Philips Hue bridge
Recently I bought a Hue bridge with two bulbs, it was a specific “cheap” pack around 50€, the bridge itself usually costs that price, so I was quite interested. My idea was just to play with those bulbs and do funny things such as blinking when I get new mail, etc … After messing with it for a while using the Philips HUE app on Android, I wanted to do more so I checked the API. It’s quite well made and allows you to do a lot on your own, though, I had in mind to hide my bridge in my own local network, for security purpose and also to add more functionalities to it, let’s see how to make a hue bridge reverse proxy !
To do that, you need:
- a router, your own home box is enough
- a raspberry PI or any computer with Apache and PHP
- (optional) a USB to ethernet adapter, I bought this cheap one
- some time to configure it all !
Configure the bridge
Follow the official instructions to install your bridge, you have to connect it to your router, it needs an IP within your local network so we can reach it with an other computer.
Once it’s all set and that it got an IP, open up your web browser and go to the following URL: http://192.168.1.xxx/debug/clip.html, obviously set the IP address to the correct one.
Create a new user following the steps on the API documentation. Keep the generated hash around, it’s important to control your bridge.
Stay in your web browser in the debug and do a GET call to http://<ip-address.of.the.bridge>/api/<username>/config, it will look like that:
Copy the mac field and save it somewhere, it’s important.
Finally, we will configure the bridge to stop DHCP and also to take the IP we want it to get out of the local range.
Still in your browser, do a PUT request to http://<ip-address.of.the.bridge>/api/<username>/config with the following content:
Once you run it, you should lose the control to the bridge ! No worries, we’ll get it back.
If you bought the network adapter I suggested, it should look like that:
SSH to your raspberry pi, and check the network configuration:
Now plug the network adapter USB side to your PI, and connect the ethernet cable to the ethernet adapter.
We’ll check the adapter is working by doing the same command, but now we should see eth1 !
Perfect, now let’s configure the network, edit the file /etc/network/interfaces by adding the following:
Bring up eth1 end ping your bridge:
If it all works, you can move on to the HTTPS part, else, try using some networking tools such as tcpdump to determine what goes wrong.
New release of the Hue bridge uses HTTPS, of course it can’t rely on a real domain name since it’s connecting on the IP of the bridge and it can be different, after doing some reverse engineering it I found out how it works. Actually every bridge as an ID. Now that the link between your PI and the bridge is UP you can get your ID easily and prepare to create your own HTTPS certificate.
So there you go you have your CN which is actually what’s necessary to create your own HTTPS certificate. If you want to change your ID, you can, you’ll have to change it also in the PHP below.
First create a directory to store your key, certificate.
Now the key and the certificate
The only parameter that matters here is the CN, put a correct bridge ID, in my case I just changed a few values.
Finally just concat both files to create a pem.
A word of advice, as of now (version 1806051111 of the bridge), the hue app will use HTTPS to connect to the bridge, the first time you validate the connection it will stick the certificate. If you ever change the certificate, you’ll have to remove the credentials in your Android/iOS (i.e clear all data of the app) and press on the button again.
Second word of advice, if you test a lot, be careful to keep clean your whitelist user, it gets messy very fast ! You can delete some doing a DELETE request on /api/userYouControl/config/whitelist/userYouWishTodelete
Do you remember the MAC address of your bridge ? If, as I previously said you did, then we will use it pretty soon.
Stay on your PI and open up again /etc/network/interfaces, we will change the mac address of eth0 so if it will be seen as a HUE bridge for the mobile apps. You can use the mac address of the real bridge and alter it so it’s different, I suggest you use this website to make it sure it’s still seen as “Philips Lighting BV“.
Now on your home box, set the IP of your PI as a static one for this tutorial it will be 192.168.1.3.
It’s time to install haproxy, apache and php, I won’t describe this here, do as you wish, we’ll just go through what’s really important.
There goes a valid haproxy configuration:
Install mod_proxy and mod_http_proxy, create a new virtualhost /etc/apache2/sites-available/hue.conf this way:
Activate it and edit /var/www/index.php:
Now restart Apache and open your browser on http://192.168.1.3, it should load ! Check the logs of Apache, you should also see some requests.
I didn’t mention it, because I hadn’t figure it yet, but all the Philips’ Upgrades won’t be done anymore since the bridge has no internet access. I found out one way to do it, it’s tricky but anyone can do it.
I use the Hue App on my mobile to control lights, it tells you when some upgrades are required, it’s how I know I should run them. When it happens, I simply forward packets from my bridge to my PI and force the update thought the API, let’s do it.
Allow packet forwarding and forward the bridge to the PI:
You should notice that the third light is now lit, it reaches internet, no worries we open it up only temporarily.
Connect to the API and run the following commands:
It should download the update, restart your bridge, launch the update from your mobile app, sometimes it’s quite long ! To update three bulbs it took me around 1 hour, it depends on the update.
Once everything is done, cut the bridge from the internet:
Reboot it once again so remaining connections will be stopped. Only two lights should remain.
You might check that your bridge is really off the internet by doing a GET request to http://<ip-address.of.the.bridge>/api/<username>/config, you should have that:
Also, it’s possible you do a tcpdump to check to what your bridge tries to contact, it might amuse you.
Sources for the upgrades:
Your HUE bridge is hidden behind your raspberry PI, it’s secure moreover you can also edit the PHP to add new functionality !