Http request - password

IanR · December 20, 2017, 1:15pm

Hello
When I am sending a request (eg switch on a light) from another unit (eg Arduino) using http://hg_address/api/HomeAutomation.ArduinoDemo/3/Control.On this works OK but if I turn on the password on HG so I have to use a password to log in every time, the link stops working. How do I change this link so it works again?
I like the idea of a more secure HG unit but I need to communicate to it.

Any ideas please.
IanR

raptorjr · December 20, 2017, 7:20pm

Don’t know if this is what you are looking for?

But I don’t know how much more secure it is since I guess the username and password is sent in plain text? Have never used it but since it is not https I think it is how it works. But if someone knows how secure/unsecure it is please post.

David_Wallis · December 21, 2017, 2:11pm

I kind of got around this by putting an nginx reverse proxy on that and configuring basic auth in nginx (with letsencrypt SSL) I then excluded auth on a very specific program API that I wanted to expose to IFTTT

Claton · December 25, 2017, 9:34pm

I just tried this on IFTTT and it works.

http://admin:yourpassword@yourdomain:port#/api/HomeAutomation.X10/A6/Control.Off
port number is only required if different than 80

Glad to have found this post. Although I operate on a different port than 80 that kind of “hides” this activity I really like having password protection from the outside. I will be updating my mass of IFTTT applets right away.

Thanks raptorjr for the link!!

David_Wallis · January 2, 2018, 9:48am

I would recommend you get a certificate on there, as using basic auth the password is sent in clear text (Base64 Encoded)

I would also seriously recommend people don’t HG for home security if the box is exposed to the internet… (personally I wouldn’t advise using HG as an Alarm system either as your insurance company might not like it, but that’s another post for another day!)

DaniMail · January 3, 2018, 9:19am

I am interresting to setup nginx. Can you give us a tutorial on how to install that solution on RaspiHG ? Thank’s and happy new year.

David_Wallis · January 3, 2018, 10:42am

I posted it on the old forum, but I cant browse that from here unfortunatley…

Bounz · January 3, 2018, 3:03pm

Hi, folks.
I found the place that should be uncommented so authentication works.
But it is related to the MIG library and my previous PR is hanging for about 2 months already.

I don’t want to create another PR and I’m thinking about creating a hard fork of these projects to be able to maintain them.

Meanwhile, if you want to test basic auth by yourself you can replace MIG.dll in your HomeGenie installation folder with this one MIG.dll (73.5 KB).

To protect yourself against man-in-the-middle attack I would recommend you to access your HG installation over https. You can achieve this either by using any kind of web-server in front of your HG or use Cloudflare.

P.S. Discovered that Home Genie Plus application on Android doesn’t support basic authentication

IanR · January 5, 2018, 9:18am

Hello Bounz
Sorry I have been busy during the holidays.
Thank you for the dll file, I have checked it on my test unit and the Basic Authentication works.
I am hoping to negate the man-in-the-middle attack as I am only looking to use this on my own network, and all remote connections to use a VPN.
info: I have some Arduinos that are on my network that I wanted to connect to HG, and keep HG password protected and this looks to be the solution.

Thanks for the help
IanR

David_Wallis · January 8, 2018, 2:14pm

id be interested in using the basic auth too annoying if we have to go for a fork, but if thats what works then…

David_Wallis · January 8, 2018, 2:16pm

It depends on what you are trying to protect against

What is the risk or issue you are protecting against?

IanR · January 8, 2018, 5:21pm

Hello David_Wallis
The password is the HG password that protects HG from miss use, just by using the built in password/username the one in the maintenance/setup section of HG.
At the moment I don’t use HG over the internet but that is a goal at some point and I hope to be using a VPN conation and HG’s login (password). But when I use the login (password) on HG then I could not get data to HG from the Arduinos over http.
With the Mig.dll file from Bounz I can now get data into a password protected HG setup.
I am not looking at a specific threat just looking at HG’s inbuilt security.
IanR

David_Wallis · January 9, 2018, 11:48am

Ahh ok

How are you getting data into hg from the arduino? I am using mqtt on mine

IanR · January 9, 2018, 4:20pm

Hello David_Wallis.
I am using HG’s Http ability eg http:// < ipaddress >/api/HomeAutomation.ArduinoDemo/1/Contrail.on,
I created Arduino and HG demo programs in the old forum, sorry I cant open the old forum at the moment to give you link.
There is some info on HG’s Http ability in the HG docs on the HG website as well.
If you want I can try and find the code and repost it but it may take a day or 2.
IanR

David_Wallis · January 9, 2018, 4:56pm

dont worry about it

IanR · March 5, 2018, 11:28am

Hello
Sorry for delay I found I can now access the old forum.
The demo is at: old forum :two led control with 2 switch module using HomeGenie and arduino .
If it helps any one.
IanR