The setup page allows the administrator to configure the power controller. These settings are supported:
Controller and outlet names
Use the controller name fields to assign a Controller Name to the power controller itself. Examples are "Server Rack Power Strip" or "Plutonium Refinery Control". The Controller Name field appears on the top of the home page. Assign a separate name to each outlet, such as "Missile Launcher" or "Email Server" to make identification of each circuit simple.
You can use characters from the full Unicode character set; they'll be transliterated for display on the LCD if necessary.
Delays
When a time value is entered in the "All ON sequence delay" field, the power controller will pause for a period of time before switching each outlet on in sequence. This delay helps prevent the power surges and blown circuit breakers which can occur when multiple devices are switched on simultaneously. A delay of 60 seconds is suggested for server applications. You may also enter a screen refresh delay in this section. If "Enable screen refresh" is checked, and a delay value is entered, your browser should periodically update the status screen.
Power loss recovery modes
The power loss recovery mode setting has three settings which take effect after a power failure:
- You can turn all outlets off (all systems will be switched off until manually turned on later) by checking the first box.
- You can automatically turn all outlets on using the "All ON sequence delay" described above. Check the second option to do this.
- You can return to the same outlet settings that were used prior to the power loss. The "All ON sequence delay" will also be used in this instance. Click the third option to return to pre-powerless state.
User-defined links
You may link to other power controllers, your own web pages, or remote web sites by entering up to four URLs and descriptions in the Setup page. For example, enter "Site Two Power Controller" in the description field with a URL of "http://192.168.0.250/". These links appear on every page of the main web UI.
Network settings
You can adjust the HTTP and HTTPS port bindings. If left empty, the corresponding service is not accessible. It may be a good idea to disable HTTP if HTTPS satisfies your needs. Disabling both for security is possible; you can use the LCD and keypad, or SSH to re-enable them if needed.
Enabling SSH will allow full control over the device, possibly bypassing most of the restrictions, e.g. setting protection. The SSH port is customizable as well. The SSH server also accepts public key authentication for a configurable set of keys (the format is the same as in the authorized_keys file).
You can limit the severity of the locally recorded log messages by setting a minimal severity. Note that the local log is circular, with old messages being replaced by newer ones; messages aren't persisted across reboots. For persistent storage, you can configure the unit to send the system log to a syslog server. All messages, regardless of severity, are sent; the receiver is expected to do the filtering.
Same subnet restriction can used to prevent remote access from outside. ONLY MACHINES IN THE SAME SUBNET WILL CONNECT AFTER ENABLING THIS. If connectivity is lost, use a local connection such as a laptop with a crossover cable to restore your original network settings; you can also use the LCD and keypad for that.
Wired network settings
The device MAC address is provided for reference only and cannot be changed in this form. If you need to change the MAC address, you may do so via LCD+keypad, SSH or using the REST-like API. Be sure you know what you're doing, as e.g. assigning a conflicting MAC address, or a broadcast MAC address will make an interface unusable.
To configure the unit to use static IP assignment, a fixed IP address and network mask must be entered. If a default gateway is specified it must be on the same subnet as the IP address specified. A number of DNS server IP addresses can be supplied separated by commas, e.g. 192.168.0.1,8.8.8.8. If DNS servers are available, some other configuration variables can accept hostnames instead of IP addresses.
If you wish to configure the unit to use DHCP IP assignment, you needn't change the IP, network mask, default gateway and DNS servers; rather, after the unit obtains a DHCP lease, the parameters will be displayed for reference.
It is recommended to configure the DHCP server to provide a static lease for the EPCDC32 using its MAC address (also displayed).
When changing IP addresses, you may need to restart the unit and your network switch to validate the new IP on an "auto-configuring" switch port.
Wireless network settings
The wireless network adapter has settings similar to those of the wired network adapter (see above), and adds WiFi-specific ones. This configuration section will not be shown if wireless support is absent.
It's possible to disable the wireless module entirely by unchecking the "WiFi module enabled" checkbox. The wireless MAC address is configured to match the wired MAC address as the adapters will never be on the same subnet in a regular setup. Use LCD+keypad, SSH access or the REST-like API if you need to change that.
The WiFi module can operate either in Access Point ("server") or Station ("client") mode. Either way, the name of the wireless network to create/connect to must be specified as the SSID.
If the unit is configured to be an Access Point and have a static IP assignment, it starts a DHCP server on the wireless interface.
It is possible to use no encryption on the WiFi channel, or one of the WPA, WPA2 or WPA/WPA2 mixed mode with pre-shared key (the key has to be entered then). WEP encryption is considered insecure and is not supported. Other encryption modes are not supported.
Network settings protection
You may press the "protect" button to lock the network settings (this will also affect the external API settings). Once locked, the network settings cannot be changed except by pressing the physical reset button on the front of the unit.
Access control
The administrator's username and password can (and should) be changed from the default values. Note that you need to provide the current password for confirmation.
In addition to the administrator, any number of users with individual passwords and outlet permissions may be configured on the setup page. Only the administrator can edit user names and passwords (users can only inspect and switch outlets).
Checkboxes to the right of each user name outlet control access privileges. Users can only see and interact with the chosen outlets. For example, user 'harry' would see the following on login:
Individual outlets can be manipulated as usual. The top links allow switching all accessible outlets on, off or cycling them.
Notice the outlet numbering difference for non-administrative users vs the previous generations of EPCR/LPC controllers. In EPCDC32, non-administrative users see all outlets accessible to them numbered consecutively starting from 1; previously the indices used to match those seen by the administrator. Naive outlet state manipulation links like http://192.168.0.100/outlet?3=ON will work differently depending on the user you're logged in as; however, certain use cases may benefit from this change. Consider using the REST-like API if you need consistent outlet manipulation.
The next group is comprised of miscellaneous settings for access control.
If you need to access the controller with clients supporting Basic authentication, or by browsers without JavaScript, you may need to enable the "Allow legacy plaintext login methods" setting. Those methods transmit passwords over the network and are thus considered insecure. This includes Basic authentication over HTTPS, which is secure relative to Basic authentication over HTTP, but relies solely on TLS for security, which is considered risky by some experts. DLI Ethernet Sender should not require this setting.
If you need to configure outlets or run scripts on the controller via links or use browsers without JavaScript, you may need to enable the "Allow legacy state-changing GET requests" setting. This allows configuring the controller by following links, but is insecure as you or your browser can be tricked into following such a link. This setting is on by default for compatibility, but is deprecated, and its use is discouraged; it will become disabled by default in future firmware versions, and you're encouraged to disable it manually. Links defined in the Links section will be rewritten on the fly to not require this setting if JavaScript is enabled.
The "Hide user passwords" and "Hide WiFi password" settings configure whether clients should be able to read back the relevant values; this may be a security issue if there are untrusted administrator users.
The "Disable local keypad" setting is designed for untrusted physical environments. When enabled, the LCD will briefly indicate that the keypad is disabled on each keypress and otherwise ignore it.
Note that this still leaves the reset button available to an attacker.
The "Show device name on login page" setting can be used to control if unauthenticated users can see the device name (it used to be controllable by a space character preceding the device name in previous controller models, but is now an individual setting). This may be a convenience, but also a possible security issue.
HTTPS certificate generation and renewal
HTTPS clients rely on certificates to ensure the server's identity. Operating as an HTTPS server, the EPCDC32 is capable of generating self-signed certificates or obtaining certificates from third parties, such as certificate authorities (CAs).
Identity of the server is protected by a private key, which must be kept secret. EPCDC32 currently supports RSA private keys only; the number of bits can be configured. A key is generated by default; you can create a new one by pressing the "Generate" button. Note that this may take some time.
Whenever you generate a new key, a matching certificate needs to be issued in order for clients to trust the unit. If automatic enrollment is configured (see below), key regeneration triggers it as well.
Unlike the key, a certificate is public, not secret, and assures that its holder indeed is the entity it claims to be as long as the client trusts the certificate's issuer. To configure what your EPCDC32 claims to be, the following certificate signing request (CSR) fields need to be filled:
- DNS and IP subject alternate names are used by browsers to check HTTPS server identity; if left at defaults ("Override defaults" not checked), the system domain name and the currently configured IP addresses are used, respectively; in many cases, e.g when using port forwarding, this isn't what you want; public CAs will not issue, and most browsers will not trust, certificates issued for private (e.g. RFC1918) IP addresses;
- Additional distinguished name elements can be configured; these can be seen by a browser's user.
Due to historical reasons, strings in certificates can be encoded in various ways; this can also be configured here.
If you rely on a CA to issue your certificates, refer to that CA's documentation on what distinguished name elements are permitted (or even mandatory) and what string type set to use.
To manually generate a certificate, use the "Download CSR" link and transfer the downloaded file to your CA; once the CA issues you a certificate, you should select and upload it using the "Upload certificate" form. The file to upload must be a PEM-formatted file containing the full certificate chain; in case your CA provides you a single-certificate file, you need to convert it to the PEM format and prepend the CA's certificate chain to it.
Note that the CSR you transfer contains only public, not secret, information; the private key need never leave the unit.
For convenience, a link to download a previously uploaded or automatically generated certificate is present as well.
If "Automated renewal" is selected, certificate renewal will be triggered when the certificate is close to expiry.
If you perform CSR signing manually, be sure to switch automated renewal off as it will cause (e.g. generation of a self-signed certificate) once the certificate you have uploaded is close to expiry, which is likely not what you want.
The following automated certificate generation or renewal methods are supported:
Generating a self-signed certificate
Generating a self-signed certificate is always possible and is a viable option if you can persuade clients (e.g. browsers) to trust the certificate generated this way. This method does not rely on any Internet connectivity and is totally self-sufficient; however, such certificates will not be trusted by browsers by default.
The only configurable parameter is the number of days to issue the certificate for.
ACME certificate enrollment
ACMEv2 (Automatic Certificate Management Environment, RFC 8555) is a way of obtaining a certificate from a CA that includes proving that you indeed own the domain names or IP addresses you claim to own; those names and addresses must be public to allow the CA to perform the validation. This method is supported by a number of CAs including Let's Encrypt, Buypass, ZeroSSL and others.
The current implementation only supports the http-01 challenge, so the EPCDC32 (or the network it is on) needs to be configured so that HTTP requests to the names and addresses specified and port 80 are routed to the unit's HTTP port. Additionally, external account binding, which is required by some CAs, is not yet supported.
To use this method, you need to configure the ACMEv2 directory endpoint and the service agreement URLs, which should be provided by the CA. Providing the service agreement URL is considered to be accepting it; that URL is also available via the directory, so if the CA changes its service agreement and the URL no longer matches, EPCDC32 will not perform enrollment of new certificates. You should supply your own contact URLs as a whitespace-separated list for the CA admin to contact you in case of problems. The default ACMEv2 authentication algorithm, as well as the one mandated to be supported by all CAs, is ES256; the digits indicate the SHA* digest function choice; ES* algorithms use NIST prime elliptic curve keys of appropriate sizes, and RS* algorithms use RSA keys of appropriate sizes. Note that initial generation of the authentication key, distinct from the certificate key, may take some time, especially for the RSA variants.
The system log is useful in diagnosing automated certificate generation issues; in particular, it may include messages from ACME CA indicating that the subject alternate names or distinguished name elements you have configured are unsuitable, or the private key you're using is too weak (you'll need to increase the number of bits and regenerate the key then).
ACMEv1 certificate enrollment method is an older, deprecated variant of ACME which is no longer supported for new domains by any known provider.
EST certificate enrollment
EST (Enrollment over Secure Transport, RFC 7030), successor of SCEP, is a simpler method of obtaining a certificate than ACME that only requires proving your identity, from which the EST server can supposedly deduce what domains or IP addresses you can claim. It is useful in environments where a pre-established trust relationship is present, such as a company's local network.
To configure this method, you need to supply the EST server base URL, which must be a HTTPS one, set the credentials and the authentication method to use.
Miscellaneous settings
The following setting group controls aspects of data presentation of the unit.
You can force all the text displayed on the LCD to be in CAPS, which may be more legible. However, this won't affect the network settings, as they include the WiFi password which would be useless if capitalized.
You can specify the preferred image format for plots and meters. PNG is the default, as it's supported by most browsers, but SVG can provide a much cleaner result on recent ones.
