Indigo Security - To have AND have not!

Posted on
Tue Feb 25, 2014 11:19 am
jeremyjjr offline
Posts: 104
Joined: Sep 10, 2013
Location: St Albans, UK

Indigo Security - To have AND have not!

My current Indigo setup has an Apache2 Reverse Proxy in front of it to provide SSL connectivity and ensure that the Indigo username and password are not transmitted in clear text between the remote web browser and the server. This works really well and allows me to access the web-app and control pages from wherever I am.

However, the one downside to this setup is that 'local' connections (i.e. connections made within the same network on the same subnet) also prompt for the username and password. This is not so great! The intention is that when connecting externally, Indigo prompts for a username and password. When connecting locally, Indigo does not prompt. I know that this is not a built-in capability.

I'm thinking that if I 'offload' the username/password to the Apache2 server and then forward secured, authenticated traffic through to Indigo, but locally connect directly to Indigo, that would work. Just not sure how to do it! Anyone else created this scenario or have any pointers?

Thanks,

Jeremy.

Posted on
Tue Feb 25, 2014 11:43 am
RogueProeliator offline
Posts: 2501
Joined: Nov 13, 2012
Location: Baton Rouge, LA

Re: Indigo Security - To have AND have not!

Jeremy:

I have a similar setup as you, also utilizing Apache's reverse proxy functionality for SSL support... however, note that Indigo is using digest authentication which never transmits the username/password in plain text. Having said that, utilizing SSL is a good practice as otherwise the communication (even once authenticated) is open to the public so to speak.

In terms of authentication inside your local network, I would highly recommend that you leave this turned on - otherwise it would be super trivial to hop on your wireless network and access your house control system.

If you REALLY decide that you still want to try this, one suggestion to investigate would be to turn off Indigo's authentication and instead authenticate it at the Apache "stop". I have not personally tried this, but I think you could make it work (though goodness knows sometimes configurations take some Apache "magic" to make happen...)

Again, I would highly recommend against a setup such as this as the programmer and sometimes-internal-penetration-tester in me cringes at that setup!

Adam

Posted on
Tue Feb 25, 2014 11:51 am
jeremyjjr offline
Posts: 104
Joined: Sep 10, 2013
Location: St Albans, UK

Re: Indigo Security - To have AND have not!

RogueProeliator wrote:
> If you REALLY decide that you still want to try this, one suggestion to investigate would be to turn off Indigo's authentication and instead authenticate it at the Apache "stop". I have not personally tried this, but I think you could make it work (though goodness knows sometimes configurations take some Apache "magic" to make happen...)


I agree that this is not ideal! My target is to enable a simple iPhone 'pinned' web page per room control - effectively creating a group of page links on the iPhone - then allowing anyone in the house to turn these on or off! The scenario would be that my son could have his room controls pinned to his home screen, whilst my daughter has her room pinned to hers ... you get the idea!

Like you, I'm not sure of the Apache configuration required though ...
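
One way the Apache-side arrangement discussed in this thread could look, as an added example that is not part of the original posts and has not been tested against Indigo. It uses Apache 2.4 syntax; the hostname, certificate and password-file paths, the 192.168.1.0/24 subnet and Indigo running on the same machine as Apache are all assumptions.

```apache
# Added example. Needs mod_ssl, mod_proxy, mod_proxy_http,
# mod_auth_basic, mod_authn_file and mod_authz_host enabled.
<VirtualHost *:443>
    ServerName indigo.example.org                          # assumed hostname

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/indigo.crt        # assumed path
    SSLCertificateKeyFile /etc/ssl/private/indigo.key      # assumed path

    # Reverse proxy only; never act as a forward proxy.
    ProxyRequests Off
    ProxyPass        "/" "http://127.0.0.1:8176/"
    ProxyPassReverse "/" "http://127.0.0.1:8176/"

    <Location "/">
        # Credentials are checked here instead of in Indigo.
        # Basic auth is acceptable because this vhost is TLS-only.
        AuthType Basic
        AuthName "Indigo"
        AuthBasicProvider file
        AuthUserFile /etc/apache2/indigo.htpasswd          # assumed path

        # Either condition grants access:
        #   - the client address is on the home subnet (no prompt), or
        #   - the client supplied a valid username and password.
        <RequireAny>
            Require ip 192.168.1.0/24                      # assumed local subnet
            Require valid-user
        </RequireAny>
    </Location>
</VirtualHost>
```

With Indigo's own authentication turned off, this is the only check left, so Indigo's port has to be unreachable except through the proxy. `Require ip` matches the address Apache sees, which behind another proxy or a NAT device may be that device's address for every client.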

Posted on
Tue Feb 25, 2014 1:24 pm
RogueProeliator offline
Posts: 2501
Joined: Nov 13, 2012
Location: Baton Rouge, LA

Re: Indigo Security - To have AND have not!

jeremyjjr wrote:
> My target is to enable a simple iPhone 'pinned' web page per room control - effectively creating a group of page links on the iPhone - then allowing anyone in the house to turn these on or off!

You may be able to embed the username/password in the URL... I have not tried this on the iPhone, but I created a test link on desktop Safari and it worked:

http://username:password@ipaddress:8176/

If you could get those credentials in the bookmark on iPhone, it may work seamlessly with security enabled. Just a thought.

Adam
