Secure Remote Gateway Access

I would like to host an Ignition Gateway on my own local server and want external internet clients to access it. What's the preferred method for doing this securely? I basically want to make a local "cloud" server.

The most common approach would be a proxy server running on a public IP address, with registered domain name and SSL certificate, handing off specific traffic through a VPN to the site-local Ignition gateway. The DNS for the local site would typically be configured to override requests for the public name to serve it directly from the local gateway instead of bouncing through the proxy.

A quick and dirty way of doing this securely is using a Cloudflare tunnel. You need a domain name and DNS hosted through Cloudflare (you can also just buy your domain through them as well). Then you set up a tunnel by installing the tunnel software on any PC in the network, then once connected you can specify a domain like "ignition.mycompany.com" to the internal IP and port of your Ignition server, and it pretty much just works. Even encrypts the communication using a trusted certificate.


This works well, but I could never get the Perspective mobile app to work with a tunnel

I've used a tunnel with the Perspective app multiple times and never had an issue. Just make sure you're entering the full URL like https://ignition.mycompany.com and it should just work.

Should have mentioned, tunnel with authentication does not work. Straight tunnel is fine.

If you want to make it public, then this possible limitation does not apply.

That makes more sense. I never use the authentication of the tunnels as I leave the authentication up to Ignition.

In fact, I wouldn't expect it to work with Cloudflare's authentication at all because it's essentially injecting itself in the middle of the app's "flow" of selecting a project, etc.

All interesting ideas. Thank you all for your input. It seems that there is no "best" practice. I'm also coming to the point where I should just use the actual cloud server install on AWS or Azure for the extra cost. Although, for a small system that just wants a few outside client connections, these are still good things to play with.

Well, there is: use SSL.

Unfortunately, the bulk of the work to do that is outside Ignition. You need a publicly reachable server with a domain name, a certificate for that domain name, and, if not running Ignition right there, proxy routing to the real Ignition server. There are all kinds of resources for doing all of that, with near-infinite variety, all of it outside Ignition.

I completely understand that this is apart from Ignition, and that’s fine. It’s getting into somewhat unfamiliar territory that I need to research. I don’t suppose you’d have a good resource you could point me to?

Thank you.

I recommend studying these tools:

  • NGiNX for your public website.

  • OpenVPN for tying your public site to your local site (path for proxying).

  • Let's Encrypt for automated, free, public SSL certificates.

  • DNSmasq for local site DNS name overrides.

There are many other tools that can do this--these are just the simplest ones (IMO). Unfortunately, not really all that simple. There's a bunch of fundamentals of the web that will need to be absorbed.

I’m always up for learning. Thank you very much.

If you want the quick and dirty that still keeps your system secure but somewhat automates a lot of this, there are many videos on YouTube about Cloudflare Tunnels, and none probably specific to using one with Ignition, but one guy who usually describes things well and tries to keep things "fun" is Network Chuck.

His video is older and uses Google Domains (which doesn't exist anymore).

Here's a more recent video and you'd just need to buy a domain name through Cloudflare and it would make things really easy.

When you set up the tunnel you'll need to follow the instructions on Cloudflare for your OS (or find a video showing you based on your OS).

@pturmel's suggestions are good to learn all the ins and outs of how this works as you'll get to play and learn all the building blocks. There are some other tools you could try as stepping stones to bridge the gap between a complete DIY and the Cloudflare tunnels too.

Nginx Proxy Manager (NPM), if you know Docker and want a more GUI-style interface for setting up Nginx, with support for LetsEncrypt SSL certificates built in: https://nginxproxymanager.com

Another reverse proxy that works on Windows, also with LetsEncrypt support built in, that I recently played with (and that worked well in my testing) is Zoraxy: https://zoraxy.arozos.com

For the reverse proxy, Phil suggested Nginx, and I'm a big fan of HAProxy. They're configured differently: Nginx is primarily a web server that can also do reverse proxying, but HAProxy is really only a reverse proxy and load balancer: https://www.haproxy.org

Using these without a VPN connected to a publicly exposed server in the cloud will require you to open/forward port 443 (and possibly 80 depending on how you use LetsEncrypt verification), but definitely explore your options and learn. Ask questions. Don't open/forward 8088 or 8043 directly to Ignition.


Even though this thread is a few months old, just wanted to add my experience to this.
I have a 'sandbox' gateway for developing and testing in a local environment. My gateway is a standard configuration in a docker container. I use Cloudflare and Nginx for public access to the gateway.

  • Cloudflare routes my domain name to my public IP. I have an 'A' type record of 'scada', so 'scada.mydomain.com' points to my public IP.
  • scada.mydomain.com is forwarded through my router to the nginx instance.
  • Nginx receives 'scada.mydomain.com' and routes it to the external port of the scada docker container.
  • My Ignition gateway only has a single user configured, gateway and project access are limited to this user, and the password is fairly long and complicated.

One tip if you're setting this up; I could initially only access the gateway and designer, and couldn't access the project via web browser or desktop/mobile apps. Enabling 'Websockets Support' in Nginx corrected this, and I can access the project and apps normally now.

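Putting the tool list from earlier in the thread (NGiNX on the public host, OpenVPN to the site, Let's Encrypt for the certificate) together with the WebSocket tip from the post above, here is an added NGiNX site configuration for the public proxy host. It is example code written for this thread, not something any participant posted or anything shipped by Inductive Automation. It assumes the public name scada.example.com, certificate paths as certbot writes them, and an Ignition gateway at 10.8.0.10:8088 reachable across the VPN; all three are placeholders to replace with your own.

```nginx
# Added example (not from the thread): NGiNX site on the public proxy host.
# Assumed placeholders: scada.example.com (public name), certbot cert paths,
# and the Ignition gateway at 10.8.0.10:8088 over the VPN link.

# Turn a client's "Upgrade: websocket" into "Connection: upgrade" on the
# proxied request; ordinary requests get a plain "close".
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Port 80 exists only for the Let's Encrypt HTTP-01 challenge and to
# redirect everything else to HTTPS.
server {
    listen 80;
    server_name scada.example.com;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name scada.example.com;

    ssl_certificate     /etc/letsencrypt/live/scada.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/scada.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        # The gateway's own ports (8088/8043) are never forwarded from the
        # internet; only this proxy reaches them, over the VPN address.
        proxy_pass http://10.8.0.10:8088;
        proxy_http_version 1.1;

        # WebSocket upgrade headers: without these the gateway web pages and
        # designer load, but Perspective sessions and the mobile app do not.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Tell the gateway the public name and scheme it was reached on, so
        # redirects and generated URLs point back through the proxy.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Perspective sessions are long-lived; nginx's default 60s read
        # timeout would drop an idle WebSocket.
        proxy_read_timeout 3600s;
    }
}
```

With this in place the only ports forwarded to the proxy host are 443 and, for the HTTP-01 challenge, 80. Check the syntax with `nginx -t` before reloading, then confirm from outside the network that `https://scada.example.com` serves the gateway page and that 8088 and 8043 on your public IP are not reachable.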

That's another way. You might check out the Cloudflare tunnel method, as it lets you set up a single tunnel for your entire network, and once it's up you don't need open firewall ports or nginx anymore and can point a subdomain to the internal URL of the server; Cloudflare automatically puts encryption on the connection and tunnels it for you. You can set up new servers for testing in a few clicks with automatic encryption. Super simple, plus more secure.


I'm using a zero-trust tunnel to access my Home Assistant VM on the same server, I really don't know why I decided to try out Nginx for the apps running in Docker. Different day, different mindset I guess. I'll have to try the tunnel out again. Thanks!
