Introduction: Restrict Access to Raspberry Pi Web Server

This instructable is out of date. I updated it at: Two-way Authentication

My Home Automation projects allow control via a web server over the internet. While internet access is very useful, it is a security risk. Reduce this risk by requiring HTTPS, creating a client-side certificate, and restricting access to only those devices that have the certificate installed.

SSL facilitates encryption and trust. Trust allows a browser to validate the authenticity of a site. For this instructable, client-side SSL certificates are used the other way round: to authenticate a cell phone or laptop to a web server.

A server/client certificate pair prevents unauthorized users from accessing your home servers. For example, one of my web servers allows the garage door to be opened and closed from a cell phone. For a cell phone to open the garage door, it must have the client-side certificate installed.

Step 1: Gather Parts

For this instructable, I am using:

  • Raspberry Pi 2 Model B running Raspbian and Apache with working WiFi
  • U-verse 2-Wire Gateway
  • MacBook Pro

Step 2: My Instructable Standards

The following conventions or standards are used in my instructables:

  • I don't want to share my passwords and other personal data on the internet. Text enclosed in clubs, such as, ♣replace-this♣, should be replaced with your value. Of course, remove the clubs.
  • The instructable editor messes with HTTP links, converting them to short cuts. If you copy-and-paste a command with a link, then it may not work. So, text enclosed in hearts, such as, ♥copy-and-paste-link♥, is a link. Copy and paste the command and copy-and-paste the link to use it.
  • I have difficulty using the instructable editor to store certain types of code, especially, HTML or CSS. Thus, code is stored in github with appropriate links.
  • Each instructable has an appendix, which may include:
    • References: Contains links to web pages used or consulted while writing the instructable
    • Updates: I use my instructables and periodically update them. My plan is to track my changes and explain why I made a change
    • Troubleshooting: Either during development or afterwards, I find issues or others may report problems, and I try to document how to troubleshoot those issues
    • Automated install script: Some of my instructables contain a long list of commands. Since I use the instructable, it is much easier to write a script to implement all of the commands, rather than copy-and-paste each command. Also, the install script is supposed to fix common errors.
  • Most of my complex instructables are based on Raspberry Pi. Instead of including steps common to many instructables, I reference an instructable for, say, setting up Raspberry Pi and its Operating System.
  • For the most part, it doesn't matter which OS you use. It's a personal preference. Almost all of my projects run headless (no GUI). So, I prefer DietPi.
  • In general, I prepare the instructable as I am making the project. Once complete, I run through the instructions again to try and ensure I haven't forgotten anything.
  • I use a MacBook instead of a Windows-based laptop.
  • Improvements in the instructable editor seem to cause new and unsolvable problems. The new format doesn't seem to be able to size images correctly, and just makes them into a mess. This instructable explains they need to be a 4:3 ratio with a canvas size of 600x450

Step 3: Enable SSL and Generate Certificate (use HTTPS)

Open a terminal window on the MacBook and login to the Raspberry Pi using its IP address.

$ ssh pi@♣raspberry-pi-ip♣

login: ♣raspberry-pi-password♣

Generate a certificate key for the web server. You'll be asked to enter a pass phrase. This pass phrase can be anything, such as, ♣cert-password♣. Re-enter ♣cert-password♣.

$ sudo openssl genrsa -des3 -out server.key 1024
$ sudo openssl rsa -in server.key -out server.key.insecure

The following commands generate the certificate signing request and then a self-signed certificate, and ask several questions (only the fully qualified domain name or FQDN matters):

$ sudo openssl req -new -key server.key -out server.csr
$ sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Copy the certificate (cert) and key into the SSL directories

$ sudo cp server.crt /etc/ssl/certs
$ sudo cp server.key /etc/ssl/private

Enable SSL

$ sudo a2enmod ssl
$ sudo a2ensite default-ssl

Restart apache (I am not sure which one to use. So, I did both)

$ sudo /etc/init.d/apache2 restart
$ sudo service apache2 restart

Open a browser and in the url field enter:

https://♣raspberry-pi-ip♣

A warning about the certificate not being from a trusted source will appear, because the certificate is self-signed rather than issued by a CA the browser trusts.

Press Continue. Make an exception and it should work.

Step 4: Creating Server/client Certificate Pair Using OpenSSL

Open a terminal window on the Mac and login to Raspberry Pi:

$ ssh pi@♣raspberry-pi-ip♣

login: ♣raspberry-pi-password♣

Remove keys made in previous step:

$ sudo rm server.key
$ sudo rm server.crt
$ sudo rm server.csr
$ sudo rm server.key.insecure

Generate Certificate Authority (CA)

Before creating server/client certificates, set up a self-signed Certificate Authority (CA), which can be used to sign the server/client certificates. Once created, the CA cert will act as the trusted authority for both your server and client certificates (or certs).

$ sudo openssl req -newkey rsa:4096 -keyform PEM -keyout ca.key -x509 -days 3650 -outform PEM -out ca.cer

pass phrase = ♣cert-password♣

Generates: ca.cer, ca.key

Generate Apache server SSL key and certificate

Generate server.key:

$ sudo openssl genrsa -out server.key 4096

Generate a certificate signing request (CSR).

$ sudo openssl req -new -key server.key -out server.req

Use the certificate signing request and the CA cert/key to generate the server cert

$ sudo openssl x509 -req -in server.req -CA ca.cer -CAkey ca.key -set_serial 100 -extensions server -days 1460 -outform PEM -out server.cer

Clean up – now that the cert has been created, we no longer need the request.

$ sudo rm server.req

Install the server certificate in Apache

Copy the CA cert to a permanent place. We'll need to specify our CA cert in Apache since it is a self-generated CA and not one that is included in operating systems everywhere.

$ sudo cp ca.cer /etc/ssl/certs/

Copy the server cert and private key to a permanent place.

$ sudo cp server.cer /etc/ssl/certs/server.crt
$ sudo cp server.key /etc/ssl/private/server.key

Activate the SSL module in Apache.

$ sudo a2enmod ssl

Activate the SSL site in Apache

$ sudo a2ensite default-ssl

Disable the HTTP site

$ sudo a2dissite default

Edit the config file for the SSL enabled site

$ sudo nano /etc/apache2/sites-enabled/default-ssl

and add the lines below:

SSLCACertificateFile /etc/ssl/certs/ca.cer
SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key

Apply the config in Apache.

$ sudo service apache2 restart

Right now if you visit your https site, you will get an SSL error similar to "SSL peer was unable to negotiate an acceptable set of security parameters." That is good – it means your site won't accept a connection unless your browser is using a trusted client cert. We'll generate one now.
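The three SSL*File lines tell Apache which server cert to present and which CA to trust, but by themselves they do not make Apache demand a client certificate; that is the job of SSLVerifyClient. The virtual host below is an added example (not the original page's config) of the SSL site with client verification switched on, using the same file paths as above; the hostname and DocumentRoot are placeholders.

```apache
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerName ♣raspberry-pi-hostname♣
    DocumentRoot /var/www

    SSLEngine on
    # Server identity: the cert issued by the home CA in Step 4
    SSLCertificateFile    /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key

    # Trust anchor for CLIENT certificates: only certs signed by ca.cer are
    # accepted. "require" rejects the TLS handshake when no valid client cert
    # is presented; depth 1 means the client cert is signed directly by the CA.
    SSLCACertificateFile /etc/ssl/certs/ca.cer
    SSLVerifyClient require
    SSLVerifyDepth 1

    # Record which client certificate (subject DN) authenticated each request
    LogFormat "%h %t \"%r\" %>s \"%{SSL_CLIENT_S_DN}x\"" clientcert
    CustomLog ${APACHE_LOG_DIR}/ssl_access.log clientcert
</VirtualHost>
</IfModule>
```

Run `sudo apachectl configtest` before restarting. To check the result from the Mac once Step 4 is complete, `curl --cacert ca.cer --cert client.p12:♣cert-password♣ --cert-type P12 https://♣raspberry-pi-ip♣/` should return the page, while the same request without `--cert` should fail during the TLS handshake, which is exactly the behaviour described above.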

Generate a client SSL certificate

Generate a private key for the SSL client.

$ sudo openssl genrsa -out client.key 4096

Use the client's private key to generate a cert request.

$ sudo openssl req -new -key client.key -out client.req

Issue the client certificate using the cert request and the CA cert/key.

$ sudo openssl x509 -req -in client.req -CA ca.cer -CAkey ca.key -set_serial 101 -extensions client -days 365 -outform PEM -out client.cer

Convert the client certificate and private key to PKCS#12 format for use by browsers.

$ sudo openssl pkcs12 -export -inkey client.key -in client.cer -out client.p12

Clean up – remove the client private key, client cert and client request files, as the PKCS#12 file has everything necessary.

$ sudo rm client.key client.cer client.req
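The whole of Step 4 (CA, server cert, client cert, client.p12) as one non-interactive script, added here as an example and not code from the original instructable. It assumes an OpenSSL 1.1.1 or later binary on the PATH and uses 2048-bit keys so it runs quickly (the page uses 4096). It also supplies the small config file that the `-extensions server` and `-extensions client` flags refer to; without an `-extfile`, `openssl x509` silently ignores those flags, so the certs get no serverAuth/clientAuth usage. The pass phrase, host name and client name are constructed placeholders, and the verify step shows that the server cert is not usable as a client cert.

```shell
#!/bin/sh
# Added example: builds the Step 4 PKI non-interactively in DIR.
# Names, pass phrase and key size are constructed placeholders.
set -eu

PKI_PASS="${PKI_PASS:-change-me}"          # pass phrase protecting client.p12
PKI_HOST="${PKI_HOST:-raspberry-pi.home}"  # server FQDN (placeholder)

# OpenSSL config holding the [server] / [client] extension sections that the
# page's "-extensions server" and "-extensions client" flags name.
write_config() {
    cat > "$1/pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$PKI_HOST
[client]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Body runs in a subshell so the cd does not leak into the caller.
make_pki() (
    dir="$1"
    mkdir -p "$dir"
    write_config "$dir"
    cd "$dir"
    # 1. self-signed CA (the page's "openssl req -newkey ... -x509")
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.cer \
        -days 3650 -subj "/CN=Home CA" -config pki.cnf -extensions ca 2>/dev/null
    # 2. server key + CSR, signed by the CA with the [server] extensions
    openssl genrsa -out server.key 2048 2>/dev/null
    openssl req -new -key server.key -out server.req -subj "/CN=$PKI_HOST" -config pki.cnf
    openssl x509 -req -in server.req -CA ca.cer -CAkey ca.key -set_serial 100 \
        -extfile pki.cnf -extensions server -days 1460 -out server.cer 2>/dev/null
    # 3. client key + CSR, signed with the [client] extensions
    openssl genrsa -out client.key 2048 2>/dev/null
    openssl req -new -key client.key -out client.req -subj "/CN=phone-1" -config pki.cnf
    openssl x509 -req -in client.req -CA ca.cer -CAkey ca.key -set_serial 101 \
        -extfile pki.cnf -extensions client -days 365 -out client.cer 2>/dev/null
    # 4. bundle client key + cert (+ CA, so the phone gets the full chain) as PKCS#12
    openssl pkcs12 -export -inkey client.key -in client.cer -certfile ca.cer \
        -out client.p12 -passout "pass:$PKI_PASS"
    # same clean-up as the page: only client.p12 keeps the client material
    rm -f server.req client.req client.key client.cer
)

# 0 if CERT chains to DIR/ca.cer and is valid for PURPOSE (sslserver|sslclient).
# Greps for ": OK" because old openssl versions exit 0 even on failure.
cert_purpose_ok() {
    openssl verify -purpose "$3" -CAfile "$1/ca.cer" "$2" 2>/dev/null | grep -q ': OK$'
}

# Pull the client cert back out of client.p12 (proves the bundle is
# self-contained) and check that server and client usages are distinct.
verify_pki() (
    dir="$1"
    openssl pkcs12 -in "$dir/client.p12" -passin "pass:$PKI_PASS" -nokeys -clcerts \
        -out "$dir/client-from-p12.cer" 2>/dev/null || exit 1
    cert_purpose_ok "$dir" "$dir/server.cer" sslserver || exit 1
    cert_purpose_ok "$dir" "$dir/client-from-p12.cer" sslclient || exit 1
    # a server cert must not pass where a client cert is required
    if cert_purpose_ok "$dir" "$dir/server.cer" sslclient; then exit 1; fi
)

# Run end to end when saved and executed as:  sh mkpki.sh [dir]
case "${0##*/}" in
    mkpki.sh) d="${1:-./pki}"; make_pki "$d" && verify_pki "$d" && echo "PKI OK in $d" ;;
esac
```

Because the CA is included in client.p12 via `-certfile`, the phone receives the chain in one import; the page instead emails ca.cer alongside it, which is equivalent.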

Step 5: Add Client-side Certificate to Devices

Import the client.p12 file into your web browser.

To copy client.p12 from the Raspberry Pi to a Mac, open a terminal window and enter the command:

$ pwd
/Users/♣your-username♣
$ scp pi@♣raspberry-pi-ip♣:client.p12 /Users/♣your-username♣

Double click the file to import it into the operating system's keystore, which is used by Internet Explorer and Chrome.

For Firefox, open Options → Advanced → Certificates → View Certificates → Your Certificates and import the certificate.

For Android phones, the browser must be Chrome.

Email client.p12 as an attachment to your device.

Open the email on the Android phone and save the attachment to downloads

Return to the home screen and open Settings → Security → Credential Storage → Install from device storage → Open the client.p12 file

Enter pass phrase: ♣cert-password♣

For Apple phones, email the cert and double click on it, then follow the directions.

Email client.p12 and ca.cer as attachments

Step 6: Disable HTTP in Apache

$ sudo nano /etc/apache2/ports.conf

Comment out these lines:

NameVirtualHost *:80
Listen 80

So it looks like:

# NameVirtualHost *:80
# Listen 80
Listen 443
NameVirtualHost *:443
<VirtualHost *:443>
	ServerName ♣raspberry-pi-hostname♣
	Redirect permanent / https://♣u-verse-gateway-ip♣
</VirtualHost>

Save the file (CTRL-o, ENTER, CTRL-x)

Restart Apache

$ sudo service apache2 restart

Step 7: Disable HTTP on U-verse Gateway

HTTPS is secure and uses port 443. HTTP is insecure and uses port 80. My internet service provider's (ISP) U-verse 2-Wire gateway provides a firewall.

Login to U-verse 2-Wire Gateway.

On MacBook, open browser and enter: ♣u-verse-gateway-ip-address♣. My gateway's IP is 192.168.1.254.

Go to: Settings → Firewall → Applications, Pinholes and DMZ

And, choose ♣raspberry-pi-hostname♣

Remove applications that allow port 80 through to the web server

Keep or add port 443 on HTTPS Server

Now, visit your website with the browser where you imported the client certificate. You'll likely be prompted for which client certificate to use – select it. Then you'll be authenticated and allowed in!

Check each device.

If they all work, then you are done!

Step 8: Appendix: References
