WX ESP8266 Forwarding to WWW and Protecting Setting Pages
Shawna
in Propeller 1
I just got my ESP8266 module. It is great and I am having fun messing with it!
I would like to access it from outside my internal network. I have the server forwarded, but is there any way to password protect or turn off the settings pages so any random Joe can't screw with them?
Is there a way to change the port to something other than 80?
Thanks
Shawn
Comments
I wasn't thinking https, just the ability to change the port.
Does it require sdk to alter the Github files?
Nice Job by the way!
My interest is for accessing it from outside my local network, but I am not real savvy on these things. Even if I never figure it out, having the ability to program and monitor my projects remotely is priceless! Everyone should have one of these modules, they are pretty reasonably priced.
Thanks
It would keep the average idiot out of the settings file, and make the average clueless person like me feel more secure. LOL
I don't plan on having anything real critical attached, but I wonder if someone could brick the module easily with access to the setting pages.
I personally think that anything can be hacked given motivation and time! I may be wrong!
Thanks for the info on the SDK, I will download it and see if I can interpret anything.
Here: https://forums.parallax.com/discussion/169250/parallaxwx-esp8266-raspberrypi-debian-esp-open-sdk-simpleide-openspin-proploader-devel/p1
As you will see, on the first page, I include a warning that these devices are NOT secure.
Currently the only way to secure them is to modify the server code (which, as @"David Betz" says, might be a feat due to the limits of the esp8266 chip).
However, I think it's possible to spoof the interfaces using a router port that translates to an internal port on your LAN, which points to the Parallax-ESP module.
Depending on your router, you can set up some pretty complicated tunneling and vpn connections between your pc and the parallax-esp module.
I haven't tried it myself, but many routers now run the custom router software DDWRT, which includes ways to make what you are doing more secure.
I don't know how I would go about doing this, but to really do it proper, you would probably need two ddwrt routers, one on each end of the tunnel, and then you set up each one to use an ssh tunnel between each other, which then translates that tunnel into the desired ports on the lan side of the router.
So the router connects to the other router on a password protected encrypted SSH connection, and each router is configured to NAT the ssh data to a specific lan side IP address.
This is some pretty deep networking, so I hope you want to learn... because you will need to.
Again, I don't know if this is possible or easy, or exactly how to do it, but I think a secure tunnel configured between two routers is the way to go here.
Bricking the wifi device isn't really a concern as it's easy to recover them. The ISSUE that I would be concerned about is the ability to inject harmful code into the ParallaxWX device, which would possibly act like a relay for the attacker to gain access to your internal network. Because no password is used to upload firmware, this could be done pretty easily by anyone with access to the interface of the Parallax-ESP device, if they know the device and code.
https://www.enterprisenetworkingplanet.com/netsp/article.php/3624566/Networking-101-Understanding-Tunneling.htm
Perhaps someone here can point you to a better instructional that will help you set up your connections.
Again, this is easier to do with a router that can run DDWRT.
I would go buy two identical routers and install them at each end, and then make an encrypted ssh tunnel between them, which are set up to reroute my ParallaxESP's ports to the tunnel.
Again, I have never done this .. yet...
I am sure others here do exactly this with their own routers, and perhaps they will make a post here and offer some advice.
The html is encrypted ALREADY, before uploading them to the ESP.
The data would be sent to you encrypted, and then you would need to do local side decryption/re-encryption.
https://www.maxlaumeister.com/clientside-html-password/
I don't know if these will work. They use java, and I am not sure if it's server side java; it says it's client side java, so it might just work.
https://jjssoftware.github.io/secure-your-esp8266/
https://www.wikihow.com/Password-Protect-a-Web-Page
https://www.mtopsoft.com/htmllock/iframe.htm
I might try one of these methods myself, because I have wanted this also.
WIFI, the internet WILL ALWAYS BE INSECURE!!!!
NO, YOU SHOULDN'T ATTACH YOUR PACEMAKER TO THE INTERNET! Or YOUR NUKES, OR YOUR CAR, ETC.... https://hackaday.com/2017/10/16/oh-great-wpa2-is-broken/
A REAL POINT TO MAKE ABOUT OPENSOURCE, SECURITY, AND PARALLAX'S CHOICE TO REMAIN OPEN. Scary huh? Hey wifi product makers, it's time for opensource. YOU CANNOT KEEP UP ALONE. PERIOD.
The Espressif code for newer versions is rarely integrated into the custom-use firmware used on the esp devices.
Opensource lets end users who are gifted enough to know how to grind this update...
https://github.com/espressif/ESP8266_NONOS_SDK
Into their 8266 device's custom code, it requires changing the source EVEN MORE than possibly just figuring out a way to implement https or encrypt the whole code/server?
Start using https://www.eff.org/https-everywhere
You can go to their website and look at the list of supported routers.
Attached image is the OPENVPN server/client page of the DDWRT router if it was running on your router.
What would be wrong with interposing a minimalist Linux box running Apache between the web and your ESP8266? You could link to your device via a webpage on Apache, protected by an .htaccess file.
-Phil
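The arrangement suggested in the post above, sketched as an Apache virtual host (an added example, not part of the thread or of any poster's setup). The hostname, the module's LAN address 192.168.1.50, the certificate paths and the password file are assumptions; the login directives sit in the virtual host rather than in an .htaccess file because ProxyPass is not permitted in .htaccess.

```apache
# Added example: Apache as an authenticating reverse proxy in front of the
# WX module. Assumed values (not from the thread): wx.example.net,
# 192.168.1.50, and the certificate / password-file paths below.
# Modules needed: mod_ssl, mod_proxy, mod_proxy_http, mod_auth_basic,
# mod_authn_file, mod_authz_user.

<VirtualHost *:443>
    ServerName wx.example.net

    # Basic auth sends the password base64-encoded, not encrypted,
    # so it is only offered inside TLS.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/wx.example.net.pem
    SSLCertificateKeyFile /etc/ssl/private/wx.example.net.key

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off
    ProxyPass        / http://192.168.1.50/
    ProxyPassReverse / http://192.168.1.50/

    # Every path on the module requires a login, including the settings
    # and firmware-upload pages, not just the landing page.
    <Location "/">
        AuthType Basic
        AuthName "WX module"
        # Create the file once with: htpasswd -c /etc/apache2/wx.htpasswd admin
        AuthUserFile /etc/apache2/wx.htpasswd
        Require valid-user
    </Location>
</VirtualHost>

# Port 80 only redirects to HTTPS; nothing is proxied in cleartext.
<VirtualHost *:80>
    ServerName wx.example.net
    Redirect permanent / https://wx.example.net/
</VirtualHost>
```

For this to protect anything, the router must forward only to the Apache box, and the existing port forward that points straight at the module must be removed.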
I recently bought an Asus router, I think it runs something comparable to DDWRT. I did manage to set up an openvpn server on it.
Thanks
Shawn
https://maxlaumeister.com/clientside-html-password/
I managed to modify the code so it doesn't have to go out to github for the .js files.
I loaded a test page and the .js files to the WX module and it seems to work. I am not sure how secure this method is, but it's good enough for me. There is nothing real special on my network.
I am going to try and figure out how to open up the WX api pack and then apply this password method to all 4 setting html's on the WX Wifi module.
thanks
Shawn
So I am struggling trying to find the software Espressif SDK and the GCC toolchain.
Is this the right Espressif SDK?
https://github.com/espressif/ESP8266_NONOS_SDK
If so, it looks like it can only run on linux. Is that correct or am I missing something?
I found this GCC Toolchain link, and I downloaded this file: esp8266-gcc5.2.0-r15.exe
gnutoolchains.com/download/
Is this the right GCC Toolchain?
Thanks
Shawn
I switched to linux because it was easier to do compiling and find solutions.
What are you trying to do?
This is what I am envisioning.
I want to modify the default html setting pages and add 2 .js files to the WX.
I want to add the password protection to the html setting pages as outlined in the link you posted above.
https://maxlaumeister.com/clientside-html-password/
I think this should be doable, I just can't figure out where to find them in the "32420-Parallax-ESP-2016-11-02-1804-e.zip" file.
So what I picture is that I need to open up the ota file with the sdk modify the files and recompile, but I have no idea where to start.
I am not sure which SDK file to download or how to install it, and I am also not sure which GCC Toolchain to download or how the two work together. This will be the first time I have messed with an sdk program.
I personally think that a login should be added.
At the same time though, most people may not need or want it, and I don't want to be a nag.
I feel that I should be able to do this with a little guidance. I have the html code and the javascript code I want to add to it, if I could just figure out how to modify files and rebuild them.
At this point it has kind of turned into an obsession, which has led down a rabbit trail away from what I was originally doing. LOL
Edit: The code I have is not suitable for distribution, it's kind of bastardized.
https://github.com/parallaxinc/Parallax-ESP
I HIGHLY suggest you start here: https://forums.parallax.com/discussion/comment/1452980/#Comment_1452980
And follow the steps till you reach the point where you have modified the NAME of the wx device.
Then you can edit the files in this location.---> /Parallax-ESP/html/
All the ParallaxWX pages are in that folder.
But you need to follow the instructions to get to that point, where you have the tool chain built and the files downloaded and you did a test compile.
Then you can modify the html files to suit your needs.
Make sure you have the ParallaxESP device ready to re-flash with a direct serial connection, because if you mess up the OTA upload page in your quest, you won't be able to fix the html using the ota page. That info is also farther down the thread.
I'm sure that can be done, but I'm not that clever.
Even if David can do it and push the commit now, Shawn, you would still need to know how to compile the chain and parallaxesp code.
I think it's a good idea, David. (But don't commit the change, the last 2 ParallaxESP commits broke the chain.)
I'd give it a shot if you have any test code.
I have the chain ready to go.
Oh, I have never tried it using any other method.
I want to change it to something like "Password ESP Settings HTML Pages" zip file.
The password is in the folder under password.
This is very crude, and the password cannot be changed without loading new html files, that's why I say it would not be good for distribution purposes. If I could figure out how to compile the chain I would try it.
I made it to the "make" section of your thread and got an error. I'm not sure what caused it. Any suggestions?
It looks like you forgot the / at the end. Run this again.
This lets the ParallaxESP compilers SEE the xtensa toolkit.
The output of the make should have been...
That solved the error.
While reading through your thread again, I noticed that I did not do this portion.
Is this required?
No, it's extra information on what they say about the use of their tools. I was thinking of just removing it.
But it helps advanced users get deeper.