From 278a87d5fdb344ec62ee66e37ab6ae620313613f Mon Sep 17 00:00:00 2001 From: Scott Lamb Date: Thu, 27 Dec 2018 16:29:26 -0600 Subject: [PATCH] tweaks to guide/secure.md after reading the rendered version online --- guide/secure.md | 42 +++++++++++++++++++++++------------------- 1 file changed, 23 insertions(+), 19 deletions(-) diff --git a/guide/secure.md b/guide/secure.md index 6805095..49319ea 100644 --- a/guide/secure.md +++ b/guide/secure.md @@ -79,17 +79,17 @@ Noobs](https://ipcamtalk.com/threads/vpn-primer-for-noobs.14601/). 7. Configure the webserver 8. Verify it works -## 1. Install a webserver. +## 1. Install a webserver Moonfire NVR's builtin webserver doesn't yet support `https` (see [issue -\#27](https://github.com/scottlamb/moonfire-nvr/issues/27), so you'll need to +\#27](https://github.com/scottlamb/moonfire-nvr/issues/27)), so you'll need to proxy through a webserver that does. If Moonfire NVR will be sharing an `https` port with anything else, you'll need to set up the webserver to proxy to all of these interfaces as well. I use [nginx](https://https://nginx.com/) as the proxy server. Some folks may -prefer [Apache httpd](https://httpd.apache.org/) or some other webserver. Any -of these will work. I include snippets of a `nginx` config below, so stick +prefer [Apache httpd](https://httpd.apache.org/) or some other webserver. +Anything will work. I include snippets of a `nginx` config below, so stick with that if you're not comfortable adapting it to some other server. I run the proxying webserver on the same machine as Moonfire NVR itself. You 
@@ -109,9 +109,9 @@ The easiest way to ensure your setup keeps working is to use the "static DHCP lease" option on your home router to give your webserver machine the same address every time it asks for a new lease. -Alternatively, you can configure your webserver to use a static IP address +(Alternatively, you can configure your webserver to use a static IP address instead of asking for a DHCP lease. Ensure the address you choose is outside -the range assigned by the DHCP server, so that there are no conflicts. +the range assigned by the DHCP server, so that there are no conflicts.) Reboot the webserver machine now and ensure it uses the IP address you choose on startup, so you don't have a confusing experience after your next power @@ -122,7 +122,7 @@ failure. In your router's setup, go to the "Port Forwarding" section and tell it to forward TCP requests on the `http` port (80) and the `https` port (443) to your webserver. The `https` port is necessary for secure access, and the -`http` port is necessary for the Let's Encrypt `http` challenge during the +`http` port is necessary for the Let's Encrypt `http-01` challenge during the setup process. Now if you go to your external IP address in a web browser, you should reach @@ -134,11 +134,11 @@ Also in your router's setup, look for "Dynamic DNS" or "DDNS". Configure it to update some DNS name with your home's external IP address. You should then be able to go to this address in a web browser and reach your webserver again. -It's possible to instead set up a dynamic DNS client on the Moonfire NVR +(It's possible to instead set up a dynamic DNS client on the Moonfire NVR machine instead. See [this Ubuntu guide](https://help.ubuntu.com/community/DynamicDNS). One disadvantage is that it may be slower to recognize IP address changes, so there may be a longer -period in which the address is incorrect. +period in which the address is incorrect.) ## 5. Install a TLS certificate 
@@ -158,8 +158,8 @@ ExecStart=/usr/local/bin/moonfire-nvr run \ --require-auth=false ``` -Change `--require-auth=false` to `--require-auth=true --trust-forward-hdrs` -which has two effects: +Change `--require-auth=false` to `--require-auth=true --trust-forward-hdrs`. +This change has two effects: * `--require-auth=true` means that web users must authenticate. * `--trust-forward-hdrs` means that Moonfire NVR will look for `X-Real-IP` @@ -185,9 +185,10 @@ desired DNS name. Now finalize its configuration: * redirect all `http` traffic to `https` * proxy `https` traffic to Moonfire NVR - * add a `X-Real-IP` header with the original IP address - * add a `X-Forwarded-Proto` header with the original protocol (which should - be `https` if you've configured everything correctly). + * when proxying, add a `X-Real-IP` header with the original IP address + * when proxying, add a `X-Forwarded-Proto` header with the original + protocol (which should be `https` if you've configured everything + correctly). The author's system does this via the following `/etc/nginx/sites-available/nvr.home.slamb.org` file: 
@@ -245,12 +246,15 @@ Go to `http://your.domain.here/api/request` and verify the following: * the browser redirects from `http` to `https` * the address shown here matches your web browser's public IP address. - (Compare to [https://whatsmyip.com/].) + (Compare to [https://whatsmyip.com/](https://whatsmyip.com/).) * the page says `secure: true` indicating you are using `https`. Then go to `https://your.domain.here/` and you should see the web interface, -including a login form. If you login, you should see your username and -"logout" in the upper-right corner of the web interface. +including a login form. -If it doesn't work as expected, re-read the guide, or open an issue on github -for help. +Login with the credentials you added through `moonfire-nvr config` in the +[previous guide](install.md). You should see your username and "logout" in the +upper-right corner of the web interface. + +If it doesn't work as expected, re-read this guide, then open an issue on +github for help.
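Review bot: In the hunk at `@@ -79,17 +79,17 @@`, the unchanged context line `I use [nginx](https://https://nginx.com/)` still has a doubled scheme, so the link stays broken in the rendered page this patch is tidying up. Drop the duplicate `https://` in the same commit. Also, "Anything will work" reads broader than the old "Any of these will work": the paragraph above requires a webserver that supports `https` and can proxy, so wording such as "Any webserver that can do this will work" would be more accurate.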
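Review bot: In the hunk at `@@ -122,7 +122,7 @@`, the sentence still says the `http` port is needed for the `http-01` challenge "during the setup process", which a reader can take to mean the port 80 forward may be removed once the certificate is installed. Let's Encrypt certificates are renewed by repeating the challenge, and step 7 of this guide redirects `http` to `https`, so state explicitly that the port 80 forward stays in place after setup.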
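Review bot: In the hunk at `@@ -134,11 +134,11 @@`, the rewritten first line still uses "instead" twice: `(It's possible to instead set up a dynamic DNS client on the Moonfire NVR` followed by `machine instead.` Since the line is already being touched to add the parenthesis, drop one of them, for example "(It's possible to set up a dynamic DNS client on the Moonfire NVR machine instead."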
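Review bot: In the hunk at `@@ -158,8 +158,8 @@`, the `--trust-forward-hdrs` bullet says what the flag reads but not the condition under which trusting it is safe. With this flag Moonfire NVR takes the client address from the `X-Real-IP` request header, so anyone who can reach its port without going through the proxy can supply a value of their own. If the lines after this hunk do not already say so, add a sentence telling the reader to make sure the Moonfire NVR port is reachable only from the proxying webserver, and in particular that it is kept off the router's port-forwarding list from step 3.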
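Review bot: In the hunk at `@@ -185,9 +185,10 @@`, the two new bullets say "add a `X-Real-IP` header" and "add a `X-Forwarded-Proto` header", which leaves open whether a value already sent by the client is kept. Because step 6 turns on `--trust-forward-hdrs`, the proxy has to replace any incoming copy of these headers, not append to it. Suggest "when proxying, set the `X-Real-IP` header to the original IP address, overwriting any value the client sent", and likewise for `X-Forwarded-Proto`. Minor: "a `X-Real-IP`" and "a `X-Forwarded-Proto`" should be "an".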
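Review bot: In the hunk at `@@ -245,12 +246,15 @@`, the verification steps check the redirect, the reported address and `secure: true`, then go straight to logging in, so nothing confirms that `--require-auth=true` from step 6 actually took effect. Add a check before the login step that the cameras and recordings are not shown until the user has logged in. Style: "Login with the credentials" uses the noun form as a verb and should be "Log in with the credentials", and "github" should be "GitHub".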