weewx server?


John W. Springman III

Jan 3, 2023, 12:23:59 PM
to weewx-user
I was able to get the local network page of my weewx station but how do you see this from the public ip?

vince

Jan 3, 2023, 4:46:12 PM
to weewx-user
If you're asking that question, you really shouldn't do it for security reasons.  There are soooo many bots and automated scanners out there looking for victim sites that you'd be massively attacked within literally a minute or two. Please don't.  Really.

But to answer - you'd need to alter your home firewall to permit incoming web traffic to 'only' that computer and tcp/ip port.  Ideally you would have your webserver also running 'only' https (a bit hard on a LAN to do), have lots of logging (syslog), blocking typical attacks (fail2ban) and hopefully even alerting that attacks are even happening.  You should also segment your network so it's on an isolated VLAN so it can't be used as a jumping off point to attack your other home network devices.  That requires special network hardware usually, and some additional level of expertise.  It's a big lift to do correctly.

Simpler answer is to spend a few bucks/month and spin up an AWS Lightsail VM and use weewx's RSYNC uploader to update the Internet webserver with the weewx-generated data automatically.  Lightsail is free for 3 months trial, then $3.50/month.  Small price to pay for peace of mind.

You'd still have to harden your Lightsail VM, but that's far easier to learn how to do.  Get a Let's Encrypt SSL certificate to use only https.  Use the Lightsail console to let 'just' https in.  Install fail2ban.   Very doable.  Lots of guides out there for how to do so if you google a bit.

Doug Jenkins

Jan 4, 2023, 2:41:01 AM
to weewx...@googlegroups.com
If you are willing to roll up your sleeves and get technical, serving your website at home can be done safely and securely without changing your firewall. There are some steps to do, but at the end it will save you money and it will give you some real-world IT experience.

So to self-host your WeeWX website, I would do the following:

NOTE: This is a high-level checklist. There are a lot of steps for each item.

1. Get a domain name. Porkbun.com is cheap, but Google Domains works too.
2. You need to have a NameServer Service to tell the internet where your website is. My checklist will use CloudFlare (free). They have a bunch of services that we are going to use to make this happen.
3. Once you buy your domain name, you will need to point it to Cloudflare's Servers. Cloudflare's setup will walk you through it. This will take 4 - 24 hours to propagate across the internet (your response may vary).
4. Once it is propagated (Cloudflare sends an email to you), you will set up your website inside the tool. We are going to set up a "Zero Trust" tunnel that will create a secure tunnel between Cloudflare and your server. I have a video that walks through this whole process (including configuring Cloudflare):

https://youtu.be/eojWaJQvqiw

This tunnel is the KEY. This tunnel will encrypt the traffic coming to your domain, secure your domain with an SSL Certificate, and essentially expose it directly on your server. Again this service is free for small domains (like weather station sites!) and does not expose your network to the internet directly.

5. Within the tool you will configure your server name and the port (80) on which your webserver is now hosting your WeeWX site. You will have to install a package from Cloudflare to act as the broker for the connection. The video goes over a container approach, but in Cloudflare's documentation, they cover a Linux server install.

The benefits of doing this approach are:

1. Site gets a free SSL certificate (https:) that is handled by Cloudflare.
2. Cloudflare acts as a reverse proxy to broker your connection from the internet to your server and port.
3. The connection between Cloudflare and your server is secure. You do not need to open a port for this.
4. You get website statistics and other security features for your website for free from Cloudflare.

Check out the video and let me know if this helps. There are other resources on the internet that can help on this setup.

Doug Jenkins

--
You received this message because you are subscribed to the Google Groups "weewx-user" group.
To unsubscribe from this group and stop receiving emails from it, send an email to weewx-user+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/weewx-user/4a1e2ea1-74c3-4f08-ac28-2267cb1148f5n%40googlegroups.com.
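One way to carry out Doug's steps 4 and 5 on a plain Linux host, as an added example (not code from the thread or from Cloudflare): the generated config maps only the one public hostname to the weewx web server on port 80 and answers 404 for everything else. The tunnel UUID, the hostname weather.example.com and the /etc/cloudflared path are placeholders and assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): cloudflared config for publishing
# only the weewx web server on port 80 through a Cloudflare Tunnel.
set -eu

# Write cloudflared's config.yml.  $1 = tunnel UUID (printed by
# "cloudflared tunnel create"), $2 = public hostname, $3 = output path.
# Only that hostname is mapped; the catch-all rule makes cloudflared answer
# 404 for anything else, so no other LAN service is reachable through it.
write_cloudflared_config() {
  tunnel_id=$1; hostname=$2; out=$3
  cat > "$out" <<EOF
tunnel: $tunnel_id
credentials-file: /etc/cloudflared/$tunnel_id.json
ingress:
  - hostname: $hostname
    service: http://localhost:80
  - service: http_status:404
EOF
}

# Number of ingress rules in a config file (a quick sanity check that the
# catch-all rule is present; cloudflared refuses to start without it).
ingress_rule_count() {
  grep -c '^  - ' "$1"
}

# Typical sequence on the weewx host (needs a Cloudflare account, so the
# cloudflared commands are shown here, not run):
#   cloudflared tunnel login
#   cloudflared tunnel create weewx                  # prints the tunnel UUID
#   cloudflared tunnel route dns weewx weather.example.com
#   write_cloudflared_config <UUID> weather.example.com /etc/cloudflared/config.yml
#   cloudflared tunnel run weewx                     # or: cloudflared service install
```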

Tom Keffer

Jan 4, 2023, 12:17:48 PM
to weewx...@googlegroups.com
Pretty cool. I had no idea Cloudflare offered this.

gary....@gmail.com

Jan 4, 2023, 2:13:21 PM
to weewx-user
Thanks for this. I have a use case for the tunnels and had no idea this existed.

Chuck Rhode

Jan 4, 2023, 4:31:44 PM
to weewx...@googlegroups.com
On Tue, 3 Jan 2023 21:40:43 -0500
Doug Jenkins <do...@dougjenkins.com> wrote:

> My checklist will use CloudFlare (free). They have a bunch of
> services that we are going to use to make this happen.

I have a "burr under my tail" about CloudFlare. This four-year-old
blog entry echoes my objections.

- Walsh, Ray. "How CloudFlare and ReCaptcha Are Ruining the Net (and
What to Do)." Blog. 8 Nov. 2018. ProPrivacy. 4 Jan. 2023
<https://proprivacy.com/privacy-news/cloudflare-recaptcha-nightmare>.

> Everyone has suffered that annoying moment when CloudFlare serves
> them a Google reCaptcha. Often, the captcha can be a little tricky —
> resulting in failure and multiple attempts. If you are particularly
> unlucky, you could be asked to click images of traffic lights,
> street signs, or zebra crossings — up to five times — before
> Google’s reCaptcha finally accepts that you are human. This is
> totally infuriating and a massive waste of time.

I know this isn't WeeWX-related, but it has to be said wherever
CloudFlare is being promoted.

Basically, CloudFlare does not serve Web pages such as your weather
site equally to all comers. In the name of squelching nefarious 'bot
traffic, CloudFlare insists that some requesters submit to Turing
tests to assess their humanity before serving results. In an ideal
Internet world, all requesters would be treated equally, but
CloudFlare feels it is their mission to treat some more equally than
others. In particular CloudFlare singles out blocks of IP addresses
from certain Internet Service Providers (ISPs) domestically and
overseas for special treatment — not Google, of course — because, in
CloudFlare's sole judgment, CloudFlare deems them to be sources of
spam or hacking activity.

The wall of text posted by commenter Irma Dalakanitzkova is more
specific. In part it reads:

> Unfortunately, using proxy servers, The Onion Browser (TOR), or a
> VPN will NOT DIMINISH but INCREASE the number of CloudFlare's
> reCaptchas!

> <snip> [A] simple comparison of IP addresses is easy to do and
> spells a curse of doom for users of the TOR browser: One gets
> bombarded with that reCaptcha crap — first to access the site, then
> to view links, later to post a comment — SEVERAL TIMES on the same
> page. Furthermore, it's not just two or three pages of stamp-sized
> grainy pictures, but up to a dozen per set. Even if the check-mark is
> placed, after clicking the button, it may very well disappear, and
> the same harassment begins again — up to three to five times. My
> personal record so far were 27 pages of «try again» crosswalks,
> traffic lights, parking meters ... and the time can be up to 10 — 15
> minutes, because each individual little square on each page of a
> sequence of pages takes a painstakingly slow 3 — 5 seconds to change
> from one picture to the next.

> <snip> CloudFlare goes to great lengths to make life for their users
> impossible under the pretext of «bad things are usually being done
> using proxies or VPNs». Guess what, idiots, somebody who has really
> devious intentions will go through the hassle anyway, but, for
> hundreds of millions of ordinary users, this bullshit is a
> curse. CloudFlare's & Google's unholy alliance, forcing educated
> grown-ups to waste hours per week clicking on hardly decipherable,
> grainy, tiny thumbnails, is a perfect example of a cure that's worse
> than the disease. Especially for merely passive use of websites
> (reading, following a link, looking at graphics/pictures).

Ask yourself what you have that a 'bot or a hacker would want to
purloin or interfere with. If you can afford to block readers from
accessing your weather page from an arbitrary but long list of VPNs
around the world, by all means, go ahead then and patronize
CloudFlare. You won't have any trouble from 'bots and hackers.

--
.. Be Seeing You,
.. Chuck Rhode, Sheboygan, WI, USA
.. Weather: http://LacusVeris.com/WX
.. 38° — Wind SW 9 mph


Warren Gill

Jan 4, 2023, 5:47:40 PM
to weewx-user
For something completely different, you can get a free dashboard at adafruit.io and just send them data. I have a crontab running on my weewx box that sends the last readings to the feeds, and their dashboard does the rest. 

vince

Jan 4, 2023, 5:48:59 PM
to weewx-user
On Tuesday, January 3, 2023 at 6:41:01 PM UTC-8 do...@dougjenkins.com wrote:
> If you are willing to roll up your sleeves and get technical, serving your website at home can be done safely and securely without changing your firewall. There are some steps to do, but at the end it will save you money and it will give you some real-world IT experience.


Very cool - thanks for the pointer to the video.  I hadn't previously figured out the Zero Trust terminology enough to try the tunnel stuff. I'll have to try the tunnel thing too!!!!

For the original poster, Doug's steps 1-3 are very easy.  I'd previously done that using Google Domains ($12/year).

Note - you probably still want to possibly harden your weewx webserver a bit.  There are zillions of bots trying to attack web servers 'especially' all things WordPress.  If you go just with a vanilla weewx setup you're likely in very good shape straight out of the box.  Cool cheap option for sure.

Doug Jenkins

Jan 4, 2023, 6:11:49 PM
to weewx...@googlegroups.com
Glad some of you find this useful.

I have been using this method since it came out this summer (July 2022). I run my infrastructure (Web Server, WeeWX, MQTT, MariaDB) as containers in one stack in its own network all in Docker. I do this to limit what the Cloudflare tunnel can access on my network (just WeeWX stuff). All of this works in Docker in one stack and one YAML file!

Like Tom Lawrence mentioned in the video I attached, you have to put Cloudflare in your "circle of trust" as you are depending on them for both the client and server/edge side of the tunnel. You have to make that determination on your own if you are comfortable with that.

As for the other methods mentioned here, they are all great alternatives. I was not aware Adafruit offered a dashboard to present your data. That can be a better alternative than going through the hassle of hosting a full website for your station.

If I get a free moment in a few weeks, I can post a step-by-step article on onboarding your WeeWX weather station as a public website using Cloudflare. I think it can help a lot of users who struggle with the network & security setup.

DDJ


pannetron

Jan 5, 2023, 5:13:20 PM
to weewx-user
If you host a public website from a personal Linux server, as I do, look into using fail2ban as a way to detect and block some bad actor bots.  My implementation currently has about 2500 IPs blocked because they were looking for typical webserver security flaws.
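The kind of check pannetron's fail2ban setup makes, shown as an added example (not from the thread or from fail2ban itself): the same "many 404s from one client" logic that fail2ban's web jails apply, done by hand with awk over a constructed Apache combined-format access log so the rule is visible. The IP addresses, paths and threshold are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the thread): the check fail2ban's web jails make
# (e.g. apache-botsearch), done by hand with awk over a constructed
# Apache combined-format access log so the logic is visible.
set -eu

# Print "count ip" for each client IP whose 404 responses in log $1 reach
# threshold $2 (default 5), most active first.  Field 9 of the combined
# format is the HTTP status; field 1 is the client address.
probing_ips() {
  log=$1; threshold=${2:-5}
  awk -v t="$threshold" '
    $9 == 404 { n[$1]++ }
    END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
  ' "$log" | sort -rn
}

# Constructed sample: 203.0.113.9 walks the usual WordPress/phpMyAdmin probe
# paths a weewx site never serves; 198.51.100.4 is a normal visitor who
# only triggers one 404 (no favicon).
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
203.0.113.9 - - [05/Jan/2023:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Jan/2023:10:00:02 +0000] "GET /xmlrpc.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Jan/2023:10:00:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Jan/2023:10:00:04 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Jan/2023:10:00:05 +0000] "GET /wp-admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Jan/2023:10:00:06 +0000] "GET /admin/config.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.4 - - [05/Jan/2023:10:01:00 +0000] "GET / HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.4 - - [05/Jan/2023:10:01:01 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.4 - - [05/Jan/2023:10:01:02 +0000] "GET /week.html HTTP/1.1" 200 7990 "-" "Mozilla/5.0"
EOF

# On a real host: probing_ips /var/log/apache2/access.log 5
probing_ips "$sample_log"
```

Only the scanner crosses the default threshold; the visitor's single missing favicon does not, which is the distinction a fail2ban maxretry setting is making.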

John W. Springman III

Jan 6, 2023, 8:35:21 AM
to weewx-user
Lots of info.  Thanks.  I have a website domain already and use a Raspberry Pi for this.  I apparently just can't seem to get it to show other than on the local network.

Cameron D

Jan 6, 2023, 1:25:18 PM
to weewx-user
Are you saying that you have a registered domain name (and that is as far as you have gone), or that you have a web server that is already successfully serving other pages to the public internet?
What exactly is that Raspberry Pi doing?  If it is serving web pages, is it the same machine that is running weewx?

John W. Springman III

Jan 7, 2023, 9:45:45 AM
to weewx-user
I have a couple of domain names from Google Domains for the couple of websites I have.  The Raspberry Pi just runs weewx to upload my weather station to some of the options on there, and the Pi also has a Broadcastify scanner feed that I have on there.