Continuing the discussion from Persist strategy "everyChange" incl. the last known value before change:
Re. security: I do not run only openHAB on my headless RPi B but also other stuff. Having nginx in place is useful - for some apps as a reverse proxy, for others as a web server. I can access the services through multiple subdomains directed to a single IP address.
Originally, I had a chroot for each service, later on I played a bit with docker, but then decided to have it all in a single environment. Easier to update and backup, less space occupied, no need to remember the extra stuff I do not use otherwise. A bit weaker from a security standpoint, so I at least update regularly (Arch Linux).
There is a lot of info re. security hardening on the internet for each service, so I do not do anything special.
My approach is to close as many ports as possible, allow only LAN clients, manage the entry point (Mikrotik: NAT and FW rules), force SSL, and run the services under an unprivileged user. Even though OpenVPN runs on the RPi too, I do not use it much, because it is inconvenient for mobile devices.
Let’s Encrypt does what it promises: it is fully automatic and also supports multiple domains in a single certificate.
I used to use StartCom Ltd. for free certificates, but that required a manual action once a year, which meant: read, learn, create new certificates and forget again over time.
Self-signed certificates are also troublesome, since they trigger warnings in many remote clients or cannot even be used.
I use the “webroot” plugin and letsencrypt does not touch my nginx configuration at all. There is a nice guide for openHAB.
Although I do put my certificate into the Java keystore used by openHAB’s web server, it is actually more transparent for me to use nginx’s reverse proxy with forced SSL for https.
Later on, I want to look at:
- securing the MQTT messaging (from sensors to openHAB), although I am not sure if the clients on ESP8266, Arduino and alike support SSL.
- running openHAB as a user w/o privileges and login shell (the packager for Arch Linux AUR repository lets it run with root privileges…).
- creating users & passwords for external access
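
An added example, not part of the original post, of the kind of nginx setup described above: a webroot directory for Let's Encrypt challenges, forced HTTPS, LAN-only access and a reverse proxy to openHAB. The hostname `openhab.example.org`, the webroot path `/var/www/letsencrypt` and the LAN range `192.168.1.0/24` are assumptions; the proxy target assumes openHAB listens on its default HTTP port 8080 on the same host.

```nginx
# Constructed example: hostname, webroot path and LAN range are assumptions.

# Port 80 only answers ACME challenges and redirects everything else.
server {
    listen 80;
    server_name openhab.example.org;

    # The webroot plugin drops challenge files below this directory,
    # so the client never has to edit or reload this configuration.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type text/plain;
        try_files $uri =404;
    }

    # Force SSL for all other requests.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name openhab.example.org;

    # Standard Let's Encrypt client layout for the issued certificate.
    ssl_certificate     /etc/letsencrypt/live/openhab.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/openhab.example.org/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Allow only LAN clients; everyone else gets 403.
    allow 192.168.1.0/24;
    deny all;

    location / {
        # openHAB stays bound to plain HTTP locally; nginx terminates TLS.
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

The challenge location on port 80 has to stay reachable from the internet for HTTP validation, which is why the LAN restriction sits only in the HTTPS server block. With this layout a certificate covering several subdomains can be requested with `certbot certonly --webroot -w /var/www/letsencrypt -d openhab.example.org -d other.example.org`.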