When people think IoT, they usually imagine a gadget sending data to the cloud. What often gets skipped is the middle piece - the thing that actually knows the devices, secures them, and makes sure data ends up in the right place.
Before we begin
This tutorial walks us through the steps of setting up Edgeberry Device Hub on a Virtual Private Server, and testing the setup with an Edgeberry device. For this, we'll need:
- One or more Edgeberry devices, powered by the Raspberry Pi 3B+ or more recent.
- A Virtual Private Server (VPS), preferably running GNU/Linux Ubuntu (this can be a Raspberry Pi on your local network, too) with direct or SSH access
- Access to a TCP/IP network and the internet
- (optional: access to the DNS record of your institution)
- NginX as a reverse proxy.
- Edgeberry Device Hub as our IoT device endpoint.
- Mosquitto as our MQTT broker.
- Certbot for managing our HTTPS certificates.
- Node-RED for creating simple cloud-side IoT applications.
- UFW, the Uncomplicated Firewall.
Now, let's SSH into our server, switch to the root user and jump in!
The ReadMe in Edgeberry Device Hub's repository describes these commands to install the software:
wget -O install.sh https://github.com/Edgeberry/Edgeberry-Device-Hub/releases/latest/download/install.sh;
chmod +x ./install.sh;
sudo ./install.sh -y;
When the installation process is complete, you can access the Device Hub (HTTP) web interface on your server's address, at port 3000.
http://146.190.231.65:3000
Security warning: at this point the connection is plain HTTP, with no TLS (Secure Sockets Layer) in use. We'll add it with the reverse proxy in step 3.
2) Install and configure Node-RED
Node-RED is a flow-based, low-code programming tool for wiring together hardware devices, APIs and online services. We’ll use it as the “playground” on the server side. The Edgeberry Project has Node-RED nodes for easily interacting with the Edgeberry Device Hub and Devices.
npm install -g --unsafe-perm node-red
To secure Node-RED, edit the settings.js file in the .node-red/ folder and add these lines:
adminAuth: {
    type: "credentials",
    users: [
        {
            username: "admin",
            // paste the hash generated by the command below
            password: "<hashed password>",
            permissions: "*"
        },
    ]
},
Hash your password, and copy/paste it as the value in the password field:
node-red admin hash-pw
3) Install and configure NginX (with Certbot)
A reverse proxy sits in front of your apps and forwards incoming requests to the right backend. Here, Nginx will
- terminate HTTPS (TLS)
- forward traffic to our Device Hub (port 3000) and Node-RED (port 1880)
- handle Let’s Encrypt certificate renewal via Certbot
This lets Edgeberry talk to the server securely using normal web URLs like https://devicehub.edgeberry.io.
Install NginX using apt:
apt install nginx
In the folder /etc/nginx/sites-available/, create the configuration file for the Device Hub reverse proxy, for example devicehub.conf.
nano /etc/nginx/sites-available/devicehub.conf
You can copy/paste my configuration file from the attachments.
Create the symlink in the /etc/nginx/sites-enabled/ folder to enable our reverse proxy.
ln -s /etc/nginx/sites-available/devicehub.conf /etc/nginx/sites-enabled/
Install Certbot using snap:
snap install --classic certbot
ln -s /snap/bin/certbot /usr/bin/certbot
Run certbot for our Device Hub and Node-RED reverse proxies.
certbot --nginx
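The attached configuration file is not reproduced on this page, so here is an added example of what devicehub.conf could contain before Certbot is run; it is not the author's file. It assumes the hostnames devicehub.edgeberry.io and nodered.edgeberry.io (derived from the DNS records used in this tutorial; substitute your own) and Ubuntu's default nginx.conf, which includes sites-enabled files inside the http block.

```nginx
# /etc/nginx/sites-available/devicehub.conf
# Added example, not the author's attachment. Hostnames are assumptions.
# Plain-HTTP server blocks: `certbot --nginx` adds the 443/ssl listeners,
# certificate paths and the HTTP-to-HTTPS redirect to each block.

# Pass WebSocket upgrades through the proxy (the Node-RED editor uses them;
# harmless for backends that do not).
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    listen [::]:80;
    server_name devicehub.edgeberry.io;        # replace with your hostname

    location / {
        proxy_pass http://127.0.0.1:3000;      # Device Hub web interface
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

server {
    listen 80;
    listen [::]:80;
    server_name nodered.edgeberry.io;          # assumed from the "nodered" record

    location / {
        proxy_pass http://127.0.0.1:1880;      # Node-RED editor
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
```

Check the file with nginx -t and reload Nginx before running certbot --nginx, so Certbot finds both server_name entries.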
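4) Configure Firewall
UFW (Uncomplicated FireWall) gives us a simple, readable wrapper around iptables. We’ll:
- close direct access to internal ports (3000 = Device Hub HTTP, 1880 = Node-RED HTTP)
- only allow them from 127.0.0.1 (so only Nginx can reach them)
- open 8883/TCP for secure MQTT from Edgeberry devices.
UFW denies incoming connections by default once it is enabled, so make sure SSH (port 22) and the web ports Nginx serves (80 and 443) are also allowed before you enable it, or you will cut off your own SSH access and the reverse proxy.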
ufw deny 3000
ufw deny 1880
ufw allow from 127.0.0.1 to any port 3000
ufw allow from 127.0.0.1 to any port 1880
ufw allow 8883/tcp
ufw --force enable
5) Update DNS record
In your institution's DNS record, you can add an A record pointing to the Device Hub server and the Node-RED instance:
devicehub 10800 IN A 146.190.231.65
nodered 10800 IN A 146.190.231.65
Now you can connect to your Device Hub using your domain and the device hub subdomain. For me that's:
https://devicehub.edgeberry.io
6) Connecting an Edgeberry Device
To test our Device Hub setup, we'll connect our Edgeberry Device. First, whitelist your specific device by adding its hardware ID to your Device Hub's whitelist. On your device, get the hardware ID by executing this command:
edgeberry --hardware-id
When your device's ID is added to the Device Hub's whitelist, run the setup on your Edgeberry device:
edgeberry --setup
and provide the setup with the necessary info.
Now your device is connected to your device hub, and ready to use - proving that your setup works correctly and you're ready to proceed with the next steps!



