
Local configuration

Environment variables

How to set?

Docker

Environment variables can be set in the shell where you start the Crosser node, in the docker-compose.yml file, or in a separate file referenced from docker-compose.yml, e.g. edgenode.env.

Windows

On Windows you need to set the environment variables from PowerShell, before starting the Crosser service:

$env:some_variable = "some_value"

Available environment variables

Security

See Node Installation for information on when to set each setting.

Variable | Value | Description
SecurityConfiguration__Registration__Key | Key from cloud.crosser.io | The global registration key created at cloud.crosser.io.
SecurityConfiguration__Registration__Name | Unique Node name | A unique name to use when registering the Node. Not needed if auto-generated names are configured in Crosser Cloud.
SecurityConfiguration__Credentials__NodeId | ID from cloud.crosser.io | ID to use when registering a single Node (set by the installer on Windows).
SecurityConfiguration__Credentials__AccessKey | Key from cloud.crosser.io | Key to use when registering a single Node (set by the installer on Windows).
EdgeNodeConfiguration__RestApi__AllowKillHostFromApi | false or (true) | If true the host can be terminated through the node API or web UI.
EdgeNodeConfiguration__RestApi__AllowKillProcessFromApi | false or (true) | If true flows can be terminated through the node API or web UI.
EdgeNodeConfiguration__RestApi__AllowKillRemoteSessionProcessFromApi | false or (true) | If true remote sessions can be terminated through the node API or web UI.

General

Variable | Default | Description
EdgeNodeConfiguration__LogLevel | Information | The level to use when logging to the local log file (Verbose, Debug, Information, Warning, Error, Fatal).
EdgeNodeConfiguration__ReportStatusIntervalInSeconds | 10 | The interval in seconds at which Node status is reported to cloud.crosser.io.
EndpointsConfiguration__RemoteSessionTransport | Automatic | When setting up a remote session the node first tries a websocket connection; if that fails it falls back to a regular HTTP (long polling) connection. Set to HTTP to disable websocket attempts.

Proxy settings: Nodes version 2.6+

Variable | Value | Description
http_proxy | user:pw@IPorHost:port | Connectivity details for the HTTP proxy. User and password are only needed if required by the proxy server.
https_proxy | user:pw@IPorHost:port | Connectivity details for the HTTPS proxy. User and password are only needed if required by the proxy server.

Example edgenode.env with proxy settings:

# Proxy Section
https_proxy=user:pw@192.168.102.10:1234

Proxy settings: Nodes version < 2.6

Variable | Value | Description
https_proxy | IPorHost:port | IP/host and port of the HTTPS proxy.
https_user | user | User to connect with (if required by the proxy server).
https_password | password | Password to connect with (if required by the proxy server).
https_proxy_certificate | certificate.cer | Name of the certificate to use (located in data/certificates on the node).
http_proxy | IPorHost:port | IP/host and port of the HTTP proxy.
http_user | user | User to connect with (if required by the proxy server).
http_password | password | Password to connect with (if required by the proxy server).

Example edgenode.env with proxy settings:

# Proxy Section
https_user=user
https_password=password
https_proxy_certificate=certificate.cer

Securing HTTP and MQTT endpoints

By default the integrated HTTP server and MQTT broker in the Node use unencrypted communication without authentication. In this article we will explain how you can configure your nodes with encryption and/or authentication.

TLS & Certificates

To enable encrypted communication (TLS) you need a certificate file that can be used by the node.

Good links for reading about certs

Create certificates for test

In a production environment we recommend using a trusted certificate. For testing purposes you can create a self-signed certificate by following the below steps.

A great tool for creating test certificates is openssl:

# Generate a private key and self-signed certificate for edgenode.local

openssl req -x509 -out edgenode.crt -keyout edgenode.key   -newkey rsa:2048 -nodes -sha256   -subj '/CN=edgenode.local' -extensions EXT -config <( \
printf "[dn]\nCN=edgenode.local\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:edgenode.local\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth")

# Generate a edgenode.pfx cert

openssl pkcs12 -export -in edgenode.crt -inkey edgenode.key -out edgenode.pfx

Register the cert

On the clients attaching to the node you should add the edgenode.crt file as a root cert in your cert store and change the cert to always be trusted.

Edit hosts

Edit your hosts file so that edgenode.local resolves to 127.0.0.1.

Configure Cert for HTTPS/MQTT

Note: We show HTTP here, but MQTT works the same way.

When the node is started for the first time all configuration files are created with default values, so make sure you have started it at least once. Under the data/ folder you will find all configuration files. The httpconfiguration.json and mqttconfiguration.json files will look something like:

{
  "HttpConfiguration": {
    "HttpEndpoints": [
      {
        "Address": "0.0.0.0",
        "Port": 9090,
        "Name": "---",
        "AuthenticationType": "None",
        "AuthenticationEncryption": "MD5",
        "AuthenticationFolder": "authentication",
        "AuthenticationFile": "httpAccess9090.config",
        "CertificateType": "None",
        "StoreCertificate": {
          "Subject": "",
          "StoreName": "My",
          "StoreLocation": "LocalMachine",
          "AllowValidOnly": true,
          "SslProtocols": "Tls12"
        },
        "FileCertificate": {
          "CertificatePath": "",
          "CertificatePassword": "",
          "SslProtocols": "Tls12"
        }
      }
    ]
  }
}

Use cert from file

Below we have changed the configuration to have:

  • CertificateType = FileCertificate
  • FileCertificate.CertificatePath = edgenode.pfx
  • FileCertificate.CertificatePassword = !4U2know

The certificate must be stored in /data/certificates. If the folder does not exist, create it on your own. CertificatePassword should be whatever you used as password when creating the cert.

{
  "HttpConfiguration": {
    "HttpEndpoints": [
      {
        "Address": "0.0.0.0",
        "Port": 9090,
        "Name": "---",
        "AuthenticationType": "None",
        "AuthenticationEncryption": "MD5",
        "AuthenticationFolder": "authentication",
        "AuthenticationFile": "httpAccess9090.config",
        "CertificateType": "FileCertificate",
        "StoreCertificate": {
          "Subject": "",
          "StoreName": "My",
          "StoreLocation": "LocalMachine",
          "AllowValidOnly": true,
          "SslProtocols": "Tls12"
        },
        "FileCertificate": {
          "CertificatePath": "edgenode.pfx",
          "CertificatePassword": "!4U2know",
          "SslProtocols": "Tls12"
        }
      }
    ]
  }
}


Start the Node, then open a browser and navigate to https://edgenode.local:9090. The certificate should be valid and you are now accessing the Node over HTTPS with a file certificate.
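Before exposing a node, it is worth checking that every endpoint in httpconfiguration.json and mqttconfiguration.json actually has both a certificate and authentication configured. The audit below is an added example, not Crosser's code; it embeds a constructed copy of the default configuration shown above and of the "Use cert from file" variant, and reports which of the page's settings are still at their unprotected values (treating anything below Tls12 as too weak is an assumption of the example).

```python
import json

# Constructed sample: the default httpconfiguration.json from above, cut down to the fields the audit reads.
DEFAULT_HTTP_CONFIG = """{
  "HttpConfiguration": {"HttpEndpoints": [{
    "Address": "0.0.0.0", "Port": 9090, "Name": "---",
    "AuthenticationType": "None", "AuthenticationEncryption": "MD5",
    "CertificateType": "None",
    "StoreCertificate": {"Subject": "", "StoreName": "My", "StoreLocation": "LocalMachine",
                         "AllowValidOnly": true, "SslProtocols": "Tls12"},
    "FileCertificate": {"CertificatePath": "", "CertificatePassword": "", "SslProtocols": "Tls12"}
  }]}
}"""
# The "Use cert from file" variant: the same file with CertificateType and CertificatePath changed.
FILE_CERT_HTTP_CONFIG = (DEFAULT_HTTP_CONFIG
    .replace('"CertificateType": "None"', '"CertificateType": "FileCertificate"')
    .replace('"CertificatePath": ""', '"CertificatePath": "edgenode.pfx"'))

def audit_endpoints(config: dict) -> list[str]:
    """Return one finding per weak setting; an empty list means TLS and auth are on everywhere."""
    findings = []
    # httpconfiguration.json nests HttpConfiguration/HttpEndpoints and mqttconfiguration.json
    # nests MqttConfiguration/MqttEndpoints; the per-endpoint layout is the same for both.
    for section in config.values():
        for key, endpoints in section.items():
            if not key.endswith("Endpoints"):
                continue
            for ep in endpoints:
                where = f"{key}[{ep.get('Address')}:{ep.get('Port')}]"
                ctype = ep.get("CertificateType", "None")
                if ctype == "None":
                    findings.append(f"{where}: CertificateType is None, traffic is unencrypted")
                elif ctype == "FileCertificate":
                    fc = ep.get("FileCertificate", {})
                    if not fc.get("CertificatePath"):
                        findings.append(f"{where}: FileCertificate.CertificatePath is empty")
                    if fc.get("SslProtocols") not in ("Tls12", "Tls13"):  # assumption: older is too weak
                        findings.append(f"{where}: SslProtocols {fc.get('SslProtocols')!r} is below Tls12")
                elif ctype == "StoreCertificate":
                    sc = ep.get("StoreCertificate", {})
                    if not sc.get("Subject"):
                        findings.append(f"{where}: StoreCertificate.Subject is empty")
                if ep.get("AuthenticationType", "None") == "None":
                    findings.append(f"{where}: AuthenticationType is None, no client credentials required")
                elif ep.get("AuthenticationEncryption", "None") == "None":
                    findings.append(f"{where}: AuthenticationEncryption is None, passwords kept in clear text")
    return findings

def audit_file_text(text: str) -> list[str]:
    return audit_endpoints(json.loads(text))
```

Note that the file-certificate configuration above still reports one finding: enabling TLS on the endpoint does not enable authentication, which is configured separately under Users below.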

Users

When the server is started it will create default configuration files for HTTP and MQTT if they do not exist: httpconfiguration.json and mqttconfiguration.json.

Each file contains an array of endpoints to start and each endpoint can have its own security settings. The files will be located in the data folder.

Configuration Example

{
  "MqttConfiguration": {
    "MqttEndpoints": [
      {
        "Address": "0.0.0.0", // The address to bind to
        "Port": 1883, // The port to use
        "Name": "---", // A custom name for the endpoint (optional)
        "AuthenticationType": "Basic", // None or Basic are current options
        "AuthenticationEncryption": "MD5", // None or MD5 are current options
        "AuthenticationFolder": "authentication", // folder to store access config in
        "AuthenticationFile": "mqttAccess1883.config" // the name of the access file for the endpoint
      }
    ]
  }
}


By default the AuthenticationType is set to None, but if we change it to Basic and restart the server we will see new files in the folder data/authentication. With the configuration above changed to use Basic authentication we will see two files:

  • mqttAccess1883.config - Contains all encrypted passwords. Do not edit this file.
  • new_mqttAccess1883.config - Enter new users into this file in the format username:password in clear text. Separate users with new lines.

When the server is started it will encrypt the password using the AuthenticationEncryption chosen in the endpoint configuration.

Example

If you enter uffe:foo into the file new_mqttAccess1883.config the server will encrypt the password into something like

uffe:$MD5$eTtZYr8vuDnBnQL/o2IM2ayZRnvhGC3lChmi8X98N2QOhzdNDII8mGhrv9bUZIPu1+pclAYohitAY9FpfY5IB+TsZiH79yCTxLpHr+z91jgacfA3YiOP8PZpcFTy1PIRLbMcOnTChzsdYYOlhMWv3LYm/iobDxq6ccX3uEL5+lo=$ITVf94re52wCB2lQqF2NeQ==

and store the information in the mqttAccess1883.config file. The content that was saved in clear text in new_mqttAccess1883.config will be removed.


Note that if you use None as AuthenticationEncryption the password will be stored in clear text.
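A quick way to spot clear-text entries is to parse the access file by its line layout, username:$Encryption$hash$salt for encrypted entries and username:password otherwise. The parser below is an added example, not Crosser's code; the scheme behind the $MD5$ prefix is not described on this page, so it validates structure and decoded lengths only and never recomputes a hash. The sample file is constructed from the page's entry for uffe plus one clear-text user.

```python
import base64
import re
from typing import NamedTuple, Optional

# One line of mqttAccess1883.config as shown above:  username:$<Encryption>$<base64 hash>$<base64 salt>
# The scheme behind "$MD5$" is not documented on the page, so this code only validates the
# structure of each entry and never recomputes or verifies hashes.
_ENCRYPTED = re.compile(r"^([^:$]+):\$([A-Za-z0-9]+)\$([A-Za-z0-9+/=]+)\$([A-Za-z0-9+/=]+)$")

class AccessEntry(NamedTuple):
    username: str
    encryption: Optional[str]  # "MD5" for an encrypted entry, None for a clear-text one
    hash_bytes: int            # decoded length of the stored hash, 0 for clear text
    salt_bytes: int            # decoded length of the stored salt, 0 for clear text

def parse_access_line(line: str) -> AccessEntry:
    """Parse one line of an *Access*.config file, encrypted or clear text."""
    line = line.strip()
    m = _ENCRYPTED.match(line)
    if m:
        user, enc, h, salt = m.groups()
        return AccessEntry(user, enc, len(base64.b64decode(h)), len(base64.b64decode(salt)))
    # With AuthenticationEncryption=None the file keeps "username:password" in clear text.
    user, sep, _password = line.partition(":")
    if not sep or not user:
        raise ValueError(f"malformed access entry: {line!r}")
    return AccessEntry(user, None, 0, 0)

def audit_access_file(text: str) -> list[str]:
    """Return one finding per clear-text entry; an empty list means every password is encrypted."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        if raw.strip():
            entry = parse_access_line(raw)
            if entry.encryption is None:
                findings.append(f"line {n}: user {entry.username!r} has a clear-text password")
    return findings

# Constructed sample: the page's encrypted entry for "uffe" next to a clear-text entry
# as written by an endpoint configured with AuthenticationEncryption=None.
SAMPLE_ACCESS_FILE = """\
uffe:$MD5$eTtZYr8vuDnBnQL/o2IM2ayZRnvhGC3lChmi8X98N2QOhzdNDII8mGhrv9bUZIPu1+pclAYohitAY9FpfY5IB+TsZiH79yCTxLpHr+z91jgacfA3YiOP8PZpcFTy1PIRLbMcOnTChzsdYYOlhMWv3LYm/iobDxq6ccX3uEL5+lo=$ITVf94re52wCB2lQqF2NeQ==
bob:secret
"""
```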


Usage

When using MQTT you can use the Username/Password feature of the protocol, so that clients connect to the Crosser MQTT Broker with their own credentials.

When using HTTP the same configuration gives you Basic Authentication.

Example for encryption and user authentication with docker-compose file

If you prefer to specify the endpoint configuration within your docker-compose file, you can use the example for MQTT below.

Keep in mind that all requirements still apply:

  • Certificates for endpoint must be available in ./data/certificates

  • an entry mapping edgenode.local to 127.0.0.1 must be added to /etc/hosts (or the equivalent hosts file, depending on the Operating System)

  • file which holds the new users, in this case new_mqttAccess8883.config, must be available in ./data/authentication/

Note: You can specify multiple MQTT endpoints, so each variable name must carry the endpoint index, here __0__.

version: '3.5'
services:
  edgenode:
    image: docker.crosser.io/crosser/edgenode:latest
    container_name: crosser-edgenode
    restart: always
    environment:
      - SecurityConfiguration__Credentials__NodeId=ENTER-YOUR-NODEID-HERE
      - SecurityConfiguration__Credentials__AccessKey=ENTER-YOUR-ACCESS-KEY-HERE
      - MqttConfiguration__MqttEndpoints__0__Address=0.0.0.0
      - MqttConfiguration__MqttEndpoints__0__Port=8883
      - MqttConfiguration__MqttEndpoints__0__AuthenticationType=Basic
      - MqttConfiguration__MqttEndpoints__0__AuthenticationEncryption=MD5
      - MqttConfiguration__MqttEndpoints__0__AuthenticationFolder=authentication
      - MqttConfiguration__MqttEndpoints__0__AuthenticationFile=mqttAccess8883.config
      - MqttConfiguration__MqttEndpoints__0__CertificateType=FileCertificate
      - MqttConfiguration__MqttEndpoints__0__clientCertificateRequired=false
      - MqttConfiguration__MqttEndpoints__0__StoreCertificate__StoreName=My
      - MqttConfiguration__MqttEndpoints__0__StoreCertificate__StoreLocation=LocalMachine
      - MqttConfiguration__MqttEndpoints__0__StoreCertificate__AllowValidOnly=true
      - MqttConfiguration__MqttEndpoints__0__StoreCertificate__SslProtocols=Tls12
      - MqttConfiguration__MqttEndpoints__0__FileCertificate__CertificatePath=edgenode.pfx
      - MqttConfiguration__MqttEndpoints__0__FileCertificate__CertificatePassword=ENTER-YOUR-CERTIFICATE-PASSWORD-HERE
      - MqttConfiguration__MqttEndpoints__0__FileCertificate__SslProtocols=Tls12
    ports:
      - 9090:9090
      - 9191:9191
      - 8883:8883
    volumes:
      - "./data:/application/data"
    logging:
      driver: json-file
      options:
        max-size: "50m"
        max-file: "2"
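Each environment variable in the compose file above is a path into the same endpoint structure that mqttconfiguration.json holds: "__" separates nesting levels and the all-digit segment selects an element of the MqttEndpoints array, which is why the index must appear in every name. The converter below is an added example, not Crosser's code, and assumes that convention (the standard .NET configuration layout the variable names imply); it turns a constructed set of compose lines, with a second endpoint added on 1883, into the nested JSON shape.

```python
def _coerce(value: str):
    """Turn env-var text into the JSON types the configuration files use."""
    if value.lower() in ("true", "false"):
        return value.lower() == "true"
    return int(value) if value.isdigit() else value

def _listify(node):
    """Post-pass: a dict whose keys are all indices (__0__, __1__, ...) becomes a list."""
    if isinstance(node, dict):
        if node and all(k.isdigit() for k in node):
            return [_listify(node[k]) for k in sorted(node, key=int)]
        return {k: _listify(v) for k, v in node.items()}
    return node

def env_to_config(env: dict) -> dict:
    """Build the nested configuration that Section__Key__Index__... variables describe.

    Assumption: the node follows the .NET convention the page's variable names imply, where
    "__" separates nesting levels and an all-digit segment is an index into an array.
    """
    root: dict = {}
    for name, value in env.items():
        *path, leaf = name.split("__")
        node = root
        for part in path:
            node = node.setdefault(part, {})
        node[leaf] = _coerce(value)
    return _listify(root)

def parse_env_lines(text: str) -> dict:
    """Read KEY=VALUE lines as they appear in a compose environment list or an .env file."""
    pairs = [line.strip().lstrip("- ").split("=", 1) for line in text.splitlines()]
    return {k: v for k, v in (p for p in pairs if len(p) == 2)}

# Constructed sample: the MQTT lines from the compose file above, plus a second endpoint
# on 1883 to show why the index segment is needed.
COMPOSE_ENV = """
      - MqttConfiguration__MqttEndpoints__0__Address=0.0.0.0
      - MqttConfiguration__MqttEndpoints__0__Port=8883
      - MqttConfiguration__MqttEndpoints__0__AuthenticationType=Basic
      - MqttConfiguration__MqttEndpoints__0__CertificateType=FileCertificate
      - MqttConfiguration__MqttEndpoints__0__StoreCertificate__AllowValidOnly=true
      - MqttConfiguration__MqttEndpoints__0__FileCertificate__CertificatePath=edgenode.pfx
      - MqttConfiguration__MqttEndpoints__1__Port=1883
      - MqttConfiguration__MqttEndpoints__1__AuthenticationType=None
"""

def compose_to_config(text: str) -> dict:
    return env_to_config(parse_env_lines(text))
```

Running the result through a configuration review (for example the endpoint audit earlier on this page) shows at a glance that the second, index-1 endpoint would be unauthenticated and unencrypted.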

Limitations

  • You should only use one settings file per endpoint. Do not try to use one file for several endpoints.

  • Only Basic authentication is currently supported.