maddox / harmony-api

🗼 A simple server allowing you to query/control multiple local Harmony Home Hubs over HTTP or MQTT
MIT License

Securing HTTP requests #52

Open khaimov opened 7 years ago

khaimov commented 7 years ago

Is there a way to secure the HTTP endpoint, so authentication is required? I see the option for mqtt, but not http.

maddox commented 7 years ago

I personally do this with nginx. I have all my stuff behind an nginx proxy.

khaimov commented 7 years ago

@maddox thanks for the superfast response. I have this running on a Raspberry Pi, and I guess I can install nginx and reverse proxy into it. What would the REST call look like then? I would like to use IFTTT Maker to trigger a call to Harmony-API.

maddox commented 7 years ago

Oh, all I'm doing is BLOCKING traffic from outside the network.

khaimov commented 7 years ago

@maddox I appreciate the response anyway. I think I will use an API Gateway, something like Kong, so this way I can securely broker communication via DMZ.

xac1d commented 7 years ago

Anyone mind sharing their nginx config for this? I have it kinda working but I'm missing something.

maddox commented 7 years ago

Here's my config. I'm using nginx as a proxy, and I'm securing it by blocking it outside of my local network.

# --- + PROXY + ---

# Template variables:
#
# * domain = harmony.domain.com
# * name = harmony
# * type = proxy
# * host = localhost
# * port = 8282

# harmony-api itself only needs to listen on the local port.
upstream harmony-lb {
    server localhost:8282;
}

# Plain HTTP is redirected to HTTPS.
server {
    listen 80;
    server_name harmony.domain.com;
    return 301 https://harmony.domain.com$request_uri;
}

server {
    server_name harmony.domain.com;
    listen 443 ssl;

    location / {
        # Only the local network and loopback may reach the API; every
        # other client address gets a 403. The LAN is written as a network
        # address (nginx warns that the host bits in 192.168.1.1/24 are
        # meaningless).
        allow 192.168.1.0/24;
        allow 127.0.0.1;
        deny all;

        # Pass the original host, scheme and client address through to harmony-api.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_pass http://harmony-lb;
    }

    # Let's Encrypt certificate, OCSP stapling and HSTS for the HTTPS listener.
    ssl_certificate /etc/letsencrypt/live/harmony.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/harmony.domain.com/privkey.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

    access_log /var/log/nginx/harmony-access.log;
    error_log  /var/log/nginx/harmony-error.log;
}

# --- - PROXY - ---

Here are the security parts:

        allow 192.168.1.0/24;
        allow 127.0.0.1;
        deny all;
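One way to answer the original question (requiring authentication rather than only blocking outside traffic), as an added example that is neither maddox's config nor part of harmony-api: the same `location`, with `satisfy any` so that LAN clients are admitted on address alone while an outside caller such as IFTTT must present HTTP basic-auth credentials over HTTPS. The htpasswd path, the `ifttt` user name and the 192.168.1.0/24 network are assumptions.

```nginx
# Added example, not from the thread. Assumes harmony-api on localhost:8282,
# the LAN at 192.168.1.0/24, and an htpasswd file created with e.g.
#   htpasswd -c /etc/nginx/harmony.htpasswd ifttt

upstream harmony-lb {
    server localhost:8282;
}

server {
    listen 443 ssl;
    server_name harmony.domain.com;

    ssl_certificate     /etc/letsencrypt/live/harmony.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/harmony.domain.com/privkey.pem;

    location / {
        # "satisfy any": a request passes if EITHER the client address is on
        # the allow list OR it carries valid basic-auth credentials. Outside
        # callers without credentials get 401, with wrong credentials 401,
        # and nothing reaches harmony-api until one of the two checks passes.
        satisfy any;

        allow 192.168.1.0/24;   # local network, as a network address
        allow 127.0.0.1;
        deny  all;

        auth_basic           "harmony-api";
        auth_basic_user_file /etc/nginx/harmony.htpasswd;

        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://harmony-lb;
    }
}
```

An external caller then sends the credentials with standard HTTP basic auth (for a quick check, `curl -u ifttt https://harmony.domain.com/`), and the plain-HTTP redirect from the config above keeps them from ever travelling unencrypted.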