Do I really need Apache? Topic is solved

Moderator: leecollings

EdddieN
Posts: 510
Joined: Wednesday 16 November 2016 11:31
Target OS: Raspberry Pi / ODroid
Domoticz version: 4.9700
Location: Scotland
Contact:

Do I really need Apache?

Post by EdddieN »

Hello,

I'm working on this project: viewtopic.php?f=4&t=21403 and I'm creating a setup page for the I/Os which needs to forward the configuration via the Raspberry Pi UART to the extension board. I have managed to create a Python or Bash script that handles that, however I need to be able to create the file and trigger the script from the web.

Imagine this form created in PHP:
[Attachment: form.png]
Ideally I'd like to have this page inside the domoticz/www folder without the need to install Apache.
I have tried installing php-cgi and adding the config to the domoticz.sh start:

DAEMON_ARGS="$DAEMON_ARGS -php_cgi_path /usr/bin/php-cgi7.0"
or

DAEMON_ARGS="$DAEMON_ARGS -php_cgi_path /usr/bin/php-cgi"
but nothing... Domoticz is offline or 404

Is it really my only option to install Apache?
And if Apache, then how do I block the page from loading if you are not logged into Domoticz?
11101101 - www.machinon.com

Re: Do I really need Apache?

Post by EdddieN »

I'm trying to achieve this in Python too, but seems simpler in PHP if I can get the page to load :D
DeBaat
Posts: 33
Joined: Saturday 27 January 2018 14:52
Target OS: NAS (Synology & others)
Domoticz version: V3.8153
Contact:

Re: Do I really need Apache?

Post by DeBaat »

In another post I read about Dashticz.
This is also a (set of) php page(s) running in the Domoticz environment.
How about using the same technique for your php pages?
gordonb3
Posts: 111
Joined: Saturday 31 March 2018 22:24
Target OS: Linux
Domoticz version: Custom
Location: Delft, NL
Contact:

Re: Do I really need Apache?

Post by gordonb3 »

Apache is quite heavy for home use, but the nice thing about it is that it supports just about everything right out of the box and has full PHP integration. Which is actually a bad thing for providers hosting sites from multiple customers on a single server, because the PHP integration allows customers to peek into each other's home directory. Which is why PHP is usually run as a CGI, but you don't want to do that because this access method has been known to allow uploading and executing arbitrary code more than once. If you run the original Squeeze based Raspbian you want to stay far, far away from this access method.

For something more lightweight you can use Nginx combined with PHP-FPM "fastCGI" accessed through unix:socket. If you proxy Domoticz through Nginx as well it should be possible to use Domoticz security by fetching the related cookie and verifying that with Domoticz prior to returning any data. I know this sounds very theoretical, but I'm sure there must be at least a million examples to be found on the internet doing something similar to this.

Re: Do I really need Apache?

Post by EdddieN »

DeBaat wrote: Tuesday 01 May 2018 20:59 In another post I read about Dashticz.
This is also a (set of) php page(s) running in the Domoticz environment.
How about using the same technique for your php pages?
Good tip! Still playing with it, but a quick test of the dashticz_v2 theme seems to have the same issue when trying to use PHP files, see below (404):
[Attachment: Screen Shot 2018-05-01 at 22.10.33.png]

Re: Do I really need Apache?

Post by EdddieN »

gordonb3 wrote: Tuesday 01 May 2018 21:18 Which is why PHP is usually run as a CGI, but you don't want to do that because this access method has been known to allow uploading and executing arbitrary code more than once. If you run the original Squeeze based Raspbian you want to stay far, far away from this access method.
I don't know enough about PHP, but I take it you mean that is a potential front door for a hack, right? Even if only using the Domoticz web server?

Re: Do I really need Apache?

Post by gordonb3 »

Any web server that grants access to /cgi-bin/php.cgi, so yes even Domoticz web server if you manage to insert it.

The main issue with Debian (derived) systems is that if you install PHP you get all the access methods, no questions asked. And it will even link the CGI and add the Apache module where supported web servers can find them. So even if you don't know it is there it allows a hacker keyless entry. And of course if you manually deleted it the CGI may return if you run an update.

A fairly simple trick that keeps most of them out is to make use of the web server's vhost capability - i.e. the possibility to run multiple web sites through their own domain name. Which obviously Domoticz won't do as this is a single purpose web server, but Apache and Nginx will. Create a default vhost that does nothing other than display the `It Works!` page and is either stripped from cgi-bin access or has it redirected to /dev/null. Create one or more additional vhost(s) to match a specific (d)dns name. As hackers usually come in using the raw IP address all they will see is the dummy page where they can't do any harm. If you like you can also give the individual vhosts different log files so you can have fail2ban monitor the one for the default vhost. In my opinion that is rather pointless though as it will only give you an extremely long list of compromised computers and at some point this may cause your own firewall to become the source of a Denial-of-Service.

Re: Do I really need Apache?

Post by EdddieN »

Understood.

Ok, then if I set up an Nginx server as you suggest, the only challenge left I have is that the credential logins by Domoticz will not be shared by the custom setup.php page to configure the board. Leaving that setup page open is a bit risky, so I would rather have it protected with the same credentials, as having two sets of logins is a bit user-unfriendly.

Alternatively I'm looking at this: https://www.domoticz.com/wiki/Developin ... hon_plugin but I must admit it is very new. Probably more for the python forum... I'll ask the question there.

Thanks for all your help!

Re: Do I really need Apache?

Post by gordonb3 »

As said before: if you are connecting to PHP you can read the cookie and send that along with some lightweight request to Domoticz to verify its response.

1) read cookie
2) send web request (http://.../json.htm?...)
3) read json response
4) send HTTP 403 or run rest of script to produce output
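
The four steps above as an added Python example (not code from any poster in this thread or from Domoticz). Assumptions: the check URL is supplied by the caller because the thread leaves its query string out, an authenticated reply is assumed to carry `"status": "OK"`, and `StubDomoticz` with its cookie value is a constructed stand-in so the gate can be exercised offline.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# No proxy: the session cookie should only ever travel to Domoticz itself.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def domoticz_session_ok(cookie_header, check_url, timeout=3.0):
    """Steps 1-3: forward the browser's Cookie header and read the JSON reply."""
    if not cookie_header or "\r" in cookie_header or "\n" in cookie_header:
        return False  # no cookie, or an attempt to inject extra headers
    req = urllib.request.Request(check_url, headers={"Cookie": cookie_header})
    try:
        with _OPENER.open(req, timeout=timeout) as resp:
            body = json.loads(resp.read(65536).decode("utf-8"))
    except (urllib.error.URLError, OSError, ValueError):
        return False  # 401, timeout, bad JSON: fail closed
    # Assumption: an authenticated reply carries "status": "OK".
    return isinstance(body, dict) and body.get("status") == "OK"

def handle_setup_request(cookie_header, check_url, run_setup):
    """Step 4: answer 403 unless Domoticz vouches for the session."""
    if not domoticz_session_ok(cookie_header, check_url):
        return 403, "Forbidden\n"
    return 200, run_setup()

class StubDomoticz(BaseHTTPRequestHandler):
    """Constructed stand-in for Domoticz that accepts one made-up cookie."""
    VALID = "SID=constructed-session-value"

    def do_GET(self):
        ok = self.headers.get("Cookie") == self.VALID
        body = json.dumps({"status": "OK" if ok else "ERR"}).encode()
        self.send_response(200 if ok else 401)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet

def start_stub():
    """Start the stub on a free localhost port; returns (server, check_url)."""
    srv = HTTPServer(("127.0.0.1", 0), StubDomoticz)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d/json.htm" % srv.server_address[1]
```

The gate fails closed: a missing cookie, a rejected cookie, an unreachable Domoticz or an unparsable reply all end in 403, so the setup script never runs on an unverified session.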