How to enable https on Raspberry Pi 4 running 64bit bookworm

Hello,

I recently installed Anthias on a Raspberry Pi 4 with 4GB RAM running on bookworm lite 64bit OS. I am able to successfully access Anthias on port 80 (http:), but NOT on https: (port 443). I have no firewall on the device.

When I first ran the enable_ssl.sh script, it gave an error saying that ansible was not found. So, I installed ansible (sudo apt install ansible). After which I was able to run the script with the results below:

+ cd /home/pi/screenly/ansible
+ sudo -E ansible-playbook -t enable-ssl site.yml

PLAY [Install Anthias] **********************************************************************************************************************************

TASK [Gathering Facts] **********************************************************************************************************************************
ok: [localhost]

PLAY RECAP **********************************************************************************************************************************************
localhost                  : ok=1    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

+ set +x
You should be all set. You should be able to access Anthias' management interface at https://<your IP>
NOTE: If you have the firewall enabled, make sure to open it up for HTTPS (port 443).
Assuming you're running UFW, the command is:
sudo ufw allow 443/tcp

For extra measure, I rebooted the Pi and tried to browse to https://<ip_address> and it resulted in the generic “refused to connect” message on my web browser.

Furthermore, the port on the anthias-nginx docker image still says port 80. This looks peculiar, however, not exactly sure if this means anything.

96b5d27087ab   screenly/anthias-nginx:latest-pi4          "/usr/bin/entry.sh n…"   57 minutes ago   Up 26 minutes   0.0.0.0:80->80/tcp, :::80->80/tcp   screenly-anthias-nginx-1

It seems the enable_ssl.sh didn’t do its job, or did I miss a step?

Appreciate any suggestions or troubleshooting steps.

Thank you!

-sul.

@sul, efforts on fixing HTTPS for Anthias are still in progress. I’ll keep you posted. However, contributions are always welcome.

@nicomiguelino

ah got it! thank you for clarifying. This is a great product and I wish the developers and community best of luck with an https implementation.

Thank you!

-sul.

Mine work behind a reverse proxy if you need public access to them. I do it for testing but it works over ssl with the reverse proxy. Also consider access by a vpn.

@extremeskillz
Thank you for sharing your setup. I plan to look into doing a reverse proxy and allow access to Anthias from the proxy server only. Would appreciate ideas on how the latter is done within the anthias environment. For example, I came across the below nginx directives example, but not sure where to plug it in:

stream {
    #...
    server {
        listen  80;
        allow   192.168.1.2;
        deny    all;
    }
}

best-

-sul.

@extremeskillz, thank you for sharing your setup. @sul, I haven’t tried it yet, but the following might help. For instance, if your Raspberry Pi has an IP address of 192.168.1.2, your NGINX config will look something like the following:

server {
    listen 443 ssl;
    server_name yourdomain.com;

    ssl_certificate /path/to/your/ssl_certificate.crt;
    ssl_certificate_key /path/to/your/ssl_certificate.key;

    # Redirect all HTTPS requests to HTTP
    return 301 http://$host$request_uri;
}

@nicomiguelino
Thank you again for your contribution. This looks promising. May I ask where I might try to plug in the code above in the current Anthias environment on my Raspberry Pi? (Would it be the /etc/nginx/nginx.conf file inside the anthias-nginx container?) Sorry, I’m a bit of a NOOB, especially when it comes to docker stuff.

Thanks in advance for your patience.

-sul.

@sul, apologies for not elaborating on that part earlier.

  • With the setup mentioned above, you’ll not be needing to touch NGINX files inside the anthias-nginx container.
  • You’ll have to do it inside the host OS itself (Raspberry Pi OS Lite).
  • For instance, you can use the following reference for installing NGINX on a Raspberry Pi running Raspberry Pi OS Lite: Install NGINX on Raspberry PI
  • In NGINX, it’s recommended to create a file inside /etc/nginx/sites-enabled. (Any filename will do, as long as it’s inside the sites-enabled directory).

Please don’t hesitate to ask questions. I’ll be happy to help the best I can.

@nicomiguelino
Thank you for clarifying and for the instructions as well as the links to the posts. With your help, I was able to install nginx on the pi, add a self signed certificate using openssl (to test), edit the /etc/nginx/sites-available/default file with the above directives and remove all “listen” references to port 80. After restarting nginx (sudo systemctl restart nginx.service) I was able to successfully browse to https:// where it redirected to Anthias on http (port 80). This certainly helps in situations where a user manually types “https:” as a prefix on their browser to access Anthias.

Hopefully, Anthias can natively support https in the near future. In the meantime, I am still tinkering with reverse proxy. My current bottleneck is kind of a non-technical one, where I’m working with our company’s IT cybersecurity folks to allow the reverse proxy web server to access port 80 on my subnet.

thank you again!

-sul.
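
Added example (not part of the original thread, and not configuration shipped by the Anthias project): the redirect setup above hands the browser back to plain HTTP, whereas a host-level NGINX reverse proxy keeps the browser session on TLS and forwards requests to Anthias locally. Assumptions: the file name, the certificate paths, the server name and the 192.168.1.0/24 client range are placeholders, and the upstream 127.0.0.1:80 relies on the container publishing port 80 on the host as shown in the docker ps output earlier in the thread.

```nginx
# /etc/nginx/sites-enabled/anthias-tls   (file name is a placeholder)
# Runs in the host OS NGINX, not inside the anthias-nginx container.
# Validate with `sudo nginx -t` before restarting nginx.service.

server {
    listen 443 ssl;
    server_name yourdomain.com;                              # placeholder

    ssl_certificate     /path/to/your/ssl_certificate.crt;   # placeholder
    ssl_certificate_key /path/to/your/ssl_certificate.key;   # placeholder
    ssl_protocols       TLSv1.2 TLSv1.3;

    # In the http context, allow/deny belong in a server or location block.
    # Constructed sample range: only these clients are served, others get 403.
    allow 192.168.1.0/24;
    deny  all;

    location / {
        # Forward to the port the Anthias container publishes on this host.
        # The TLS session ends here; this hop is loopback-only HTTP.
        proxy_pass http://127.0.0.1:80;

        # Pass the original request details to the upstream.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

The docker ps line in the first post shows the container bound to 0.0.0.0:80, so Anthias stays reachable over plain HTTP directly on port 80 until that port is restricted separately; the allow/deny rules here only govern connections made to port 443.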
