Rpi nginx reverse proxy for HTTPS

I have an Rpi running an Nginx reverse proxy with https. I don’t normally run it like this and use openvpn. Like this, it keeps asking for the admin password over and over when messing with graphs. Like I say, I don’t use this and the link may or may not work because I mess with stuff a lot.

If the status is updating, it’s probably working. The password issue, while no doubt related, can be resolved by removing the passwords. Can you see if it works with the reverse proxy and no password?

Thanks.

I removed the password. Will leave it for a little while. Click the link and have a look around. Graphs both new and old are messed up. I don’t want to leave it like this long because someone could screw up my config. It’s backed up.

If you describe how to set up the nginx reverse proxy, I can try it and then maybe look at what’s happening with the authorization.

Another thing you might look into is whitelisting the IPs that can connect from outside. I have one installation where I can port forward in but I can only do it from my IP. Might be a better solution until the password issue can be resolved.

Rpi configured as a Nginx reverse proxy with HTTPS: Takes about 10 minutes.

Start with a fresh install of Raspbian (Buster) Lite and follow the instructions on this first page: https://engineerworkshop.com/2019/01/16/setup-an-nginx-reverse-proxy-on-a-raspberry-pi-or-any-other-debian-os/

Make sure to configure sites-available/sites-enabled before proceeding, and certbot will modify the config for HTTPS.

You can install certbot with “sudo apt install certbot python-certbot-nginx”.

With the certbot cli now available we can request a certificate for our Nginx server:

Specify the -d <domain.com> flag if you want to skip the wizard and directly sign 1 domain.

sudo certbot --nginx --email "myemail@domain.com" #match server/domain setting in the sites-enabled config of nginx.

Certbot will read the vhosts set up in /etc/nginx/sites-available and let you choose a domain (or multiple) from the list. Note that as a final question it will ask you if you want to reroute this domain to HTTPS by default (by returning an HTTP 301 to https://publicdomain.com). (I chose not to reroute.)

This will get you up and running. I believe the problem with the graphs, and maybe the authorization, can be found by understanding the way the proxy server hands over the packet header to the iotawatt. Here is a good resource explaining. Scroll down to “Understanding how Nginx processes headers”.

I just moved this discussion from another thread because this has been on my to-do list for a long time. There’s a related issue with passwords, but this is about using the Rpi and nginx to convert traffic between your IoTaWatt on the LAN using HTTP (unencrypted) to HTTPS (encrypted). I’ll be trying this out over the next few weeks, but anyone else is encouraged to jump in and share experience.

IoTaWatt doesn’t have enough heap space or horsepower to do HTTPS, and so relies on the local LAN security. With this bridge, traffic outside the LAN can be secure. I don’t know for sure, but I think the Rpi could also connect to the IoTaWatt exclusively in AP mode so there is no exposure to other users or devices on a local LAN.

Frequent visitors will know that Rpi and these communications issues are not my strong point. My goal is to plod through it to get a cookbook solution for others in my situation.

Below is my working “server block” config for Nginx for the Iotawatt. Change the “server_name” to yours and the “proxy_pass” to your iotawatt IP. After you link this to sites-enabled per the instructions in the above post, run sudo nginx -t. If it returns successful, proceed to install and run certbot to apply https. Let me know if anyone needs further help.

    server {
        listen 80;
        listen [::]:80;
        server_name iotawatt.blitzville.hopto.org;

        location / {
            # Forward every request to the IoTaWatt on the LAN
            proxy_pass http://192.168.0.21:80;
            # Pass the original host name and client address upstream
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

As I look into this more, I sense that Nginx on a RPi may be capable of solving a multitude of issues beyond basic HTTPS for posting to servers. @blitz1986 created this thread because the password authorization in IoTaWatt doesn’t seem to work through the proxy. I haven’t gotten so far yet to verify that, but as I look at what Nginx can do, it seems a user/password file can be created for Nginx and used to authorize access to upstream servers like IotaWatt. Seems like using that, along with HTTPS, could make for an efficient secure interface to the internet.

As an aside, while I’m hoping the reverse proxy can be accomplished with a Pi-zero, an ethernet capable model could also serve as an ethernet gateway.

I’ve got a lot to learn about this, so it may take awhile to put together a turnkey solution. In the meantime, if others are doing similar things, or have the knowledge to do so, please jump in with your ideas and solutions.
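
The idea raised above (an Nginx user/password file in front of the IoTaWatt, served only over HTTPS) combined with the IP allowlisting suggested earlier in the thread, as an added example that is not a config posted by anyone in this thread. It assumes certbot has already issued a certificate for the server name used earlier (certbot's default file layout), that `/etc/nginx/.htpasswd` exists, that the allowed address is a constructed placeholder, and, unlike the earlier post, it redirects HTTP to HTTPS so the password never travels in clear text.

```nginx
# Added example, not a config from this thread.
# Assumptions: certificate already issued by certbot for the server_name below;
# /etc/nginx/.htpasswd created with `sudo htpasswd -c /etc/nginx/.htpasswd <user>`
# (htpasswd ships in the apache2-utils package).

server {
    listen 80;
    listen [::]:80;
    server_name iotawatt.blitzville.hopto.org;
    # Basic auth is only base64-encoded, so never accept it over plain HTTP.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name iotawatt.blitzville.hopto.org;

    ssl_certificate     /etc/letsencrypt/live/iotawatt.blitzville.hopto.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/iotawatt.blitzville.hopto.org/privkey.pem;

    location / {
        # Require BOTH an allowed source address AND a valid password.
        satisfy all;
        allow 203.0.113.10;   # constructed placeholder: your own public IP
        deny  all;

        auth_basic           "IoTaWatt";
        auth_basic_user_file /etc/nginx/.htpasswd;

        proxy_pass http://192.168.0.21:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # The password is checked here; do not hand it on to the device.
        proxy_set_header Authorization "";
    }
}
```

With the IoTaWatt's own passwords removed, this protects only traffic that arrives through the proxy; anything on the LAN can still reach 192.168.0.21 directly. Run `sudo nginx -t` before reloading.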

I’ve used nginx a lot to get SSL connections from outside networks to local services inside my home network, protected by nginx basic or digest authentication. Works great.

I made this Docker image to do both reverse proxy and redirects (not relevant here). It’s typically run in combination with another Docker image, Traefik, that takes care of SSL via Let’s Encrypt. But you might find the nginx config examples useful.

My nginx-proxy-redirect Docker image takes a simplified YAML configuration and renders the necessary nginx config. I can provide an example docker-compose.yml config for Traefik with Let’s Encrypt integration if anyone is interested.

I made a video installing nginx reverse proxy with https on a Rpi3. It might help someone get up and going. 45 MB. It’s an MP4. Is there a place to upload? I show where the password isn’t a problem after removing the user password and only using the admin password. Shows a couple of problems with the graphs. This isn’t a problem for me at all. Just messing around. I use openvpn to access and am not worried about an https connection.

Would be nice to post that. If you can put it on YouTube and link, that would be best. Otherwise, I enabled MP4 for now but will not leave that enabled indefinitely. Thanks.

Just try this link and download it. Says file too large when I upload.

bit.ly/37EnvXq

Seems to require your credentials to log in.

FTP Username: iotawatt@acs-ohio.com
FTP server: ftp.acs-ohio.com
FTP & explicit FTPS port: 21
password iotawatt

If you use your browser to access ftp://ftp.acs-ohio.com, it will ask for user name iotawatt@acs-ohio.com and password iotawatt.

Hi @blitz1986

Pretty busy over Thanksgiving and just now getting to this. I viewed the video, very straightforward, thank you. Would you mind if I put it up on YouTube for the benefit of others?

Moving forward, I had some help over the weekend and now also have a RPi with Nginx as a secure gateway to one of my iotawatt. There are some differences in how it was done, but basically the same idea. Looking now at moving the authentication to Nginx and also at outbound HTTPS for sending data to servers like influxDB and PVoutput.

In the process, of course, I also tripped over the issues with graph not working. The problem is some hard-coded HTTP:// and also incompatible file pathnames. I have it working. There may be more changes, but if you would like, this version of graph2.js should make Graph+ work:

graph2.js (50.3 KB)

Instructions for uploading are here.

Would be great to have the video show Graph+ working.
Thanks

I don’t mind at all if you put it on YouTube and you can add any comments to it you think will help. I just wanted to help get you or anyone pointed in the right direction.