Settings: Difference between revisions

Jump to navigation Jump to search

Settings (view source)

Revision as of 07:16, 23 April 2020

3,428 bytes removed ,  23 April 2020
→‎SSH Port Forwarding
No edit summary
Line 368: Line 368:
  });
  });


=== SSH Port Forwarding ===
[[Self-hosted_SSH_proxy]]
 
The Allegro Network Multimeter can be configured to to use SSH Port Forwarding to allow remote access to the device behind a NAT.
The multimeter will create a tunnel to an SSH endpoint and will open a listening port on this SSH server.
This port can now be used to send HTTPS requests to the multimeter.
 
==== Preparing the SSH server ====
 
===== Create a user =====
 
The user on the SSH server does not need any special rights and does not need a login shell. Example:
 
$> useradd -m -s /usr/sbin/nologin mmremote
 
===== Allow SSH access via public key =====
 
The Allegro Network Multimeter uses SSH public key authentication to log in on the SSH server. The public key can be found in the '''SSH public key''' field in the '''SSH Port Forwarding''' settings dialog.
 
$> mkdir /home/mmremote/.ssh
$> chown mmremote: /home/mmremote/.ssh
$> nano /etc/mmremote/.ssh/authorized_keys
 
Paste the line into the file and save/close the file.
There are two options to access the multimeter:
 
'''Option 1: No proxy'''
 
Advantage:
* no additional software required
 
Disadvantage:
* no port < 1024 (as non-root user)
* Default HTTPS port 443 is not possible
 
The SSH server might be configured to allow only local listening ports. This has to be changed to allow listening on any subnet.
 
Edit the SSH configuration file '''/etc/ssh/sshd_config''' and activate the following line:
 
<code>GatewayPorts clientspecified</code>
 
Save and close the configuration file and restart the SSH service.
 
'''Option 2: With HTTPS proxy'''
 
Advantage:
* use default HTTPS port 443
* use several filter mechanisms provided by the proxy software
* use the same SSH server as proxy for several multimeters through SNI routing Disadvantage:
* additional configuration required
 
The following block shows a sample configuration for the '''nginx''' proxy server:
 
server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name allegro-mm-1234.mm-remote.company.com;
        ssl_certificate /etc/letsencrypt/live/allegro-mm-1234.mm-remote.company.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/allegro-mm-1234.mm-remote.company.com/privkey.pem;
        location / {
                      proxy_pass        https://localhost:55443; # 55443 =configured listen port on multimeter
                    }
        client_max_body_size 200M; # for firmware uploads
}
server {
        listen 80;
        listen [::]:80;
       
        server_name allegro-mm-1234.mm-remote.company.com;
        return 301 https://$host$request_uri;
}
 
The forwarding to the Allegro Network Multimeter is using the configured server name. In this example, requests to '''allegro-mm-1234.mm-remote.company.com''' will be forwarded to the multimeter.
Ths requires that this hostname is resolved by the DNS server. This could be solved by a wildcard DNS CNAME entry to point at the SSH server.
 
'''Configuration of the multimeter'''
 
In the configuration dialog, insert the parameters to access the SSH server. For example:
 
* SSH Host: '''mm-remote.company.com'''
* SSH Port: '''22'''
* SSH User: '''mmremote'''
* Listening HTTPS Port on SSH Host: '''55443'''
 
The settings have to match the configuration above. '''Every multimeter requires a separate HTTPS listening port..'''
If the '''SSH user''' is not '''root, no port below 1024''' is possible. Otherwise, an error message will appear when trying to connect.


=== Allegro Remote Service ===
=== Allegro Remote Service ===
Ralf
547

edits

Retrieved from "https://allegro-packets.com/wiki/Special:MobileDiff/1978"

Navigation menu