Expose remoteRotator to the Internet
Sometimes we want to control our rotators through the internet. Exposing remoteRotator directly to the internet is not a good idea and should be avoided. The preferred way to make the remoteRotator web interface available to the internet is to put a webserver (reverse proxy) in front of remoteRotator. There are plenty of production-grade, open-source web servers available. Just to name a few: Caddy, lighttpd, nginx,...
This tutorial will use Caddy v2, as it is a lightweight, modern, and easy to use webserver.
Head over to Caddy's download site and fetch a copy of the version needed for your operating system / CPU architecture. For this tutorial, you only need the plain version of Caddy. No additional plugins needed. In this tutorial, we assume that the caddy executable is located in /usr/local/bin/caddy.
Each Caddy instance is configured through a Caddyfile. So let's create a simple Caddyfile for:
- the Caddy web server, exposed to the internet on port 8080
- one local remoteRotator instance listening on HTTP port 7070 on the same machine
- username & password protection (username: tobias, password: mypasswd)
- gzip compression
Open a new file with your favorite editor:

```
$ vim ./Caddyfile
```

and copy the following content into the file:

```
:8080 {
	basicauth {
		tobias JDJhJDE0JGlSeUtsSGthN2pPdTJMckJkQzEycmVXd3NKN3dJd3ZPZC9YOUpwcVE4dndpTEFVWmZMbTUy
	}
	reverse_proxy /* localhost:7070
	encode gzip
}
```
Since Caddy v2 does not allow plain passwords anymore, we have to hash the password using the caddy hash-password command. The resulting password hash for user tobias is JDJhJDE0JGlSeUtsSGthN2pPdTJMckJkQzEycmVXd3NKN3dJd3ZPZC9YOUpwcVE4dndpTEFVWmZMbTUy.
The key point is that we are using Caddy as a reverse proxy, forwarding the incoming traffic to localhost port 7070, on which our remoteRotator instance will be listening.
Now we can run our local instance of remoteRotator in one shell (adapt to your needs) and Caddy in another:

```
$ ./remoteRotator server lan -n "40m Yagi" -t "dummy" -w "0.0.0.0"
no config file found
2018/01/21 18:36:36 added rotator (40m Yagi)
2018/01/21 18:36:36 listening on 0.0.0.0:7070 for HTTP connections
```

```
$ caddy run --config ./Caddyfile
```

Now you just have to make sure that port 8080 on your home router is forwarded to the machine on which Caddy is running. You will find plenty of tutorials on the internet on how to do this.
With the port forwarding on our router properly configured, we can now access our rotator through the internet. If you don't know the IP which has been assigned to you by your ISP, check out whatismyip.com.
When trying to access our remoteRotator, we are prompted to enter our username & password:
After the successful authentication, we can access our rotator. Sweet!
Although the setup above works, it has some flaws which we want to fix:
- Use a proper domain name so that we don't have to use the IP address anymore.
- Use TLS encryption so that our data (incl. username & password) are properly encrypted when sent over the wire.
There are plenty of tutorials on the internet on how to obtain a domain name. You might want to consider using a dynamic DNS service like no-ip.com. Because most ISPs re-assign you a new IP address every now and then, a dynDNS service will automatically update the DNS entry for your home network (or wherever Caddy & remoteRotator are running). We will assume that you already have a DNS name and a DNS A record pointing to the IP address where Caddy is running.
The nice thing about Caddy is that it will automatically request and install a free TLS certificate from Let's Encrypt for our webserver. Sweet!
Let's also add another rotator and use remoteRotator's web aggregator.
So let's update our Caddyfile:

```
rotator.dh1tw.de {
	basicauth {
		tobias JDJhJDE0JGlSeUtsSGthN2pPdTJMckJkQzEycmVXd3NKN3dJd3ZPZC9YOUpwcVE4dndpTEFVWmZMbTUy
	}
	# the web aggregator listens on 127.0.0.1:7000 (see the `remoteRotator web` output below)
	reverse_proxy /* localhost:7000
	encode gzip
}
```
For this tutorial, I have created the subdomain rotators.dh1tw.de and pointed its DNS A record to my server's IP address (you do this at your DNS hosting provider). Caddy listens by default on port 443 (HTTPS). Binding to ports below 1024 typically requires elevated privileges. On Linux, the correct way is to give the Caddy binary permission to bind port 443 without running as root. This can be done with the setcap command.
Let's check where the caddy binary is located:

```
$ which caddy
/usr/local/bin/caddy
```

Allow caddy to bind ports below 1024 without elevated privileges:

```
$ sudo setcap cap_net_bind_service=+ep /usr/local/bin/caddy
```

Now let's fire up two (dummy) rotators, the web aggregator and caddy, each in their own shell:

```
$ ./remoteRotator server lan -n "40m Yagi" -t "dummy" -w "0.0.0.0"
no config file found
2018/01/21 18:42:33 added rotator (40m Yagi)
2018/01/21 18:42:33 listening on 0.0.0.0:7070 for HTTP connections
```

```
$ ./remoteRotator server lan -n "20m Yagi" -t "dummy" -w "0.0.0.0" -k 7071
no config file found
2018/01/21 18:42:36 added rotator (20m Yagi)
2018/01/21 18:42:36 listening on 0.0.0.0:7071 for HTTP connections
```

```
$ ./remoteRotator web
no config file found
2018/01/21 20:43:03 listening on 127.0.0.1:7000 for HTTP connections
```

```
$ caddy run --config ./Caddyfile
```

When we browse to our domain, the browser now shows the TLS padlock next to the URL.
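As an added example (not code from the remoteRotator project or from Caddy), the POSIX shell script below checks the points this tutorial relies on: that every site block which reverse-proxies to remoteRotator also carries a basicauth block, that the credential value is a bcrypt hash rather than a plain password (the hash from this page is the one checked; it is base64-wrapped, as `caddy hash-password` printed it for the Caddy v2 release used here), and that remoteRotator's own port, which the `-w "0.0.0.0"` flag binds on every interface, is not answering without Caddy's authentication, which is the page's own reason for not exposing remoteRotator directly. The Caddyfiles and the `ss -ltn` lines it reads are constructed samples embedded in the script; the suggested fix `-w 127.0.0.1` reuses the tutorial's `-w` flag with the loopback address; the `LIVE=1` branch and its URL `http://localhost:8080/` are assumptions that only apply with the services from this page running.

```shell
#!/bin/sh
# Added example (not part of remoteRotator or Caddy): checks for the setup in
# this tutorial. Caddyfiles and `ss -ltn` lines below are constructed samples;
# the credential hash is the one the tutorial uses.
TUTORIAL_HASH='JDJhJDE0JGlSeUtsSGthN2pPdTJMckJkQzEycmVXd3NKN3dJd3ZPZC9YOUpwcVE4dndpTEFVWmZMbTUy'

# Each site block that reverse-proxies to remoteRotator must also carry a
# basicauth block. Prints one line per site block; exit 1 if any block lacks it.
caddyfile_auth_check() {
  awk '
    /[{][[:space:]]*$/ && depth == 0 { site = $1; has_auth = 0; has_proxy = 0 }
    /[{]/                  { depth++ }
    /basicauth|basic_auth/ { has_auth = 1 }
    /reverse_proxy/        { has_proxy = 1 }
    /[}]/ {
      if (--depth == 0) {
        if (has_proxy && !has_auth) { print site ": missing basicauth"; bad = 1 }
        else                        { print site ": ok" }
      }
    }
    END { exit bad }
  ' "$1"
}

# The value behind the username must be a bcrypt hash, never the plain
# password. Accepts the base64-wrapped form shown on this page (the output of
# `caddy hash-password` in the Caddy v2 release used here) or a raw
# $2a$/$2b$/$2y$ string. Exit 0 if it parses as bcrypt.
hash_is_bcrypt() {
  case "$1" in
    '$2'[aby]'$'*) decoded="$1" ;;
    *) decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1 ;;
  esac
  printf '%s' "$decoded" | grep -Eq '^\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$'
}

# remoteRotator started with -w "0.0.0.0" binds every interface, so its port
# answers without Caddy's basicauth to anything that can reach it. Reads
# `ss -ltn` output from a file; exit 1 if a backend port is wildcard-bound.
backend_exposure_check() {
  ss_output="$1"; shift
  rc=0
  for port in "$@"; do
    if grep -Eq "[[:space:]](0\.0\.0\.0|\*|\[::\]):$port[[:space:]]" "$ss_output"; then
      echo "port $port is bound to a wildcard address: reachable without basicauth"
      rc=1
    fi
  done
  return $rc
}

# Live check (only with LIVE=1 and Caddy running): no credentials must give
# 401, the tutorial credentials 200. The URL is an assumption.
live_auth_check() {
  no_cred=$(curl -s -o /dev/null -w '%{http_code}' "$1")
  with_cred=$(curl -s -o /dev/null -w '%{http_code}' -u "$2:$3" "$1")
  [ "$no_cred" = "401" ] && [ "$with_cred" = "200" ]
}

# --- constructed samples ---
tmp=$(mktemp -d)
cat > "$tmp/Caddyfile.weak" <<'EOF'
:8080 {
  reverse_proxy /* localhost:7070
  encode gzip
}
EOF
cat > "$tmp/Caddyfile" <<EOF
:8080 {
  basicauth {
    tobias $TUTORIAL_HASH
  }
  reverse_proxy /* localhost:7070
  encode gzip
}
EOF
cat > "$tmp/ss.txt" <<'EOF'
LISTEN 0      4096   0.0.0.0:7070        0.0.0.0:*
LISTEN 0      4096   127.0.0.1:7000      0.0.0.0:*
LISTEN 0      4096   *:8080              *:*
EOF

caddyfile_auth_check "$tmp/Caddyfile.weak" || echo "(fix: add a basicauth block)"
caddyfile_auth_check "$tmp/Caddyfile"
hash_is_bcrypt "$TUTORIAL_HASH" && echo "credential value is a bcrypt hash"
hash_is_bcrypt "mypasswd" || echo "plain password rejected"
backend_exposure_check "$tmp/ss.txt" 7070 7000 \
  || echo "(fix: start remoteRotator with -w 127.0.0.1, or firewall that port)"
if [ "${LIVE:-0}" = "1" ]; then
  live_auth_check "http://localhost:8080/" tobias mypasswd \
    && echo "live auth check passed" || echo "live auth check FAILED"
fi
```

Run it as `sh check.sh` for the offline checks, or `LIVE=1 sh check.sh` once Caddy is up on port 8080. The awk pass only tracks brace depth, so it handles the two Caddyfiles on this page and similar simple ones; the bcrypt check decodes the base64 wrapper and then insists on the `$2x$NN$` prefix plus 53 hash characters, which is what rejects a plain password pasted where the hash belongs.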