website. Then you can run
ngrok http -auth "myusername:mypassword" 81
The program also has a great log/debug of all traffic.
Access the live viewer from the same machine where ngrok is started: http://127.0.0.1:4040
There are both free and pricing plans.
https://ngrok.com/product#pricing
Please excuse any spelling and grammatical errors I may make.
--
Tasker Plugin / Speech Droid
Tonlof | Sweden
-
The only legitimate reason I can think of is "it will take too much of our time to make a proper web server to HS". And that's what I'm hearing. Please just say that if it's true.
I can understand it, but that doesn't mean I'm happy about it.
HSPro 3.0.0.458, Z-NET with Z-wave plugin 3.0.1.190, RFXCOM + 2x RFXtrx433E, HSTouch, Squeezebox plugin, iTach IP/WF2IR & GC-100-6 with UltraGCIR, BLDenon, NetcamStudio, Jon00s Webpage builder, Harmony Hub plugin, SCSIP (with FreePBX), Arduino plugin, IFTTT, Pushalot plugin, Device History plugin.
Running on Windows 10 (64) virtualized on ESXi (Fujitsu Primergy TX150 S8).
WinSeer (for Win10) - TextSeer - FitbitSeer - HSPI_MoskusSample
Are you Norwegian (or Scandinavian) and getting started with HomeSeer? Read the "HomeSeer School"!