Hi, I want to be able to access the brewpi from anywhere. I want both a private access (full access) and a public access (that enables only viewing, not changing the settings).
I have been trying to follow these instructions on HomeBrewTalk:
They do not work for me and seem to me to be outdated. I am unable to find any other step-by-step guide to help me set this up.
I have already set up a static IP address for the Raspberry Pi, and opening a port is no problem.
OK, for doing something like this you are going to want to utilize htpasswd. I would suggest you first read up on how htpasswd works and how to set it up before moving any further. An alternative would be to have a VPN server running you can connect into and then jump to your BPi. IMHO the latter is the better option and with a little searching and time can be done pretty easily (your router might even have this built into it).
If you do decide you just want to go the route of using the built-in Apache functions, you can, and there are several posts on this forum about it (I think I even helped some with this). One thing to remember is htpasswd isn’t 100% secure and you will be passing a password in plain text. Anyone that can sniff your traffic could get the password if they really want. This is why I suggest going the VPN route if possible since it will be fully encrypted and allows you even more flexibility.
You can also switch to TLS. It isn’t hard to make your site https instead of http and then protect against the sniffing issue. I am phone posting right now watching football but will post some instructions tomorrow if I remember.
I did manage to set up password protection using the instructions I linked to in the OP, having to make some changes due to new file locations.
Ultimately running the command: “sudo service apache2 reload” instead of the suggested “sudo apache2ctl -k graceful” did the trick.
I am still looking at setting up a VPN. But being a noob at this stuff makes it really hard for me to understand how to go about achieving the same goal: two versions of the same website, using VPN.
Ok so let’s see if I can do a better job of explaining things here.
The article on HBT is a bit over the top IMO. Do you really need two websites running? I get the idea, but in the end you are creating yourself a lot more work to maintain things, and if you are green at this it could end with a poor user experience. The reason why I say this is as code is developed and updated for the platform you are going to have to continually update and modify things since this is outside of what will/would get updated via normal channels. Meaning a lot of manual work on your part to make this work consistently.
Both methods @bryan and I have described (VPN and SSL/TLS) are viable options and far better than running and trying to maintain two copies of things. I personally tend to lean towards the VPN solution more than converting your site to https; my reasoning is again without knowing the roadmap for the UI and what it will run in the future or how could lead to frustration. Also, setting up a VPN opens a few more doors beyond just simply controlling your BPi remotely and securely. With the VPN you can get to anything inside your home network: have a media server running and you can hit it without exposing it to the world. Want to have secure traffic on devices while traveling (think public WiFi)? Connect in and be fully encrypted.
At the end of the day all these methods have their PROS/CONS and you have to decide what’s the best path for you.
I have investigated a few different ways of setting up remote viewing for the brewpi and landed on weaved.com which creates an encrypted connection to the pi which you can access from anywhere. I have two installations of the service (one SSH connection and one http for viewing the brewpi web server). You can get a free weaved account and set it up in less than an hour. Now I can go to their site, log into my account and connect to the pi or view the web server. There is also an app for iOS as well! Really simple solution for someone like myself who doesn’t love digging through and editing code.
I realize this chain is old, but it’s still a good topic.
Let me preface this as saying that I used to be a network administrator for one of the largest data centers (at that time) in North America. I haven’t done it in more than 12 years, so I’m rusty and things have surely changed, but all of these things we’re talking about existed back then. All of the things people have said in previous posts, but here’s my take on it:
I configured mine by removing the BrewPi logo (Sorry Elco, it’s the only way it would fit quickly) and putting href links for both my 7 gallon and 14 gallon fermenters in both “view” and “admin” versions (this is the view-only page for my 7 gallon):
I actually followed the same guide that the OP posted, but something to realize is that it actually has a hole in it because the files that are called in the admin.php file aren’t included in the .htaccess file to require the htpass. (The actual control panel and temp control .php files.) Again, probably not an issue 99.9% but if you’re REALLY worried about someone getting in, that would have to be added. HINT: I didn’t.
Don’t publicly share your URL; even though it would have been fun to post my URL instead of a screen shot, it’s just opening up potential with it being open for the world to see.
You can sniff the password using the htpasswd method since it’s cleartext, but you’d have to be somewhere in the IP chain meaning linked into one of the routers along the path (and on the same interface’s broadcast area which would only happen at the end or beginning links,) or close enough to sniff the WiFi at your house. But, anyone capable of doing that, can do a lot worse to you than break into your BrewPi and change your beer temp. I realize someone will point out there are easy scripting programs to handle this, but even those require someone who knows how to put the pieces together.
Don’t use the same password for htpass that you use to get into the Pi, that also helps minimize the risk of sniffing. In fact, don’t use a password that you use for anything else to make sure the risk is limited to the BrewPi setup.
VPN would be great, but as someone else mentioned, you can open up other holes into your entire home network, and those are a lot worse than just opening a port from your router to your Raspberry Pi’s IP for port 80. (I also open 22 so I can SSH in.)
You could definitely go secure by creating your own certificate, but all this would do is secure the password from sniffing, and adds a decent amount of setup if you’re not comfortable with commands.
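
The gap described in the post above (admin.php requires the htpasswd login, the PHP files it calls do not) can be checked mechanically. The following is an added example, not part of the thread or of BrewPi: it reads the text of one .htaccess file and lists the PHP files that can still be requested without authentication. The .htaccess contents, the `AuthUserFile` path and every file name other than admin.php are constructed for illustration, and it assumes protection is expressed with quoted `<Files>` / `<FilesMatch>` blocks or a directory-wide `Require`.

```python
import fnmatch
import re

# Constructed sample: only the admin entry page is protected, as in the post.
SAMPLE_HTACCESS = '''
AuthType Basic
AuthName "BrewPi admin"
AuthUserFile /path/to/.htpasswd
<Files "admin.php">
    Require valid-user
</Files>
'''
# Hypothetical web-root listing; names other than admin.php are placeholders.
SAMPLE_FILES = ["index.php", "admin.php", "control-panel.php", "temp-control.php"]

BLOCK = re.compile(r'<(Files|FilesMatch)\s+"?([^">]+)"?\s*>(.*?)</\1>', re.S | re.I)
REQUIRE = re.compile(r'^\s*Require\s+(valid-user|user\b|group\b)', re.M | re.I)

def protected_matchers(htaccess):
    """Return (dir_wide, matchers): whether a Require covers the whole
    directory, and one predicate per <Files>/<FilesMatch> block that has one."""
    matchers = []
    for kind, pattern, body in BLOCK.findall(htaccess):
        if not REQUIRE.search(body):
            continue  # block exists but does not demand a login
        if kind.lower() == "filesmatch":
            rx = re.compile(pattern)
            matchers.append(lambda name, rx=rx: rx.search(name) is not None)
        else:  # <Files> takes a file name with shell-style wildcards
            matchers.append(lambda name, p=pattern: fnmatch.fnmatchcase(name, p))
    # A Require outside every block applies to all files in the directory.
    dir_wide = REQUIRE.search(BLOCK.sub("", htaccess)) is not None
    return dir_wide, matchers

def reachable_without_auth(htaccess, filenames):
    """List the files that no Require directive in this .htaccess covers."""
    dir_wide, matchers = protected_matchers(htaccess)
    if dir_wide:
        return []
    return [f for f in filenames if not any(m(f) for m in matchers)]

if __name__ == "__main__":
    for name in reachable_without_auth(SAMPLE_HTACCESS, SAMPLE_FILES):
        print("no login required:", name)
```

The view page is expected to appear in the output; any file in the list that changes settings is one the .htaccess still needs to cover.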