How would I go about setting up the influxdb webserver to use SSL/https?
Is it still the case that secure communication isn’t an option?
Not from the ESP8266. There’s not enough heap memory to process the certs and/or handle the handshake buffers required. Also, although they released a nice BearSSL implementation for ESP8266, it is a blocking client, so not compatible with time critical power sampling.
You can use a proxy server like nginx to forward the HTTP as HTTPS. Some have done it. I have one set up to go the other way - it accepts inbound connections with HTTPS and forwards to IoTaWatt as HTTP.
Hmm, I’ll have to ponder my setup now.
Currently the iotawatt sits on my IOT vlan with only a narrow firewall rule allowing it to send influx data back. I’ve been adding SSL to any service I can on my network and was just locking down influx.
In this case it is tricky to solve, as I can’t really get the proxy close enough to the iotawatt. At some point it has to send out the username/password in clear text. And of course it is sitting on my dirty IOT vlan with other devices I don’t trust (no offense).
I suppose I could at least use an HTTP connection to my traefik container, so I can close the direct port to the influxdb server.
Also, you’re already doing checking on a ‘good’ url. You should not allow someone to set https. It wouldn’t be the worst to just pull the port setting into a new field, just so people know that 8086 is getting tacked onto the end.
As a webserver, IoTaWatt supports digest authentication, which is actually pretty good. Passwords are only sent in plaintext in a single transaction when the password is set. The password is not saved in the IoTaWatt, only a cryptographic hash. Transactions send an authorization digest based on a challenge from the IoTaWatt. It’s pretty secure. The message payload is not encrypted, so it can be viewed, but the URL cannot be altered.
Influx does not support digest authentication. TLS largely made it obsolete in most cases. However, looking at their documentation, I think it supports JWT, which is more or less the same idea with a little less overhead. If you are interested in that, take a look and see if it’s something that would work. It would require a shared secret between the IoTaWatt and influxDB. If the tools are available, I probably could add that level of authorization.
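An added example, not part of the original posts and not IoTaWatt or InfluxDB code: a sketch of the shared-secret JWT idea from the post above, showing both the device side (signing) and the server side (verifying). It assumes an HS256 token carrying `username` and `exp` claims, as InfluxDB 1.x documents for its shared-secret JWT option; the secret, username and timestamps are constructed sample values.

```python
import base64, hashlib, hmac, json

def b64url(raw: bytes) -> str:
    # JWT uses unpadded URL-safe base64
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(secret: bytes, signing_input: str) -> str:
    mac = hmac.new(secret, signing_input.encode("utf-8"), hashlib.sha256)
    return b64url(mac.digest())

def make_token(secret: bytes, username: str, now: int, ttl: int = 60) -> str:
    """Device side: build a short-lived token; the secret never goes on the wire."""
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc({"alg": "HS256", "typ": "JWT"}) + "." + enc(
        {"username": username, "exp": now + ttl})  # claim names: assumption
    return signing_input + "." + sign(secret, signing_input)

def verify_token(secret: bytes, token: str, now: int):
    """Server side: return the username if the token is authentic and unexpired."""
    try:
        header_b64, claims_b64, sig = token.split(".")
        expected = sign(secret, header_b64 + "." + claims_b64)
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return None  # forged, altered, or signed with another secret
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(claims_b64))
    except ValueError:
        return None  # malformed token
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # refuse "none" or any unexpected algorithm
    if not isinstance(claims, dict):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None  # expired: bounds how long a sniffed token is replayable
    return claims.get("username")

if __name__ == "__main__":
    SECRET = b"constructed-sample-secret"  # constructed value
    tok = make_token(SECRET, "iotawatt", now=1_700_000_000)
    print("Authorization: Bearer " + tok)
    print(verify_token(SECRET, tok, now=1_700_000_030))
```

Over plain HTTP the token and the payload are still readable on the VLAN, so the gain is that the password is never sent and a captured token stops working once `exp` passes.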