The purpose is to reverse proxy Domoticz (https://domoticz:443, which only has a self-signed SSL certificate) through an Apache2 web server that has a CA-signed SSL certificate, on a different port (444 in this case).
The reverse proxy authenticates to Domoticz with HTTP Basic authentication as a fixed, defined user, so the Domoticz login itself becomes transparent to the client. In its place, however, the configuration puts Apache2's own Basic authentication in front of the proxy, so the client still has to log in, just to Apache instead of to Domoticz.
The idea is that unless the user completes Basic authentication via Apache2 on the signed-SSL port, Domoticz is not exposed to attack externally (this significantly increases security for external Domoticz access).
I've tried to make it as easy to follow as possible; read the comments in the config below:
```apache
# Requires mod_ssl, mod_proxy, mod_proxy_http, mod_headers and mod_alias to be enabled.
Listen 444
<VirtualHost *:444>
    ServerName enteryourdomain.com

    # Domoticz presents a self-signed certificate, so verification of the backend
    # certificate is switched off for the proxy connection.
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off

    ProxyPreserveHost On
    ProxyRequests off
    # Serve the favicon locally instead of proxying it.
    ProxyPass /favicon.ico !
    Alias /favicon.ico "/var/www/domoticz/favicon.ico"
    ProxyPass / https://domoticzipaddress:443/
    ProxyTimeout 5400
    Timeout 5400

    # We need to specify which user in Domoticz the reverse proxy will connect to
    # and convert it to base64 format using:
    #   echo -n "USERNAME:PASSWORD" | base64
    # It will look something like the sample value below:
    RequestHeader set Authorization "Basic T5345mtrk34534tgfdg=="

    <Proxy *>
        # Apache 2.2 access syntax; on Apache 2.4 this needs mod_access_compat
        # (the 2.4 equivalent would be "Require all granted" combined with the auth below).
        Order deny,allow
        Allow from all
        AuthType Basic
        AuthName "Password Required"
        # We need to generate an Apache .htpasswd password file containing a username
        # and password that will be used for the Apache2 basic authentication, using
        # (note: you may need to create the domoticz directory in /var/www first):
        #   htpasswd -c /var/www/domoticz/.htpasswd USERNAMEYOUWANT
        AuthUserFile /var/www/domoticz/.htpasswd
        Require valid-user
    </Proxy>

    SSLEngine on
    SSLCACertificateFile /etc/ssl/domain/domain.ca-bundle
    SSLCertificateFile /etc/ssl/domain/domain.crt
    SSLCertificateKeyFile /etc/ssl/domain/private.key
</VirtualHost>
```
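As an added illustration (not part of the original post or of Apache/Domoticz), the following Python script models what the two authentication layers in the config above do for one request: Apache checks the client's Authorization header against the .htpasswd file, and only when that succeeds does it forward the request with the fixed Domoticz credential set by RequestHeader. The user names, passwords and the .htpasswd line are constructed for the example; the script mirrors the `{SHA}` format written by `htpasswd -s` because it is easy to reproduce in the standard library, and does not model the default apr1 MD5 format or `htpasswd -B` (bcrypt), which is the stronger choice for a real file.

```python
"""Model of the two Basic-auth layers in the Apache reverse-proxy config (added example)."""
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple

REALM = "Password Required"  # same text as AuthName in the config


def basic_header(user: str, password: str) -> str:
    """Value of an Authorization header, exactly what `echo -n "USER:PASS" | base64` gives."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def htpasswd_sha_hash(password: str) -> str:
    """Hash field written by `htpasswd -s`: {SHA} followed by base64(sha1(password))."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def check_htpasswd(htpasswd_text: str, user: str, password: str) -> bool:
    """True if user/password match a {SHA} line in the htpasswd text (other schemes rejected)."""
    expected = htpasswd_sha_hash(password)
    for line in htpasswd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, stored = line.partition(":")
        if name == user and stored.startswith("{SHA}"):
            # constant-time comparison so a wrong password is not distinguishable by timing
            return hmac.compare_digest(stored.encode(), expected.encode())
    return False


def parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Split a 'Basic <base64>' header into (user, password); None if malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[len("Basic "):], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def proxy_request(incoming_auth: Optional[str], htpasswd_text: str,
                  upstream_user: str, upstream_password: str) -> Tuple[int, Dict[str, str]]:
    """What the <Proxy *> block plus RequestHeader do for one request.

    Returns (status, headers): 401 with a challenge if the Apache-side Basic auth fails,
    otherwise 200 with the Authorization header that is forwarded to Domoticz.
    The client's credential is never forwarded, and the Domoticz credential
    never leaves the proxy.
    """
    creds = parse_basic(incoming_auth)
    if creds is None or not check_htpasswd(htpasswd_text, *creds):
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}
    return 200, {"Authorization": basic_header(upstream_user, upstream_password)}


# Constructed sample data (hypothetical accounts, not real credentials): the .htpasswd
# line is what `htpasswd -s -c /var/www/domoticz/.htpasswd alice` would write.
SAMPLE_HTPASSWD = "alice:" + htpasswd_sha_hash("correct horse") + "\n"
DOMOTICZ_USER, DOMOTICZ_PASSWORD = "proxyuser", "example-only"

if __name__ == "__main__":
    for label, hdr in [("no header", None),
                       ("wrong password", basic_header("alice", "nope")),
                       ("valid", basic_header("alice", "correct horse"))]:
        status, headers = proxy_request(hdr, SAMPLE_HTPASSWD, DOMOTICZ_USER, DOMOTICZ_PASSWORD)
        print(f"{label:14s} -> {status} {headers}")
```

Running the script shows the three cases a defender cares about: no header and a wrong password both get the `Password Required` challenge and never reach Domoticz, while a valid login is forwarded with the proxy's own credential rather than the client's. The same behaviour can be checked against the live proxy with `curl -u USER:PASS https://enteryourdomain.com:444/` versus a request without `-u`.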
I've also tested this configuration with the Android Domoticz app and can confirm that it works without issues.
Knowledge of Apache is required; I take no responsibility for the security settings used. You will need to assess on your own whether they are suitable for your network environment.