THINGS USED IN THIS PROJECT
Its always been the drea of every maker to develop a cool web service for their IoT products and intercat with it from “THINGS”. But when it comes to accessing the services on a raspberry pi on a local network with the external world, it becomes difficult; YOUR RASPBERRY PI IS NOT ACCCESSIBLE OUTSIDE YOUR HOME NETWORK.
Fortunately this tutorial will cover how to push web service running on your local Raspberry pi outside your home network securely.
When you configure your raspberry pi to connect to the internet, you generally configure the wpa_supplicant file with the details of your wifi routers access details. This in turn allows your raspberry pi to authenticate with your router and get an address provided by your router. This mechanism is called DHCP. you can always assign a static IP to the raspberry pi as well.
However, here is the issue. your raspberry pi will get a address like 192.168.1.x or so from your router and the router sets up what is called a private home network of such connected devices. This IP address is private to your home network cannot be accessed from the outside network; i.e. the INTERNET.
The possible solution:
Developers have generally resorted to a process called NATing where you tell the router that the requests coming at a particular incoming port to the Public adress of your router be routed to a machine inside your routers private network; that is your home network. This is riddled with security issues though and then additionally requires complex firewall, Auth settings to make sure your not compromised.
But these exist that light at the end of the tunnel in the form of service like ngrok and dataplicity.io that help you get your services running on the raspberry pi to the cloud. we will look at both of them and their setup below
Ngrok is; as they put it; “Secure tunnels to localhost”. ngrok pushes the port that you specify in the ngrok config file to the cloud via their online service. The service is free to forward one port and for multiple ports with access control they charge a nominal fee.ngrok has no external dependencies
Fire up your raspberry pi 2 or 3 and run the following commands:
mkdir ngrok_setup cd ngrok_setup wget https://bin.equinox.io/c/4VmDzA7iaHb/ngrok-stable-linux-arm.zip unzip /path/to/ngrok.zip
Now that you have the application unzipped. lets run the help:
Expose a local web server to the internet
ngrok allows you to expose a web server running on your local machine to the internet. Just tell ngrok what port your web server is listening on.
If you don’t know what port your web server is listening on, it’s probably port 80, the default for HTTP.
./ngrok http 80
This will allow the ngrok services to expose your port 80 to the cloud via a url like this:
ngrok by 2.0/2.0 Web Interface http://127.0.0.1:4040 Forwarding http://xxxxxxxxx.ngrok.io -> localhost:80 Forwarding https://xxxxxxxxx.ngrok.io -> localhost:80 Connnections ttl opn rt1 rt5 p50 p90 0 0 0.00 0.00 0.00 0.00Tunnel Status online Version
if you visit the URL at
https://xxxxxxxxx.ngrok.io you will be able to see the web services hosted by you at port 80
Inspecting your traffic
Ngrok provides a mechanism to view your network traffic at the forwarded port
After you’ve started ngrok, just open http://localhost:4040 in a web browser to inspect request details.
You can Try making a request to your public URL. After you have done so, look back at the Inspection UI. You will see all of the details of the request and response including the time, duration, headers, query parameters and request payload as well as the raw bytes on the wire.
The ngrok configuration file
Sometimes your configuration for ngrok is too complex to be expressed in command line options. ngrok supports an optional, extremely simple YAML configuration file which provides you with the power to run multiple tunnels simultaneously as well as to tweak some of ngrok’s more arcane settings.
Configuration file location
You may pass a path to an explicit configuration file with the
-config option. This is recommended for all production deployments.
Explicitly specify a configuration file location
ngrok http -config=/opt/ngrok/conf/ngrok.yml 8000
You may pass the
-config option more than once. If you do, the first configuration is parsed and each successive configuration is merged on top of it. This allows you to have per-project ngrok configuration files with tunnel definitions but a master configuration file in your home directory with your authtoken and other global settings.
Specify an additional configuration file with project-specific overrides
ngrok start -config ~/ngrok.yml -config ~/projects/example/ngrok.yml demo admin
Default configuration file location
If you don’t specify a location for a configuration file, ngrok tries to read one from the default location
$HOME/.ngrok2/ngrok.yml .The configuration file is optional
In the default path, $HOME is the home directory for the current user as defined by your operating system. It is not the environment variable $HOME, although they are often the same. For major operating systems, if your username is
example the default configuration would likely be found at the following paths:
for Linux is it at /home/<username>/.ngrok2/ngrok.yml
The most common use of the configuration file is to define tunnel configurations. Defining tunnel configurations is useful because you may then start pre-configured tunnels by name from your command line without remembering all of the right arguments every time.
Tunnels are defined as mapping of name -> configuration under the
tunnelsproperty in your configuration file.
Define two tunnels named ‘httpbin’ and ‘demo’
tunnels: httpbin: proto: http addr: 8000 subdomain: alan-httpbin demo: proto: http addr: 9090 hostname: demo.inconshreveable.com inspect: false auth: "demo:secret"
Start the tunnel named ‘httpbin’
ngrok start httpbin
Each tunnel you define is a map of configuration option names to values. The name of a configuration option is usually the same as its corresponding command line switch. Every tunnel must define
addr. Other properties are available and many are protocol-specific.
Dataplicity is a remote terminal for your Pi.
It offers functionality similar to SSH, but it doesn’t need any complex set-up to get it working behind firewalls and NAT.
It’s your Pi, but you see it on your laptop
Open a browser window, and go to www.dataplicity.com (opens in new window).
The web page asks you to:
- ‘Enter your email address’. The sign up process generates a line of code.
- ‘Copy the line of code into your Raspberry Pi terminal to activate your remote shell’.
Next copy the string on the webpage and type it in you Pi.
When you’ve put in the code, Dataplicity updates the system packages (this can take up to 15 minutes), and installs.
While you’re waiting, use your laptop to open the email we’ve just sent you. Hit the button to go to the site.
We give you the code to paste into your terminal again, and there’s a login button.
If you haven’t done it yet, copy the code on the Hello page into the terminal on your Pi to get it going.
When you’re in, click on Home to see the Device list (you may need to wait for the five step installation on your Pi to finish).
You can add more Raspberry Pi computers to your Dataplicity account, and open each from your Device list.
In the Device list click on the link to your Pi. This takes you to your Dataplicity Terminal.
How it works:
Here is how dataplicity works:
Now you can host a service on your reaspberry pi and expose it via the Dataplicity WormHole feature as described here: http://docs.dataplicity.com/docs/host-a-website-from-your-pi
When you switch on Wormhole you are placing the web service hosted on your Pi directly on the wider internet. That’s actually the point, but what it means is that you need to take special care in what you put online.
Just to avoid confusion it’s sensible to close the device port by installing a firewall. Depending on your application you may also wish to enable HTTP basic-authentication from the NGINX configuration, and require a password for website access.
Dataplicity has put together some basic tips for Securing Wormhole. Please go through the same for securing your tunnel.
Hope this tutorial was helpful and will get you started on connecting your very own web-services to the cloud. Keep in mind the raspberry pi is a resource constrained device. Do not use it to host high traffic services.