Set Up Self Signed Cert for External Access (Google Assistant or Alexa and IFTTT Integration)
Since IFTTT has moved to a pay model, I’ve stopped using this method for controlling my speaker selector with voice assistants. I’ve instead opted to start using Home Assistant and its associated cloud service for this capability. These IFTTT instructions may still work, however, and so I’m keeping them here.
Credit to this article for providing details on setting up self signed certificates in nginx. (https://www.humankode.com/ssl/create-a-selfsigned-certificate-for-nginx-in-5-minutes)
Optionally, you may want to be able to control the speaker selection via Google Assistant or via the IFTTT WebHooks. I have set up an API interface to allow HTTPS calls to control the speaker settings. The nginx reverse proxy will allow HTTPS (port 443) calls to be sent to the /extapi application route only. To avoid having to obtain a certificate from a certificate authority (and potentially have to purchase a domain), I'm providing instructions here on how to self-sign a certificate that can be used in conjunction with the nginx webserver. Because the self-signed certificate is only good enough to encrypt traffic between IFTTT and the application, and not to confirm the correct identity of the requester, a shared API key secret must be provided by the service to perform any actions.
In order to properly use this, you must provide a certificate for nginx to use (see the nginx setup above, where this should be taken care of by default) so that a secure connection can be created between the client and server. Additionally, an API key should be generated and stored by going to the admin page of the application, and enabling the API interface.
Additionally, the router must be configured to forward an external port (preferably a random port number) to port 443 on the IP of your speaker-select Raspberry Pi. This setup will vary from router to router, but it is usually found under NAT configuration or Port Forwarding.
Also, since most of us are on residential internet service and have IP addresses that are assigned dynamically to our modems, you may want to set up a Dynamic DNS service, which assigns a simple URL to forward web requests to your IP and updates the IP when it changes. I won't cover how this works in this guide, however I would recommend that you do some web searches for dynamic DNS. I would also recommend DuckDNS, which provides a completely free service for dynamic IP addresses. It's more bare-bones than something like DynDNS, but free is a pretty good price.
Once this is set up, you'll want to configure an applet in IFTTT to call your API, with your API key and the actions you want to take. Ensure your IFTTT call is using the HTTPS protocol to protect your API key in transit. The application should not respond to non-SSL based requests and should only work properly with the correct API key. No other interfaces are accessible via this API.
Your API Key can be enabled in the Admin settings page. You can also regenerate a new key if you'd like by clicking the "Generate New API Key" button.
Setting up IFTTT to work with Speaker Select External Access
Go to https://IFTTT.com and add a new applet.
Select Google Assistant and select "Say a simple phrase and trigger an action"
You will want to use the phrase that you'd like to trigger an action like "Turn on all the speakers." or "Hey Google, Turn off the Kitchen Speakers".
For the THEN action, select WebHooks and fill in as below:
Use the URL that you registered on your dynamic DNS service (for example DuckDNS mentioned above). Use the port and your API key as generated by the application in the admin screen.
- URL: If you are using a dynamic DNS service or a domain that you have already registered, you can simply use this to point to your instance. Example: https://yoursite.duckdns.org:34534/extapi/AbCdEfGHiJkLMnOPqrSTuVwXyZ012345 Note that the HTTPS portion of the URL is very important, since regular unsecured HTTP calls will be rejected by this app.
- Method: POST
- Content Type: application/x-www-form-urlencoded
- Body: This can be any combination of speaker settings either on or off, separated by an ampersand '&'. For example: spkrs_01=on&spkrs_02=on&spkrs_03=off which would turn Speakers 1 & 2 on and Speakers 3 off.
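To make the checks behind this webhook concrete, here is an added example (not the application's own code) of how a server could validate one /extapi request as described above. The function name, the status codes, the two-digit spkrs_NN field pattern and passing the scheme in as an argument are assumptions made for illustration.

```python
import hmac
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample key with the same shape as the example URL (not a real key).
API_KEY = "AbCdEfGHiJkLMnOPqrSTuVwXyZ012345"
# Assumed field naming, based on the example body: spkrs_01, spkrs_02, ...
SPEAKER_RE = re.compile(r"spkrs_\d{2}")
FORM_TYPE = "application/x-www-form-urlencoded"


def handle_extapi(scheme, method, path, content_type, body, api_key=API_KEY):
    """Validate one webhook call; return (status, settings dict or error text)."""
    # Plain HTTP would expose the key in transit, so refuse it outright.
    if scheme != "https":
        return 403, "HTTPS required"
    if method != "POST":
        return 405, "POST only"
    # The path must be exactly /extapi/<key>; nothing else is reachable.
    parts = urlsplit(path).path.strip("/").split("/")
    if len(parts) != 2 or parts[0] != "extapi":
        return 404, "not found"
    # Constant-time comparison avoids leaking how much of the key matched.
    if not hmac.compare_digest(parts[1].encode(), api_key.encode()):
        return 401, "bad API key"
    if content_type.split(";")[0].strip().lower() != FORM_TYPE:
        return 415, "unsupported content type"
    try:
        pairs = parse_qsl(body, keep_blank_values=True, strict_parsing=True)
    except ValueError:
        return 400, "malformed body"
    settings = {}
    for name, value in pairs:
        # Allow-list: only speaker fields with the values on/off are accepted.
        if not SPEAKER_RE.fullmatch(name) or value not in ("on", "off"):
            return 400, f"rejected field {name!r}"
        settings[name] = value == "on"
    if not settings:
        return 400, "no speaker settings"
    return 200, settings


if __name__ == "__main__":
    url_path = "/extapi/" + API_KEY
    print(handle_extapi("https", "POST", url_path, FORM_TYPE,
                        "spkrs_01=on&spkrs_02=on&spkrs_03=off"))
    print(handle_extapi("http", "POST", url_path, FORM_TYPE, "spkrs_01=on"))
    print(handle_extapi("https", "POST", "/extapi/wrong", FORM_TYPE, "spkrs_01=on"))
```

Because the key travels in the URL path, it is written to the nginx access log by default, so treat that log as sensitive and regenerate the key if the log is ever shared.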
Additional Notes on Accessing the Application from Outside your Local Network
Please take the utmost care in considering options for exposing this application outside of your home network. Given that this application has very limited security built in, anyone who is able to gain access to it, directly or indirectly, may be able to control your hardware, which could result in damage to your property or even potentially physical harm to someone nearby.
If you want to have access to this application outside of your home network, and I haven't already convinced you not to do this, then I would recommend setting up a VPN for your local network. This would allow you to tunnel to your home network and access all of your local equipment with some level of security. A good, low cost, and dead simple VPN project I would recommend is PiVPN.