We need native HTTPS support!

#61
I can agree that it would be nice to have the SSL support for the management tool built into the application. Personally, after standing up my reverse proxy I don't know that I would use it. My HTPC system supports HTTPS and I still off-load SSL handling to my reverse proxy. Reverse proxies offer many advantages. For anything else I would use my VPN tunnel to my house. For other non-technical users, though, it would allow them to work in a more autonomous mode from any cloud-hosted service.


#62
> Originally posted by Kerat:
> I can agree that it would be nice to have the SSL support for the management tool built into the application. Personally, after standing up my reverse proxy I don't know that I would use it. My HTPC system supports HTTPS and I still off-load SSL handling to my reverse proxy. Reverse proxies offer many advantages. For anything else I would use my VPN tunnel to my house. For other non-technical users, though, it would allow them to work in a more autonomous mode from any cloud-hosted service.

The reverse proxy sounds like a nice solution; I assume this implements SSL (and HTTPS) for services in your network that don't support it? I'll have to look into a Windows implementation of this function. Or perhaps this is a good reason to ditch my old router for a more flexible pfSense box that can handle this natively. VPN is cool, but I know how that would go over explaining that to my wife and kids. It may just be one additional button, but combine that with occasional Android flakiness and it doesn't look good. I have tried using the built-in VPN in Android, and it chokes probably 30% of the time.


#63
> Originally posted by lifespeed:
> The reverse proxy sounds like a nice solution; I assume this implements SSL (and HTTPS) for services in your network that don't support it? I'll have to look into a Windows implementation of this function. Or perhaps this is a good reason to ditch my old router for a more flexible pfSense box that can handle this natively. VPN is cool, but I know how that would go over explaining that to my wife and kids. It may just be one additional button, but combine that with occasional Android flakiness and it doesn't look good. I have tried using the built-in VPN in Android, and it chokes probably 30% of the time.

Yes, it can act as the HTTPS SSL offload for both web services that support HTTPS and ones that do not. I believe that Nginx has a Windows port. Once set up, you would open and forward port 443 to your server and set Nginx to listen on port 443. The only other services and resources you would need are:
1. A registered domain (Namecheap and Google Domains are cheap).
2. A DDNS client. Namecheap gives you one if you purchase a registered domain from them. Google Domains offers an integrated API that allows you to pick up a free client and configure it to work with it.
3. An SSL certificate. Personally, you could try to set up a Let's Encrypt ACME client on your system and get the cost of a signed SSL certificate down to $0. Alternatively, you could purchase a signed SSL certificate (Namecheap uses Comodo, and they are a solid paid version that is pretty cheap).

I can't recommend pfSense enough. It is the Batman utility belt of firewalls, and it does all of it well. The pfSense user community is well developed, and the package creators do a really great job of supporting their products. The forum isn't on Tapatalk yet, which would be my only gripe. You can load it on just about any old PC you have lying around, install two network cards, and run through the initial setup. There is a little setup necessary, but once it is up it works flawlessly. I have my reverse proxy, Let's Encrypt ACME client for SSL management and provisioning, Dynamic DNS client to keep my DDNS and CNAME subdomains up to date, and my VPN hosted on my pfSense firewall.


#64
How are you implementing HS3 authentication using the RP? Doesn't HS3 see all connections as local and thus bypass auth requests?

Sent from my iPhone using Tapatalk
Author of Highpeak Plugins | SMS-Gateway Plugin | Blue Iris Plugin | Paradox (Beta) Plugin | Modbus Plugin | Yamaha Plugin


#65
> Originally posted by beerygaz:
> How are you implementing HS3 authentication using the RP? Doesn't HS3 see all connections as local and thus bypass auth requests?

HAProxy has two places where this can be done. The first is a setting (forward for) in the global settings that allows the system to overwrite the header with the end point's IP address. The second is a setting named "transparent client IP" in the back end configuration for the HS3 server. This passes the client IP address in place of the firewall's IP.

Sent from my iPhone using Tapatalk


#66
I found setting the "forwarded for" header has no effect in HomeSeer; it doesn't read this header.

Using a "transparent IP" setting would require the HomeSeer box to use the reverse proxy as its default gateway, making for some really complex routing and IP networking.
Author of Highpeak Plugins | SMS-Gateway Plugin | Blue Iris Plugin | Paradox (Beta) Plugin | Modbus Plugin | Yamaha Plugin


#67
> Originally posted by beerygaz:
> I found setting the "forwarded for" header has no effect in HomeSeer; it doesn't read this header.
>
> Using a "transparent IP" setting would require the HomeSeer box to use the reverse proxy as its default gateway, making for some really complex routing and IP networking.

Agreed, the forward-for didn't seem to work for me. I have enabled the transparent client IP setting on my network and confirmed that when I log in from work and filter the HS3 log by web server events, I see my work public IP address. I will have to check reverse proxy functionality while at home. I suspect that the expected network design for this to work would be a separate DMZ subnet where all back end servers access non-DMZ resources through the reverse proxy.

Sent from my iPhone using Tapatalk


#68
> Originally posted by beerygaz:
> I found setting the "forwarded for" header has no effect in HomeSeer; it doesn't read this header.
>
> Using a "transparent IP" setting would require the HomeSeer box to use the reverse proxy as its default gateway, making for some really complex routing and IP networking.

I have a handful of subdomains that I use for different back end resources.

I have a backend set up to access my HS3 server on port 80 using transparent client IP (the backend is named hs3_80-external). I was already using ACL rules on my front end to determine when the HTTPS request was for my HS3 subdomain. For example:
    Name: hs3_acl
    Expression: host starts with
    Value: homeseer

I then tied an action to the backend HS3 resource, for example:
    Action: use backend
    Condition: hs3_acl
    Backend: hs3_80-external

Let's Encrypt does not have access to wildcard SSL certs, so I use the HTTPS SNI request to determine which SSL cert to match on. If the request is for HS3 then I hand them the HS3 subdomain SSL cert.

I did notice that with this setup my HAProxy system would work appropriately from the public Internet but would not work internally.

My local network is pretty locked down. Guest access is locked down to a separate VLAN and Wi-Fi and runs on a changing WPA2 key. The guest Wi-Fi network is only available during daylight hours, and there are ACL rules that block communication between the guest net and my local LANs. I don't necessarily care to lock out internal clients using the anti-hack tool in HS3. My workaround to get HAProxy to work with HS3 internally was to:
1. Copy the existing backend configuration for HS3 and deselect transparent client IP. I named this backend hs3_80-internal.
2. Add a new ACL in my port 443 front end that denotes my local intranet subnet, for example:
    Name: local_lan
    Expression: source IP matches IP or Alias
    Value: 10.0.0.0/16
3. Create a new action above my external HS3 action, for example:
    Action: use backend
    Condition ACL names: local_lan hs3_acl
    Backend: hs3_80-internal
This action will capture internal network requests for my HS3 subdomain and forward them to the "hs3_80-internal" backend instead.

I duplicated the workaround for both my internal subnets and found it to work well. Internal network logons to my HS3 environment appear to come from my router's IP address and not from the actual client's IP. Public Internet-sourced logons display the public source IP address.

Sent from my iPhone using Tapatalk
Last edited by Kerat; June 18, 2017, 09:36 AM.
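The front end, ACLs and two backends that posts #65 to #68 describe, written out as a plain HAProxy configuration. This is an added example, not Kerat's exported pfSense config or anything from HomeSeer; the HS3 address 192.168.1.10, the cert directory and the timeouts are assumptions.

```haproxy
# Constructed example. Assumes HAProxy terminates TLS on the firewall, HS3 listens on
# 192.168.1.10:80 (placeholder), and one Let's Encrypt PEM (cert + key) per subdomain
# sits in /etc/haproxy/certs/.
global
    log /dev/log local0

defaults
    mode    http
    log     global
    option  httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https_in
    # With a directory, HAProxy picks the certificate whose name matches the TLS SNI
    # the browser sent, so no wildcard certificate is needed.
    bind *:443 ssl crt /etc/haproxy/certs/
    # Adds X-Forwarded-For; as the thread found, HS3 does not read it.
    option forwardfor

    # The two ACLs from post #68: which subdomain was requested, and is the client on the LAN
    acl hs3_acl   hdr_beg(host) -i homeseer
    acl local_lan src 10.0.0.0/16

    # Order matters: the LAN rule sits above the external one so LAN clients never
    # reach the transparent backend, which is what broke internal access in post #68.
    use_backend hs3_80-internal if local_lan hs3_acl
    use_backend hs3_80-external if hs3_acl

backend hs3_80-external
    # pfSense's "transparent client IP" option: HAProxy connects to HS3 using the
    # client's own public address as the source, so the HS3 web server log shows the
    # real remote IP and HS3 does not treat the session as local. HS3 must route its
    # replies back through this box (its default gateway), as beerygaz noted.
    source 0.0.0.0 usesrc clientip
    server hs3 192.168.1.10:80 check

backend hs3_80-internal
    # Same server without source spoofing: HS3 sees the proxy's own address. That
    # address counts as local to HS3, so its "no password for local network" exemption
    # applies to these sessions, which is why this backend is limited to the LAN ACL.
    server hs3 192.168.1.10:80 check
```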



#69
> Originally posted by rjh:
> HTTPS is impossible to set up on your own system as you need a certificate to use properly. So we will probably be removing it in a future build. MyHS uses HTTPS and that is the recommended solution.

I do Information Security as part of my job. I require that my own home systems be secured on my home network. My Synology NAS, my APC UPS, my IP cameras, and even my Raspberry Pi NTP server all support HTTPS. There is no reason that my Home Automation system should do any less. "Defense In Depth" - accept nothing less.

-----

It's not only possible, but also fairly straightforward, to get a domain and a certificate:

Domain name cost: $12/yr.
Certificate for the above domain name - single fully qualified DNS name (FQDN):
    Let's Encrypt: Free.
    NameCheap PositiveSSL (Comodo): $9/yr. https://www.namecheap.com/
(Optional) Get a wildcard certificate (unlimited names in the domain) for $99/yr and use it with HomeSeer AND in other places too.
You may also need to run something like DNSMasq for your own internal DNS service.

-----

I agree with other folks' statements that the built-in web server leaves a bit to be desired. How about supporting Nginx or Apache? Both are open source and fully cross-platform.

-----

And since we're on the topic, how about supporting HomeSeer as BOTH an Application AND as a Service on Windows?

While some folks, including myself, have gotten the Application to run "sort of" like a service on Windows 10 with Task Scheduler, it's a poor hack that limits feature/function and isn't as reliable as a true service process. HomeSeer runs my HOUSE. It has to be as secure and reliable as humanly possible - and that means it needs to be a service process. It's time to step up, get past the "it's too hard to support" excuse, and just do it.

jjason
CISSP-ISSAP/ISSMP


#70
Just to be clear, we do support HTTPS; just go to https://myhs.homeseer.com. No other HA system supports HTTPS directly to their system. If you use MyHS you are encrypted from your browser to your system with SSL that is always kept up to date.

> Originally posted by jjason:
> I do Information Security as part of my job. I require that my own home systems be secured on my home network. My Synology NAS, my APC UPS, my IP cameras, and even my Raspberry Pi NTP server all support HTTPS. There is no reason that my Home Automation system should do any less. "Defense In Depth" - accept nothing less.
>
> -----
>
> It's not only possible, but also fairly straightforward, to get a domain and a certificate:
>
> Domain name cost: $12/yr.
> Certificate for the above domain name - single fully qualified DNS name (FQDN):
>     Let's Encrypt: Free.
>     NameCheap PositiveSSL (Comodo): $9/yr. https://www.namecheap.com/
> (Optional) Get a wildcard certificate (unlimited names in the domain) for $99/yr and use it with HomeSeer AND in other places too.
> You may also need to run something like DNSMasq for your own internal DNS service.
>
> -----
>
> I agree with other folks' statements that the built-in web server leaves a bit to be desired. How about supporting Nginx or Apache? Both are open source and fully cross-platform.
>
> -----
>
> And since we're on the topic, how about supporting HomeSeer as BOTH an Application AND as a Service on Windows?
>
> While some folks, including myself, have gotten the Application to run "sort of" like a service on Windows 10 with Task Scheduler, it's a poor hack that limits feature/function and isn't as reliable as a true service process. HomeSeer runs my HOUSE. It has to be as secure and reliable as humanly possible - and that means it needs to be a service process. It's time to step up, get past the "it's too hard to support" excuse, and just do it.
>
> jjason
> CISSP-ISSAP/ISSMP

💁‍♂️ Support & Customer Service 🙋‍♂️ Sales Questions 🛒 Shop HomeSeer Products


#71
> Originally posted by rjh:
> Just to be clear, we do support HTTPS; just go to https://myhs.homeseer.com. No other HA system supports HTTPS directly to their system. If you use MyHS you are encrypted from your browser to your system with SSL that is always kept up to date.

We use HomeSeer because it's not like other HA systems...
HSPro 3.0.0.458, Z-NET with Z-wave plugin 3.0.1.190, RFXCOM + 2x RFXtrx433E, HSTouch, Squeezebox plugin, iTach IP/WF2IR & GC-100-6 with UltraGCIR, BLDenon, NetcamStudio, Jon00s Webpage builder, Harmony Hub plugin, SCSIP (with FreePBX), Arduino plugin, IFTTT, Pushalot plugin, Device History plugin.
Running on Windows 10 (64) virtualized on ESXi (Fujitsu Primergy TX150 S8).
WinSeer (for Win10) - TextSeer - FitbitSeer - HSPI_MoskusSample

Are you Norwegian (or Scandinavian) and getting started with HomeSeer? Read the "HomeSeer School"!


#72
OpenHAB, for one, supports HTTPS out of the box.

Using MyHS adds 20 seconds or more to load times.

Would it be possible for US law enforcement to gain access to my HomeSeer (security, CCTV, lighting, etc.) platform via MyHS?

Sent from my iPhone using Tapatalk
Author of Highpeak Plugins | SMS-Gateway Plugin | Blue Iris Plugin | Paradox (Beta) Plugin | Modbus Plugin | Yamaha Plugin


#73
> Originally posted by rjh:
> Just to be clear, we do support HTTPS; just go to https://myhs.homeseer.com. No other HA system supports HTTPS directly to their system. If you use MyHS you are encrypted from your browser to your system with SSL that is always kept up to date.

I'm afraid that is both:
1. Factually incorrect. Example: https://home-assistant.io/blog/2015/...-lets-encrypt/
2. A really poor approach to security.

Part of the reason I purchased HomeSeer is that it can happily do everything while fully disconnected from the cloud. MyHS is a nice option to have, but it should not be a requirement for secure access.

As a paying customer, part of what I paid for is to have a secure-able product. Please continue to keep it secure and do not remove HTTPS support.

Don't make me WannaCry...
https://en.m.wikipedia.org/wiki/Wann...somware_attack

jjason
CISSP-ISSAP/ISSMP

Sent from my iPhone using Tapatalk


#74
Secure tunnels to localhost

I have not read the whole thread, but I found this solution (ngrok) for any localhost server.
It's very simple to create a reverse secure tunnel.
Just download the exe file and execute it with
    ngrok http 81
(81 being the HS port number). It will show you a random HTTPS link that you can access from outside.
Be aware that it will load HS as a local IP, so you need to uncheck "no password for local network" in HS3.
That is not needed if you create an account on their website. Then you can run
    ngrok http -auth "myusername:mypassword" 81
The program also has a great log/debug view of all traffic.
Access the live viewer from the same machine the ngrok is started on: http://127.0.0.1:4040
There are both free and paid plans.
https://ngrok.com/product#pricing
Please excuse any spelling and grammatical errors I may make.
--
Tasker Plugin / Speech Droid
Tonlof | Sweden


#75
The only legitimate reason I can think of is "it will take too much of our time to make a proper web server for HS". And that's what I'm hearing. Please just say that if it's true.

I can understand it, but that doesn't mean I'm happy about it.
HSPro 3.0.0.458, Z-NET with Z-wave plugin 3.0.1.190, RFXCOM + 2x RFXtrx433E, HSTouch, Squeezebox plugin, iTach IP/WF2IR & GC-100-6 with UltraGCIR, BLDenon, NetcamStudio, Jon00s Webpage builder, Harmony Hub plugin, SCSIP (with FreePBX), Arduino plugin, IFTTT, Pushalot plugin, Device History plugin.
Running on Windows 10 (64) virtualized on ESXi (Fujitsu Primergy TX150 S8).
WinSeer (for Win10) - TextSeer - FitbitSeer - HSPI_MoskusSample

Are you Norwegian (or Scandinavian) and getting started with HomeSeer? Read the "HomeSeer School"!