
By AdrianM
#41523 It's a pity there's not much discussion on this to be had here (of all places!)

For a couple of years now I've been operating in the Electric Imp ecosystem but finally abandoned it because it doesn't offer enough local support for the device such that an Imp-powered gadget could serve its own interactive web page when offline. What it clearly does get right, though, is having an Agent in the cloud working in tandem with each local device, protecting and nurturing the little bit of WiFi-enabled hardware. The fully featured Imp Agent can be extremely useful but it's not always required; really, the only functionality I would say was absolutely necessary was the ability to take in external connections so that things like IFTTT can push events to the ESP8266 over a WebSocket or long-polled HTTP connection.

I'm inevitably repeating myself because it seems like a binary choice with only half a bit: open a port and use a DNS service to get a URL to my home network. :cry:
By AdrianM
#42837 I'm finally getting somewhere after a little bit of expenditure (and a lot of learning!). So I've rented a Droplet on Digital Ocean for £3.50/month and written a node.js agent application that implements a RESTful API acting as a go-between for my ESP8266 modules and the big scary internet.

The Droplet is basically a bare Ubuntu machine on which I've configured Nginx to act as a reverse proxy to my node.js agent application. This app uses Express to create routes for my incoming connections to any number of ESP8266s, which can each establish a long-polling HTTP GET on which to receive async. data. Everything is standard HTTP port 80 traffic, so the ESP8266 can sit behind any firewall yet be accessible from the outside, e.g. POST http://my_droplet/my_encrypted_ESP8266_device_ID

So now, if I want IFTTT to make devices on my LAN do something, I can create recipes that POST JSON to the droplet and that data gets routed to the right device. This obviously involves each ESP8266 identifying itself when it communicates with the agent, which validates the request on the basis of an encrypted device ID in the GET. The same validation is performed on POST requests before they are routed to the device.

Much happier now :D
By Douglas
#42862
AdrianM wrote: Out there on the internet I have wonderful, free services - like IFTTT which could make my tiny micro-controller do great things like light lights, open garage doors, water plants... So long as I drill a hole in the firewall of my Router and forward a port into my LAN, and make my Router accessible to everything on the internet with a Dynamic DNS service.

What's the problem with using a Dynamic DNS service and forwarding a port to your microcontroller? I don't understand how that makes your router accessible to hackers. I guess if they knew (1) what you had connected and (2) where you live, (3) your domain, (4) which DDNS service you use, (5) the port and (6) proper command, and (7) in spite of being so clever they were desperate to steal your weedwhacker, (8) unscrupulous, (9) undeterred by possible imprisonment, and (10) lived near enough to make it profitable, they could open your garage door.
By AdrianM
#42886
Douglas wrote: What's the problem with using a Dynamic DNS service and forwarding a port to your microcontroller? I don't understand how that makes your router accessible to hackers.

Hi Douglas, I'm no great expert on network security but I do know that there are plenty of people with the spare time and tools, e.g. SubBrute, EyeWitness, etc., that make that a possibility. Sure, anything I design is protected by an extra layer of obscurity, but that's not security, and it's the potential vulnerability of branded goods that also sit behind my router firewall that I'm most concerned about.

However, security is only one aspect that drives me to look for an agent based solution. I have a number of portable ESP8266 based projects that connect to more than one router depending on where they are taken. It would be awkward if not impossible to configure every router as I'm only connected as a guest on some WiFi Hotspots.

Also, some of my designs are in (very low!) low-volume production and can be used by friends, etc., who only have to connect to the Station AP and enter their SSID & Password and away they go. This is just about as much configuration as the average Joe will put up with, and anything more is a real barrier to IoT IMO.