HOWTO - Make a BrewPi Fermentation Controller For Cheap

Homebrew Talk - Beer, Wine, Mead, & Cider Brewing Discussion Forum

Status
Not open for further replies.
I figured out my htaccess problem! If this happens to anyone else, here is what I did:

In the folder /etc/apache2/mods-available I found a mod called authz_groupfile.load

I moved this to /etc/apache2/mods-enabled then reset my server and it started asking for authentication for my private file! I'm guessing there should be a mod file for every modifier in the .htaccess file, so that would be a great place to start.

fwiw, I have 28 files in my .../mods-enabled folder out of the 94 in .../mods-available.
All of them were in their respective folders already....

Cheers!
 
That's awesome, the only 3d printer I have access to is at work and I think they'd frown upon me using it for this lol...I've wanted to make a RepRap forever...some day.
 
That is sweet. How much? 😎



I think when I made mine the total material cost ended up being around $8, but that was with Makerbot filament which is sold at extortionist prices!
 
First I just wanted to say thanks for this amazing thread. After finding it I was inspired to purchase and build the brewpi as described (mostly). I just have a few comments to add.

It was very difficult in the hundreds of posts to find the instructions found here to add password protection. Can you link to this post on the original post?

Also, in that post I think it would help to mention that you must enable the allowoverride as seen here.

Next, what I did that may be helpful is rename your custom page to the index.html and configure the .htaccess to point to my private page. This way you don't have to put in the index.php to go to the public page.

Lastly, I modified your page to make the brewpi image a link to my private page, so I could click there to authenticate and take control. Perhaps a login button would be better. I modified this line in your PublicBeerPanel from

<img src="brewpi_logo.png">

to

<a href="control.php"><img src="brewpi_logo.png">

where control.php is the name of my private page with all the controls enabled.
 
First I just wanted to say thanks for this amazing thread. After finding it I was inspired to purchase and build the brewpi as described (mostly). I just have a few comments to add.

It was very difficult in the hundreds of posts to find the instructions found here to add password protection. Can you link to this post on the original post?

Also, in that post I think it would help to mention that you must enable the allowoverride as seen here.

Next, what I did that may be helpful is rename your custom page to the index.html and configure the .htaccess to point to my private page. This way you don't have to put in the index.php to go to the public page.

Lastly, I modified your page to make the brewpi image a link to my private page, so I could click there to authenticate and take control. Perhaps a login button would be better. I modified this line in your PublicBeerPanel from



to



where control.php is the name of my private page with all the controls enabled.

Great, glad everything worked out, be sure to take some pictures it gives everyone various ideas how to store it etc...

It's funny you say that though, I actually just added the link to the Private instructions to the bottom of the thread like 2 days ago. :mug:
 
Sweet! Do you have any pics of the assembled system?

Cheers!

Yes I do! Mine looks janky because I originally had to print it text down. I would definitely not recommend this to anyone :p also, now that I think about it, the surface would probably print nicer if the text was extruded instead of cut... Maybe I'll make two versions.

IMG_20140611_220013823.jpg


IMG_20140611_215730310.jpg
 
Yes I do! Mine looks janky because I originally had to print it text down. I would definitely not recommend this to anyone :p also, now that I think about it, the surface would probably print nicer if the text was extruded instead of cut... Maybe I'll make two versions.

If I send you $10 will you make me one with the extruded letters? Lol I don't know anyone with a 3d printer.
 
Since my working brewpi is almost entirely thanks to you, I would be ok with that :)
 
Maybe this isn't the right place, but the brewpi forum seems dead compared to this one. I'm working on several tweaks to the web interface and nearly have it where I want it. However, this is certainly not my strong suit. To extend on FuzzeWuzze's private vs. public page I want to keep the Maintenance button on the public page and have it link to a public maintenance-panel.php page which only has the ability to show previous beers.

I've been able to accomplish this, with only one small aesthetic issue. I can't get my button to line up properly on the right, as it did before. See screen shot and code excerpt below. What am I missing?

<div id="top-bar" class="ui-widget ui-widget-header ui-corner-all">
<div id="lcd" class="lcddisplay"><span class="lcd-text">
<span class="lcd-line" id="lcd-line-0">Live LCD waiting</span>
<span class="lcd-line" id="lcd-line-1">for update from</span>
<span class="lcd-line" id="lcd-line-2">script...</span>
<span class="lcd-line" id="lcd-line-3"></span>
</div>
<div id="logo-container">
<a href="control.php"><img src="brewpi_logo.png">
<div id=beer-name-container>
<span>Fermenting: </span><?php echo $beerName;?></a>
<span class="data-logging-state"></span>
</div>
<button id="maintenance" class="ui-state-default">Beer Log</button>
</div>


Here's my public page with the button in the center, instead of top right. I've changed the text to 'Brew Log' instead of 'Maintenance Panel' as that's the only option in the public version.
public page.jpg




Here's the public version of the maintenance panel. Note it works, and only has the button (and code) for the Previous beers.
public maintenance panel.jpg




Here's the private page with the normal, correct button positions.
private.jpg
 
Maybe this isn't the right place, but the brewpi forum seems dead compared to this one. I'm working on several tweaks to the web interface and nearly have it where I want it. However, this is certainly not my strong suit. To extend on FuzzeWuzze's private vs. public page I want to keep the Maintenance button on the public page and have it link to a public maintenance-panel.php page which only has the ability to show previous beers.

I've been able to accomplish this, with only one small aesthetic issue. I can't get my button to line up properly on the right, as it did before. See screen shot and code excerpt below. What am I missing?

Move the <button> code one level out (so below the next </div> tag)

That'll move it to the right.
 
Thank you, MongooseMan. That was actually the first thing I tried, but I must not have copied the file over correctly...
 
I'll state some maintenance variables that people may want to change after finding some issues with my setup.

In the Control Constants you may want to set the Temperature min and max and send them to the arduino. These are responsible for the min your fridge and or beer can get set to. Keep in mind this is how low it will ever set your fridge, so if you're using a freezer it won't make full use of it as it will cap the freezer at not going below 32F..when in reality it can go much colder to cold crash faster if it was set to say 0F.

I'm keeping mine at 15F, but may just set it to 0. Same applies for the heat, I just keep mine at 85F, I can't imagine a time where I would ever want to very quickly warm my beer up enough where 85F wouldn't get me there in a few hours.

The other key value I found is the PID: Maximum, this is the max difference your beer temp and fridge temp can have. This caused me trouble when I threw my lager into the chamber at 75F to chill to 50F before pitching. Because my beer temp was 50F and the PID maximum was set to 18, the lowest my fridge would ever go regardless of the Minimum setting above was 32F, obviously it took like 6+ hours to chill the beer to pitching when it should have only taken an hour or two if the freezer had been allowed to run closer to full power and hold 0F.
 
Let's talk web security! I'm nearly done with my modifications, but think there's still some room for improvement on the security front. I'm planning to do a write up of the changes I made in case they help anyone else, although to someone with more web experience than me, I haven't really done anything special. Anyway, before I do, I want to better understand where the flaws in the system are, and how easily some of them can be patched up.

Here's what I've done so far:
  • Added .htaccess file on the private version of the main php page referencing a .htpassword file
  • Added link to brewpi logo to private page, so that you can click and authenticate to private page from the web.
  • Modified FuzzeWuzze's version of the public page to add back in a link to a private version of the maintenance panel
  • Modified the public version of the maintenance panel to only include the previous_beers.php link, so anyone can see previous batches
  • Added robots.txt in root to keep good webcrawlers away, hopefully keeping my page from showing up on the reputable search engines, anyway

I will provide the modified code of each of these pages later for scrutiny, but assuming these modifications are correct, I understand this is all still really security through obscurity, as none of the other files are behind the .htaccess settings for security. It's definitely still fairly trivial to mess with someone's setup, if you are familiar with the project. While this seems somewhat unlikely the consequences could be quite real with a ruined fridge compressor that someone sets to run forever, or worse yet, a ruined beer!

To me, this obvious flaw must be addressed. It seems like modifying the .htaccess file is an easy place to start to block unauthenticated access to more of this stuff. I think what I want to do is something like this, in layman's speak, but I can't figure out the syntax to make it work.

I want to:
  • deny access to all files
  • allow access to all files by localhost
  • allow access to the main public page only with limit, using the password file.

It seems then, that I could go to the main public page, it would be able to get all the files it needs because it has local access (images, previous beers, graphs, etc...) Then If I authenticate to the private page, i can get to everything.

Then, what other flaws might there be in the system? Are there any other relevant improvements to be made on the stock apache install?
 
Seems like public BrewPi pages are the root of all potential evil, and with scant benefit.
I've avoided them for that reason...

Cheers!
 
Let's talk web security! I'm nearly done with my modifications, but think there's still some room for improvement on the security front. I'm planning to do a write up of the changes I made in case they help anyone else, although to someone with more web experience than me, I haven't really done anything special. Anyway, before I do, I want to better understand where the flaws in the system are, and how easily some of them can be patched up.

Here's what I've done so far:
  • Added .htaccess file on the private version of the main php page referencing a .htpassword file
  • Added link to brewpi logo to private page, so that you can click and authenticate to private page from the web.
  • Modified FuzzeWuzze's version of the public page to add back in a link to a private version of the maintenance panel
  • Modified the public version of the maintenance panel to only include the previous_beers.php link, so anyone can see previous batches
  • Added robots.txt in root to keep good webcrawlers away, hopefully keeping my page from showing up on the reputable search engines, anyway

I will provide the modified code of each of these pages later for scrutiny, but assuming these modifications are correct, I understand this is all still really security through obscurity, as none of the other files are behind the .htaccess settings for security. It's definitely still fairly trivial to mess with someone's setup, if you are familiar with the project. While this seems somewhat unlikely the consequences could be quite real with a ruined fridge compressor that someone sets to run forever, or worse yet, a ruined beer!

To me, this obvious flaw must be addressed. It seems like modifying the .htaccess file is an easy place to start to block unauthenticated access to more of this stuff. I think what I want to do is something like this, in layman's speak, but I can't figure out the syntax to make it work.

I want to:
  • deny access to all files
  • allow access to all files by localhost
  • allow access to the main public page only with limit, using the password file.

It seems then, that I could go to the main public page, it would be able to get all the files it needs because it has local access (images, previous beers, graphs, etc...) Then If I authenticate to the private page, i can get to everything.

Then, what other flaws might there be in the system? Are there any other relevant improvements to be made on the stock apache install?

This will be GREAT! thank you!
 
Ok I believe I have gone through this entire thread and messaged everyone who showed interest or built one, not knowing who actually is using the external page I felt it necessary on my part to make sure anyone using my previous htaccess code knows there is a potential fix, but I would like to remind everyone that you are putting your brewpi on the internet. I can't promise full protection if someone malicious wants to get past and screw with your BrewPi they probably can, so if you're not comfortable with that keep it off the internet and just accessible on your LAN.

If someone could try this I think I have it mostly working, it's hard to tell though.

<FilesMatch "index.php">
Allow from all
authuserFile /var/www/private/.htpasswd
AuthName "YOUR LOGIN HERE"
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>
</FilesMatch>
<FilesMatch "beer-panel.php|config.php|configuration.php|control-panel.php|maintenance-panel.php|previous_beers.php|program_arduino.php|save_beer_profile.php|start_script.php">
Order deny,allow
Deny from All
Allow from 192.168.
</FilesMatch>

You need to update the last allow from to be your local subnet. This should block everything that can harm your brewpi setup from anyone that isn't accessing it via the internal network. This means you can't access some of the stuff unless you are directly accessing it via http://brewpi/index.php, trying to access it via your External DNS name wouldn't work unless you add more allows to allow it from IP ranges you trust. At least I think, you can still do a lot of stuff but it won't let you actually access the php files that can do harm unless you're local.
 
I see a couple improvements on this, which I've tested and seem to work. In the second filesmatch, you can use regular expressions to save a bit of typing. I've also removed previous_beers, as I want public access to that, and I think that's safe. You have a typo in save_beer_profile as well.

Next, I changed the Allow From 192.168. to Allow From 127.0.0.1, the loopback address, so you don't have to be on your local network, but the raspberry pi itself always has access to the files it needs once you authenticate to your private page. This also makes it generic, so people don't have to replace 192.168 with whatever their private network is, and won't have any issues if that changes. This should allow you to still control from the web, after you login.

<FilesMatch "index.php">
AuthUserFile /var/www/private/.htpasswd
AuthGroupFile /dev/null
AuthName "Your Username Here"
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>
</FilesMatch>
<FilesMatch "(beer-panel|config|configuration|control-panel|maintenance-panel|program_arduino|save_beer_profile|start_script).php">
Order deny,allow
Deny from All
Allow from 127.0.0.1
</FilesMatch>

Edit: for some reason it looks like I have a space in start_script when it's shown in the quote bubble, but there isn't, and shouldn't be one.
 
So that should close off access to the php pages, but what about the javascript? Is there any reason to protect those? I'm not really clear on what can be done by accessing them, or how one would access them directly.
 
Improvements on the public and private brewpi pages

Disclaimer: I am by no means an expert at this, and am not very confident that this is extremely secure. If you expose your brewpi to the internet at all there is a risk that someone else will be able to control it, potentially controlling heating and cooling elements in YOUR HOME, which has some real risk to it. Even worse, they could potentially ruin a batch of your beer! Please understand the risks before exposing your brewpi to the internet.

These instructions should work for anyone who's already followed the steps in this post. Please make a backup of your current directory (/var/www) in case something goes wrong, or you lose something you have that you like. I will explain the modifications required to customize it to your setup. Any of these items can be done independently, but may require a bit of tweaking in case I've used file names from the previous step. The below modifications will improve upon the public and private versions of the brewpi web interface in the following ways:
  1. Make public page the default (index.html), so you can go directly to http://example.com to get to the public page, vs entering http://example.com/publicpage.php
  2. Add link from public to private page
  3. Add Previous Beers viewing to public page
  4. Add robots.txt file to keep search engines from finding your brewpi page.
  5. Bonus: setting up port forwarding and a dynamic dns to create a public page without a static IP.

1. Make public page the default (index.html)
This step will swap the filenames of your public and private pages, so that the default page when you go to your url is the private page. You'll need to rename the files themselves, and modify your .htaccess file to protect the proper pages.

First let's swap the files. If you're accessing your directory via an ftp client, you can simply right click on the files and rename, otherwise, here are the linux commands. First you'll rename the current private page to a temporary name. Then you'll rename your public page to index.php, so it becomes the default. Lastly, you'll change the temporary public page to the final name for your private page. Make sure to replace your_public_page.php with whatever the filename of the private page you've setup.

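cd /var/www
# Park the current private page under a temporary name
sudo mv index.php tmpindex.php
# The public page becomes the default page
sudo mv your_public_page.php index.php
# The former private page takes the name the public page had
sudo mv tmpindex.php your_public_page.php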

You'll now want to alter your .htaccess file to open up the public page and block the private page behind authorization. Please note, I'm not blocking the previous_beers.php file in the bottom section, as I want to leave that open to my public page.

Replace your .htaccess file with the data below. Make sure to replace "your_private_page.php", and "YourUserName" with the appropriate values. The quotes are required!


<FilesMatch "your_private_page.php">
AuthUserFile /var/www/private/.htpasswd
AuthGroupFile /dev/null
AuthName "YourUserName"
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>
</FilesMatch>
<FilesMatch "(beer-panel|config|configuration|control-panel|maintenance-panel|program_arduino|save_beer_profile|start_script).php">
Order deny,allow
Deny from All
Allow from 127.0.0.1
</FilesMatch>

For some strange reason in the above quote, it is adding a space in 'start_script'. I do not have a space there, and one shouldn't be included. After changing this file, you'll have to restart the apache web server, or the whole raspberry pi for the changes to take effect.

2. Add link from public to private page
For this one, you'll edit the public page (now index.php) to add a link to your private page. Find and edit the public beer panel page you've previously created. FuzzeWuzze's write up has this named PublicBeerPanel.php. Look for this section
<div id="logo-container">
<img src="brewpi_logo.png">
<div id=beer-name-container>
</div>
and change it to this.
<div id="logo-container">
<a href="control.php"><img src="brewpi_logo.png"></a>
<div id=beer-name-container>
</div>

3. Add Previous Beers viewing to public page
This update will modify the public page to add back in a link to a modified maintenance panel, so the Previous Beers option is publicly available. We'll modify your public page, and put in a modified copy of the maintenance panel page to do so.

First, open up your public page (if you've followed these instructions it's now index.php) and find the section below.

<div id="beer-panel" class="ui-widget ui-widget-content ui-corner-all">
<?php
include 'PublicBeerPanel.php';
?>
</div>

and change it to this
<div id="beer-panel" class="ui-widget ui-widget-content ui-corner-all">
<?php
include 'PublicBeerPanel.php';
?>
</div>
<div id="maintenance-panel" style="display:none"> <!--// hide while loading -->
<?php
include 'pub-maintenance-panel.php';
?>
</div>

Now create a new file called pub-maintenance-panel.php that has the below in it, saved to your web directory (probably /var/www)

<?php
/* Copyright 2012 BrewPi/Elco Jacobs.
* This file is part of BrewPi.

* BrewPi is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.

* BrewPi is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.

* You should have received a copy of the GNU General Public License
* along with BrewPi. If not, see <http://www.gnu.org/licenses/>.
*/
?>

<ul>
<li><a href="previous_beers.php"><span>Previous Beers</span></a></li>
<!--kinda dirty to have buttons in the ul, but the ul is styled as a nice header by jQuery UI -->
</ul>


4. Adding robots.txt
By adding a robots.txt file to the main directory of your webpage, considerate web crawlers will not index your site. This should keep your page from showing up on google and such, which I believe adds a little bit of security. Since you're hosting this traffic on your raspberry pi and your ISP I can't imagine you want the extra traffic or attention of anyone except for people you provide the link to. However, this step is not necessary if you don't care about that. This is also not any sort of real security, as using robots.txt is purely voluntary by webcrawlers, and any malicious ones will just ignore it anyway.

The steps are pretty simple. Create a file called robots.txt and copy in the following text. Save this to your folder with your brewpi web interface (most likely /var/www).

User-agent: *
Disallow: /

Bonus: setting up port forwarding and dns forwarding to create a public page

I don't think this has been described so far in this thread, so I'll give it a go. The details will vary based on your network hardware and the service you choose, this will merely point you in the right direction. There are PLENTY of resources on the web if you have any trouble, and you're probably better served looking elsewhere if you have any issues with this. You'll need to do a few things. Set up an account with a dynamic dns service. Set up your raspberry pi to update that dynamic dns service. Open port forwarding on your router to allow web traffic to flow through to your raspberry pi.

There are several dynamic dns services, such as noip and duckdns. Go to one of these sites, or another of your choosing and set up an account and choose a URL. I personally chose duckdns.

If you do the same, you can follow their instructions after clicking 'Install' and 'linux cron' on their site, so that your raspberry pi will update the service frequently with the information needed to route to your raspberry pi from anywhere on the web. If you use another service, you'll have to follow their instructions to set this up.

You'll now need to set up port forwarding on your router to allow web traffic on port 80 to your raspberry pi. You can use Portforward.com, select your router make, and then model, and then Apache as the application for instructions. These instructions suggest opening both ports 80 and 443, but you can restrict this to just port 80 for our purposes, and to be a bit more secure.
 
I haven't had my raspberry pi ever lock up, but I haven't kept it on for more than a day straight so far. However, this looks like an easy hardware based solution to auto reboot your pi if it gets hung up. Seems like a no brainer, right?
 
I don't really see the point. With SSH and FTP you can do everything you want without a gui. I don't really want a gui for my raspberry pi, at least not this one. If, however you do, want a gui without hooking up keyboard/mouse/monitor, look into this instead. I'd rather have one more piece of software on my pc, than start bloating up that poor little pi.
 
So that should close off access to the php pages, but what about the javascript? Is there any reason to protect those? I'm not really clear on what can be done by accessing them, or how one would access them directly.

I haven't gone through your final answer thoroughly yet, so I'm not sure if you answered this question.

I'd suggest looking at this:
http://stackoverflow.com/questions/3466802/deny-ajax-file-access-using-htaccess
The "good" part of the first answer should contain everything you need to secure the .js files from being maliciously called.
 
True enough, you're probably just fine with SSH because the RPI is just a terminal. Don't know that VNC is necessary.
 
Fantastic job FuzzeWuzze and the rest of the guys in this thread. Thanks very much for your smarts. I have been following this for a while and have been having a lot of fun building a box based on your instructions.
I managed to build a brewpi on an old laptop by loading Debian wheezy and have built a box and have it hooked up to an old fridge that I will use as a chamber.
I have been testing it and it seems like it's working great.
A couple of things I added to the build were a small board with header pins that connect it to the arduino and the use of 3.5mm stereo pins and sockets for the probes.
I must admit that if you are after some fantastic temperature control I can't help but give a plug to the Brewpi site as well. If you are a bit more techie and want to have a go yourself, Fuzze has done a fantastic job here.
Next job is to put down a brew.
Cheers from Newcastle Australia

Arduinobuild (1).jpg


Arduinobuild (2).jpg


Arduinobuild (7).jpg


Arduinobuild (4).jpg


Arduinobuild (3).jpg


Arduinobuild (5).jpg
 
Hmm.. My .htaccess solution seems to have a problem. It makes it impossible to save new or modified beer profiles... Removing save-beer-profiles from the .htaccess seems to fix it.
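
Added example, not part of the original thread: a simplified Python model of the two FilesMatch blocks posted above (Apache 2.2 `Order`/`Allow` semantics with the default `Satisfy All`). It shows why the save fails: Apache sees the browser's address, not the Pi's, so the loopback-only rule rejects save_beer_profile.php even after login. The client addresses and example.js are constructed, and the rest of the server configuration is assumed to add no other restrictions.

```python
import ipaddress
import re

# Constructed model of the two <FilesMatch> blocks posted in the thread.
# "limit": methods wrapped by <Limit> (GET also covers HEAD); None = no Require.
# "allow": networks listed after "Order deny,allow / Deny from All"; None = open.
RULES = [
    {"pattern": r"index.php", "limit": {"GET", "HEAD", "POST"}, "allow": None},
    {"pattern": r"(beer-panel|config|configuration|control-panel|maintenance-panel"
                r"|program_arduino|save_beer_profile|start_script).php",
     "limit": None, "allow": ["127.0.0.1"]},
]


def decide(filename, method, client_ip, logged_in, rules=RULES):
    """Return the response this simplified model predicts for one request."""
    ip = ipaddress.ip_address(client_ip)
    matched = False
    for rule in rules:
        # FilesMatch regexes are unanchored and the dots are unescaped.
        if not re.search(rule["pattern"], filename):
            continue
        matched = True
        # Host check: the address Apache sees is the browser's, not the Pi's.
        if rule["allow"] is not None and not any(
                ip in ipaddress.ip_network(net) for net in rule["allow"]):
            return "403 host not allowed"
        # Require inside <Limit> is enforced for the listed methods only.
        if rule["limit"] is not None and method in rule["limit"] and not logged_in:
            return "401 login required"
    return "200 served" if matched else "200 served (no rule matches)"


# Constructed requests: (file, method, client address, logged in?)
SAMPLES = [
    ("index.php", "GET", "203.0.113.7", False),               # private page, no login
    ("index.php", "GET", "203.0.113.7", True),                # private page, logged in
    ("save_beer_profile.php", "POST", "203.0.113.7", True),   # save from the internet
    ("save_beer_profile.php", "POST", "192.168.1.20", True),  # save from the LAN
    ("previous_beers.php", "GET", "203.0.113.7", False),      # deliberately public
    ("example.js", "GET", "203.0.113.7", False),              # hypothetical unlisted file
    ("index.php", "OPTIONS", "203.0.113.7", False),           # method outside <Limit>
]


def report(samples=SAMPLES):
    """Evaluate every sample and return (request, outcome) pairs."""
    return [(s, decide(*s)) for s in samples]


if __name__ == "__main__":
    for (name, method, ip, logged_in), outcome in report():
        print(f"{method:7} {name:24} from {ip:13} login={logged_in!s:5} -> {outcome}")
```

Both save requests come back 403, which matches the report above. Removing the `<Limit>` wrapper makes the login apply to every method, and unlisted files stay reachable until a rule covers them.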
 
Great job, gezzanet. I just finished up my arduino shield this morning. I love the ministereo solution! I'm going to steal that for my enclosure. Don't you need switches on those outlets in Australia? Have a Tim Tam for me.
 
So... Are the filenames control.php and public.php intermingled but the same? I'm all cornfused [sic]..

Also - For some reason my public.php --> now index.php doesn't work no matter what I do - the graphs don't render.

http://clovercreekbrewery.us/brewpi/index.php

Why do you have special characters in your name, that could be screwing it up..%20 stands for an ASCII space, but I have no idea what happens if you try to turn that into a file name, I doubt it's writing the log file properly so it can't graph.
 