How to install a secure embedded Web server on a $3 WiFi device
Getting started with embedded development can be difficult and expensive, but in this article I will show you how to spin up FreeRTOS and the lwIP TCP/IP stack on a WiFi chip with a secure embedded web server in less than 30 minutes on a super low cost device.
Why use a Secure (TLS) Enabled Server?
Browsers have started flagging standard (HTTP) servers as "Not trusted" in the browser bar (see Figure 2 below), and a secure server will appear more trustworthy to the end customer. I'll go into this in detail in the Security Considerations section below.
The ESP8266 WiFi Chip and the Minnow Server
You can get an ESP8266 for as low as $1, but I recommend using a board that includes USB, since USB is needed for flashing the firmware. Without onboard USB you would need an additional step using a USB-to-TTL converter. A ready-to-use ESP8266 board with USB can be purchased for as low as $3.
The low cost ESP8266 WiFi chip is great for learning purposes, but it is slow, especially with CPU-intensive tasks such as encryption. You really need to think about the design when running CPU-intensive tasks on a slow chip.
The ESP8266 runs at 80 MHz, which is good for an embedded chip, but code execution is dog slow because the code is executed from SPI memory. Running a TLS enabled server on this device provides a real wakeup call when it comes to the practical limitations of resource constrained microcontrollers, and it is a great introduction to what can be run on a slow microcontroller. The type of secure web server chosen and the web application design become critical for slow devices.
In this article, I will explain how to compile and run the Minnow Server on an ESP8266. The Minnow Server and the reference example are available on GitHub.
I recently published an article on the Minnow Server here at embedded.com. The article explains how to use the Minnow Server for creating modern web based device management applications. The article also goes into the benefits of using a WebSocket server with a so called Single Page Application (SPA) when using TLS. I recommend reading this article since we will be preparing and compiling the same example code for the ESP8266.
We will be using the ESP8266 FreeRTOS/lwIP environment provided by the esp-open-rtos project, but don't worry, you do not need to go through the complex esp-open-rtos setup. Instead, we will be using a pre-configured and completely ready to use environment with an easy to use web-based IDE.
Download the FreeRTOS/lwIP ESP8266 IDE
Navigate to Real Time Logic and download the ESP8266 IDE we have prepared. The IDE, which is designed for educational purposes, includes a pre-configured esp-open-rtos bundled with an easy to use web-based C source code IDE. The IDE requires VMware or VirtualBox. I prefer VMware over VirtualBox, since I find it easier to use. Note that VMware is free for non-commercial use.
The ESP8266 IDE also includes an embedded TLS stack (SharkSSL), and the Minnow Server automatically uses TLS when compiled with SharkSSL.
You can start using the ESP8266 IDE without the ESP8266 board, but you cannot upload and run the compiled code. In other words, you can download the IDE and follow all steps in this tutorial except for running the code on the ESP8266.
The screenshot in Figure 1 below shows the virtual machine and the web-based IDE connected to the virtual machine. Notice how the virtual machine has taken ownership of the ESP8266 USB connection. The web-based IDE detects this and shows the ESP8266 as connected and ready to be flashed with new firmware.
Figure 1: Web based IDE connected to the IP address of the virtual machine. (Source: Real Time Logic)
The screenshot in Figure 1 shows the ESP8266 connected to LEDs via a breadboard. You do not need the extra LEDs or the breadboard unless you want to control the external LEDs used by the example application.
Note that the IP address of your VM will most likely be different than in Figure 1. Make sure to click in the virtual machine window for the IP address. If the window is blank, click the window and then press the enter key. You must enter this IP address in your browser to open the web IDE.
Installing the Minnow Server and the Example Code
The Minnow Server reference example is not included in the ESP8266 IDE and must be installed separately. Figure 1 shows the Minnow Server example already installed in the 'ESP/ms' directory. The Minnow Server must be installed from the Linux command line, but don't worry if you have not used Linux. You can simply copy and paste the commands we have prepared. The following figure shows a screenshot of the Minnow Server installation commands being pasted into the Linux web shell available at http://vm-ip-address/webshell/.
Figure 2: Minnow Server installation commands pasted into Linux web shell. (Source: Real Time Logic)
When you enter the URL to the web shell in your browser, you will be prompted to log in. The username is sharkssl and the password is SharkSSL.
The ESP8266 tutorial on GitHub explains how to configure the virtual machine, install everything, compile the web server example, and flash the firmware. The following video simplifies the process by explaining everything step by step.
Video 1: How to download and install the Minnow Server example, compile, and upload the code. (Source: Real Time Logic)
Secure vs. Non Secure
The Minnow Server can be used in secure or non-secure mode and automatically uses secure mode (TLS) when used with the ESP8266 IDE and SharkSSL. Using a TLS enabled web server in a device adds complexity, and the end user gets the administrative burden of dealing with SSL certificates. In the above video, we show how to remove the certificate error presented in the browser by installing the Certificate Authority (CA) certificate in the browser. The CA certificate is the certificate that was used to sign the server certificate in the web server example.
Embedded devices are typically installed in protected private networks, but many customers still demand that the web server connections use TLS. The use of TLS enabled servers on private networks is problematic since no well-known certificate authority will sign IP addresses or non-standard (private network) names. One option is to be your own certificate authority. If you are interested in learning more about this, check out our tutorial How to act as a Certificate Authority.
As mentioned above, the ESP8266 is slow. TLS is very CPU intensive and you will notice that it takes some time to establish a connection. The Single Page Application example, which uses WebSockets for communication, is optimized for CPU constrained devices, but the initial asymmetric cryptography (the TLS handshake) still takes time, especially with some browsers that do not follow good design practices and open many TCP connections, each requiring a full TLS handshake. To learn more about the problem with modern web browsers and slow microcontrollers, see our tutorial Creating Single-Page Apps with the Minnow Server, which goes into the problem in detail.