3 releases
| Version | Released |
|---|---|
| 0.1.2 | Jul 26, 2020 |
| 0.1.1 | Jul 25, 2020 |
| 0.1.0 | Jul 24, 2020 |
#688 in Authentication
380KB, 1K SLoC
New Home: Proxy
Supplies a basic proxy for use with the New Home system. It is used to make the Core part publicly available with SSL encryption, which enables the New Home UI to be hosted with SSL encryption and built as a PWA.
Why?
While you can still run your own UI, I want to have the UI available as a PWA. For this, however, I have to add a Service Worker to it, and this in turn requires the UI to be served via HTTPS (which is still possible for me). But now the Core has to be reachable via HTTPS as well, and this certificate has to be trusted. This is where I fail. No one will give you a (trusted) SSL certificate for an IP, especially not for a network-internal IP. So I have to get the Core out of your home and available via SSL. So this proxy server will be hosted (with SSL encryption) by me or, if you have the know-how, by yourself.
How? (Tech part)
The proxy consists of 2 parts:
- The client, which will run on your Raspberry Pi
- The server, which will run on my (or your) server
Additionally, I will provide configuration files so that you can deploy it straight to Heroku and have this proxy hosted "by yourself". At least that way you know that I'm not copying data on my server.
How the connection works
Giving the public access to your home is a sensitive topic, so it has to be secure. I try my best to make it secure by encrypting all the traffic between your home, the proxy server and the UI (aka your local device). To ensure that no one else can access your home resources, the client proxy requires a login. The login is not part of the server but of the client (your Raspberry Pi).
To get away without any port forwarding in your router, the client connects to the server. This way only the server has to be publicly reachable, and the client can sit anywhere, even behind a firewall. Even better, the communication runs over a websocket connection, so you only need a single port and a single SSL setup for securing both the proxy requests and the client tunnel.
To secure your home from intruders, there are login credentials that have to be sent in a proxy request. They are forwarded to the client, and the client then validates them. This way you can't be fooled by a manipulated server that allows everything.
All of this should prevent someone from breaking into your home. If anyone still has concerns, please let me know so that I can look into them and try to fix them.
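The client-side credential check described above, as an added example that is not the crate's own code: `ProxyRequest`, `Client`, `handle` and the `server_says_authorized` field are hypothetical names, and the plaintext credential map is an assumption that keeps the example std-only. It shows that the decision depends only on the store held by the client, so a claim made by a manipulated server changes nothing.

```rust
use std::collections::HashMap;

// Hypothetical shape of a request arriving at the client through the tunnel.
struct ProxyRequest<'a> {
    user: &'a str,
    password: &'a str,
    // Anything the server claims about the caller is untrusted input.
    server_says_authorized: bool,
}

// Compare all bytes without stopping at the first mismatch.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    let mut diff = a.len() ^ b.len();
    for i in 0..a.len().max(b.len()) {
        let x = a.get(i).copied().unwrap_or(0);
        let y = b.get(i).copied().unwrap_or(0);
        diff |= (x ^ y) as usize;
    }
    diff == 0
}

// Credential store that lives only on the client (the Raspberry Pi).
// Plaintext keeps the example std-only; store a salted password hash in practice.
struct Client {
    users: HashMap<String, String>,
}

impl Client {
    // Returns the status code sent back through the tunnel.
    fn handle(&self, req: &ProxyRequest) -> u16 {
        let _ = req.server_says_authorized; // deliberately never consulted
        let stored = self.users.get(req.user).map(String::as_str).unwrap_or("");
        let matches = ct_eq(stored.as_bytes(), req.password.as_bytes());
        if matches && !stored.is_empty() { 200 } else { 401 }
    }
}

// Constructed sample data.
fn sample_client() -> Client {
    let mut users = HashMap::new();
    users.insert("alice".to_string(), "correct horse".to_string());
    Client { users }
}

fn main() {
    let c = sample_client();
    let forged = ProxyRequest { user: "alice", password: "", server_says_authorized: true };
    println!("forged by server: {}", c.handle(&forged));
}
```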
Dependencies: ~41MB, ~1M SLoC