Friday 28 October 2016

Securing Skills

Having got a basic setup working with an Alexa Skill calling to Node-Red on my unRaid server, I was a little worried about the security of this setup long term. I was also unhappy with going through a Lamba function to bypass the HTTPS requirement for Alexa endpoints. I decided to set up better security.

The first step was to set up basic authentication on the proxied URL that I was using to access Node-RED. This turned out to be quite straigtforward following the instructions at LinuxServer.io. I used the linked tool to create a .htaccess file and a .htpasswd file. Don't worry about the requested path as you only need the contents of the .passwd file as this tool is used to hash the passwords. The resultant passwords is added to /config/.htpasswd (I had to create this file).

I ended up with the following default.conf file in Apache (saved in /config/apache/site-confs):

SetEnv proxy-initial-not-pooled 1

<VirtualHost *:80>

ServerName www.mydomain.online

ServerAlias www.mydomain.online    



DocumentRoot /config/www/

    <Directory "/config/www/">

        Options Indexes FollowSymLinks MultiViews

        AllowOverride all

            Order allow,deny

        Allow from all

</Directory> 

</VirtualHost>



<VirtualHost *:80>

ServerName skills.mydomain.online

ServerAlias skills.mydomain.online

<Location /echo>

AuthUserFile /config/.htpasswd

AuthType Basic

AuthName "Skills"

Require user username



ProxyPass http://192.168.XXX.XXX:XXXX/echo

ProxyPassReverse http://192.168.XXX.XXX:XXXXecho

</Location>

</VirtualHost>


This allows me access the Node-RED with a URL similar to this;

http://username:somepassword@skills.mydomain.online/echo

Next step was to add certificates to allow this work on https://

Some reserach revealed that Amazon developer is somewaht fussy when it comes to which certs it will support. For example, startSSL certs don't work so I gave up on securing a free cert and decided it was worth paying the $15 for something that would work. Based on a post from Wolf Paulus, I went with SSLmate. This turned out to be very starightforward. Sign up for an account and follow the directions to generate the cert right from inside the Apache docker. (I used cat /etc/*-release to figure out it was running Ubuntu 14.04. Once I had that info, it was easy to follow the instructions to install the SSLmate software and generate the certs.)

The next step was to configure the secure section of the Apache default.conf file to apply the certs to the reverse proxy;

<VirtualHost *:443>

    ServerName skills.mydomain.online

    SSLEngine on

    SSLCertificateFile "/etc/sslmate/skills.mydomain.online.crt"

    SSLCertificateKeyFile "/etc/sslmate/skills.mydomain.online.key"

    SSLCertificateChainFIle "/etc/sslmate/skills.mydomain.online.chain.crt"

<Location /echo>

 AuthUserFile /config/.htpasswd

 AuthType Basic

 AuthName "Skills"

 Require user Alexa

ProxyPass http://192.168.XXX.XXX:XXXX/echo

ProxyPassReverse http://192.168.XXX.XXX:XXXX/echo

</Location> 

</VirtualHost>

Now, the Node-RED logic can be accesed only with

https://username:somepassword@skills.mydomain.online/echo

Finally, I could configure my Alexa Skill on Amazon Developer to have direct access to my endpoint rather than going through a custom lamda function;



No comments: