With the introduction of VenusOS v3.50, a new "secured" network profile mode has been added which automatically adds support for HTTPS (using a self-signed certificate). This breaks support for some MFDs that expect to access resources over HTTP and/or without having to support cookie sessions or authentication.
From the release notes:
It is no longer necessary to enable MQTT when using the Marine MFD HTML5 App. Instead, the Network Security Profile setting needs to be set to Unsecured for that App to work on an MFD.
This is unfortunate, as keeping this setting "Unsecured" means it is accessible to anyone connected to the same network as your GX device (think of when your GX device is connected to your marina's wifi so you can remotely monitor your systems).
Luckily, the GX device must be connected to the Garmin MFD via Ethernet, so there are some tweaks we can make to allow the Garmin MFD to connect.
Enable "secured" profile in VenusOS to secure my CerboGX with HTTPS and password authentication, while only permitting traffic from the Garmin MFD over Ethernet to access HTTP without authentication.
Connectivity between Garmin MFDs and the CerboGX is established with a simple crossover cable (see this document). You can buy an expensive premade cable from Garmin or just crimp your own.
The Garmin MFD runs its own DHCP server, and the network is 172.16.0.0/16.
The Garmin MFD IP is 172.16.6.0. With this information in hand, we can secure access to just this IP using the simple allow and deny directives provided by ngx_http_access_module.
If you're using the ActiveCaptain app on your phone, you need to permit the entire /16 or whatever IP address you're assigned when you connect to the MFD wifi.
See Venus OS: Root Access for a detailed step-by-step guide to enabling root/SSH access to your device.
Create a patch file at /data/home/root/http-explanation.patch, which modifies the http-explanation.site nginx server configuration file with some additional location blocks which will be restricted to just the Garmin MFD network:
--- http-explanation.site.original
+++ /etc/nginx/sites-available/http-explanation.site
@@ -27,4 +27,32 @@
add_header Access-Control-Allow-Credentials true;
add_header Vary "Content-Encoding, Access-Control-Allow-Origin, Access-Control-Allow-Credentials";
}
+
+ location ~ ^/websocket-mqtt$ {
+ allow 172.16.0.0/16; # Garmin MFD Bridge Network
+ deny all;
+
+ proxy_pass http://127.0.0.1:9001;
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header Host $host;
+ }
+
+ location /app {
+ root /var/www/venus/;
+
+ index index.html index.php;
+
+ allow 172.16.0.0/16; # Garmin MFD Bridge Network
+ deny all;
+
+ gzip_static always;
+ add_header Cache-Control "no-cache";
+ }
+
+
+ location /garmin {
+ root /var/www/venus/;
+ }
}
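Review bot: the location /garmin block at the end of the hunk has no allow or deny lines, so unlike /websocket-mqtt and /app it is served to any client that can reach this server block, which does not match the stated goal of restricting the added locations to the Garmin MFD network. Either add the same "allow 172.16.0.0/16;" and "deny all;" pair there, or add a comment stating that /garmin is intentionally open. Note also that allow matches on the client's source address, not on the interface the request arrived on, so a client on any other attached network that hands out 172.16.x.x addresses would pass the same check; narrowing the rule to the MFD address or to the addresses actually in use would reduce that exposure.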
Second, create /data/rcS.local, marked as executable, with the following contents:
#!/bin/sh
# Re-apply the nginx patch at boot if the site config does not already contain it.
SITE_CONFIG=/etc/nginx/sites-available/http-explanation.site
PATCH_FILE=/data/home/root/http-explanation.patch
# The "Garmin MFD" comment only exists in the patched file.
if ! grep -q "Garmin MFD" "${SITE_CONFIG}"; then
    patch "${SITE_CONFIG}" "${PATCH_FILE}"
fi
This second script is invoked during early startup, patching the file before nginx is started by daemontools. This will ensure that after firmware upgrades, our changes to the nginx configuration are retained.
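To confirm after patching (or after a firmware upgrade) which location blocks actually carry a "deny all;" rule, the following check can be run against the site file. It is an added example, not part of the original post; the function names unrestricted_locations and write_sample are hypothetical, and the sample config is constructed from the blocks the patch adds (abridged).

```shell
#!/bin/sh
# Added example, not part of the original post.
# Prints each nginx "location" block in a site file that has no "deny all;"
# rule, i.e. a block that any client able to reach the server may request.
# Assumes "location ... {" sits on one line and location blocks are not nested.
unrestricted_locations() {
    awk '
        $1 == "location" { name = $(NF - 1); inloc = 1; denied = 0; next }
        inloc && $1 == "deny" && $2 == "all;" { denied = 1 }
        inloc && $1 == "}" {
            if (!denied) print name
            inloc = 0
        }
    ' "$1"
}

# Constructed sample: the three location blocks the patch adds (abridged).
write_sample() {
    cat > "$1" <<'EOF'
server {
    location ~ ^/websocket-mqtt$ {
        allow 172.16.0.0/16; # Garmin MFD Bridge Network
        deny all;
        proxy_pass http://127.0.0.1:9001;
    }
    location /app {
        root /var/www/venus/;
        allow 172.16.0.0/16; # Garmin MFD Bridge Network
        deny all;
    }
    location /garmin {
        root /var/www/venus/;
    }
}
EOF
}

# Demo on the constructed sample; prints the locations lacking "deny all;".
sample=$(mktemp)
write_sample "$sample"
unrestricted_locations "$sample"
rm -f "$sample"
```

On the device, call unrestricted_locations with /etc/nginx/sites-available/http-explanation.site as its argument; any location it prints is reachable without the source-address restriction.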