Run internet-pi with SSL enabled #331
Comments
|
I had a quick look and the following enables SSL. I created a ssl key within the initial internet-pi folder: Added the following to the And one more addition to Then just run the ansible-playbook again: Enjoy! |
|
This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution! Please read this blog post to see the reasons why I mark issues as stale. |
|
@martinbrose, Unfortunately, I have attempted to make your recommended changes on a RPi 4, with Debian GNU/Linux 11 and the most current version of Internet-Pi (June 11, 2022). However, try as I might -- I can not access the RPi at https://192.168.XXX.XXX:3030 nor https://192.168.XXX.XXX. When I use 'netstat -antp' to see the ports that are being used by the Rpi 4 I see: 9798, 9115, 9100, 9090, 3030 and 22. Furthermore, when you ask to edit config.yml and to add the following lines:
The path: /etc/grafana/provisioning/ does not exist on my RPi 4 with Internet-pi. Those directories appear to be at ~/internet-monitoring/grafana/provisioning It is very likely that I'm missing something obvious, since this is my first crack at Prometheus and Grafana. However, without your recommended changes, I can re-run the playbook and the RPi 4 works with https://192.168.XXX.XXX:3030. I've been running the non-https version for a week (at the time I write this). FYI, personally I am not comfortable logging into a device via cleartext (read: http) where my credentials could potentially be sniffed. Thank you. |
|
This issue is no longer marked for closure. |
|
Hi @KCapwell, I had a look and apparently I made a slight mistake in my instructions. Now corrected above. Because when all the docker containers are being started up, this is the folder that gets mapped to I also noticed that I received a permission error in the startup process of the Grafana container, so had to add chmod above. Don't think it's the most secure approach, but might be alright for the use case. Hope this helps! |
|
Hi @martinbrose, Your recommended changes worked like a charm! Now I can access the site using https://192.168.XXX.XXX:3030. I am well aware that a self signed certificate is inherently less secure than a CA certificate. However, using Internet-Pi as an internal monitoring tool, I do believe that including the self signed certificate is one additional step towards best practices in InfoSec. I wouldn't recommend that typical "end user" get in the habit of blindly accepting a self signed certificate especially for external sites, but technical folks should comprehend the difference. That, along with the additional encryption for the authentication and other account credentials seems wise to yours truly. Thank you! |
|
This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution! Please read this blog post to see the reasons why I mark issues as stale. |
|
This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details. |
|
This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution! Please read this blog post to see the reasons why I mark issues as stale. |
|
This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details. |
Are there any instructions for adding an SSL cert to the mix so that this could be accessed via https?
The text was updated successfully, but these errors were encountered: