Archived Forum

For anyone who's interested, this is the process I took to enable https access for my Raspberry Pi and protect emoncms.

SSL Certficates
SSL certificates can be quite expensive, but StartSSL offer class 1 certificates free, and which on most browsers do not flag up the 'untrusted site' warning. However, I found their website wizard quite difficult to follow, and this guide helped me sort it out
NOTE: ensure that you download the sha256 intermediate certificate, and not the sha1 intermediate certificate as prompted in the StartCom toolbox. (see this article).

Port forwarding
Ensure that port 443 is open in your router

Configuration
Once you have your certificates, edit your SSL Virtual Host file;

sudo nano /etc/apache2/sites-available/default-ssl

In the section <VirtualHost _default_:443>  add 'ServerName yourdomain.co.uk' just under 'ServerAdmin'.
In the section <Directory /> change 'AllowOverride None' to 'AllowOverride All'
In section <Directory /var/www/> change 'AllowOverride None' to 'AllowOverride All'
Further down, enter the name of your 3 certificates against the proposed locations, un-commenting  #SSLCertificateChainFile (the SSLCertificateChainFile is the sub.class1.server.ca.pem certificate that is downloaded from StartSSL).
Save the file, and then copy the respective certificates to the locations specified in the default-ssl file, and chmod both your SSLCertificateFile & SSLCertificateKeyFile to 400 to ensure that they are secure.

So far, none of the changes will be evident to the system because the default-ssl file is not loaded and SSL has not been activated, so to do so;

sudo a2ensite default-ssl
sudo a2enmod ssl
sudo /etc/init.d/apache2 restart

Now navigate to https://yourdomain.co.uk and hopefully you should have https access!

If however, you want to return things back to how they were before the changes above;

sudo a2dissite default-ssl
sudo a2dismod ssl
sudo /etc/init.d/apache2 restart

emoncms & emonhub
Emoncms and emonhub should work under https without any changes to the system, however if you have any pre-existing dashboards with graphs, they will have been saved to the dashboard using the absolute URL that you used when saving the graph (http not https), so you have two options;
Either, edit the graph within the dashboard and save it back (it will then use the https URL), or as I did edit your MYSQL dashboard column, adding a 's' to any http URL's.

Restricting site to https only

sudo nano /etc/apache2/sites-available/default

Add a Rewrite rule within the section <VirtualHost *:80> and underneath 'DocumentRoot', add:

RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteCond %{REMOTE_ADDR} !127\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}
RewriteRule ^(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]

..to redirect port 80 requests to https, and yet allow emonhub to communicate via localhost .

Save the 'default' file and restart apache as per above command.

No guarantees! this is my learning curve of adding an extra layer of security to my raspberry pi, if anyone has any suggestions how to improve/add to this, then please add it below or PM me.

Paul