I have two questions regarding my installation of Domoticz 2020.2 on Ubuntu 18.04. I'm trying to get my domoticz more secure.
1. How can I completely disable HTTP ? I want to use HTTPS only.
I have searched the internet but couldn't find it.
2. I've set:
website security with a password in settings,
light switch protection with a password in settings
and security panel with a password in settings.
But I still can access https://domoticz/json.htm?type=command¶m=getconfig without password.
Is this supposed to be? And isn't this a security issue?
Kind regards
disable http & no password for "json.htm?type=command¶m=getconfig"
Moderators: leecollings, remb0
disable http & no password for "json.htm?type=command¶m=getconfig"
Domoticz 2024.7 on Ubuntu 22.04 LTS VM on ESXi 7
SolarEdge Web API, P1 meter, RFXCOM433E, OpenZWave via ZMEEUZB1, MQTT AD Client Gateway ZWave-JS-UI, Philips Hue bridge, Kodi Media server, Panasonic TV, OWM, BuienRadar and HTTP/HTTPS poller Watermeter
SolarEdge Web API, P1 meter, RFXCOM433E, OpenZWave via ZMEEUZB1, MQTT AD Client Gateway ZWave-JS-UI, Philips Hue bridge, Kodi Media server, Panasonic TV, OWM, BuienRadar and HTTP/HTTPS poller Watermeter
-
waaren
- Posts: 6028
- Joined: Tuesday 03 January 2017 14:18
- Target OS: Linux
- Domoticz version: Beta
- Location: Netherlands
- Contact:
Re: disable http & no password for "json.htm?type=command¶m=getconfig"
Did you try to change
Code: Select all
DAEMON_ARGS="$DAEMON_ARGS -www 8080"
Code: Select all
DAEMON_ARGS="$DAEMON_ARGS -www 0"
If this is on your local network: what do see in settings page for "Local Networks (no username/password):"2. I've set:
website security with a password in settings,
light switch protection with a password in settings
and security panel with a password in settings.
But I still can access https://domoticz/json.htm?type=command¶m=getconfig without password.
Debian buster, bullseye on RPI-4, Intel NUC.
dz Beta, Z-Wave, RFLink, RFXtrx433e, P1, Youless, Hue, Yeelight, Xiaomi, MQTT
==>> dzVents wiki
dz Beta, Z-Wave, RFLink, RFXtrx433e, P1, Youless, Hue, Yeelight, Xiaomi, MQTT
==>> dzVents wiki
Re: disable http & no password for "json.htm?type=command¶m=getconfig"
Code: Select all
DAEMON_ARGS="$DAEMON_ARGS -www 0"It seems that worked out.
Regarding the "local network (no network password)" that one is empty.
I'm accessing domoticz on my local network, yes.
To point it a little bit more out.
"I still can access https://domoticz/json.htm?type=command¶m=getconfig without password."
While this URL requires a password https://domoticz/
So it's specifically json.htm?... that might have an issue?
Domoticz 2024.7 on Ubuntu 22.04 LTS VM on ESXi 7
SolarEdge Web API, P1 meter, RFXCOM433E, OpenZWave via ZMEEUZB1, MQTT AD Client Gateway ZWave-JS-UI, Philips Hue bridge, Kodi Media server, Panasonic TV, OWM, BuienRadar and HTTP/HTTPS poller Watermeter
SolarEdge Web API, P1 meter, RFXCOM433E, OpenZWave via ZMEEUZB1, MQTT AD Client Gateway ZWave-JS-UI, Philips Hue bridge, Kodi Media server, Panasonic TV, OWM, BuienRadar and HTTP/HTTPS poller Watermeter
-
waaren
- Posts: 6028
- Joined: Tuesday 03 January 2017 14:18
- Target OS: Linux
- Domoticz version: Beta
- Location: Netherlands
- Contact:
Re: disable http & no password for "json.htm?type=command¶m=getconfig"
No it is by design.
When you check other JSON's you will see some will work and some will return a 401 UNAUTHORIZED message based on the perceived risk/impact.
Debian buster, bullseye on RPI-4, Intel NUC.
dz Beta, Z-Wave, RFLink, RFXtrx433e, P1, Youless, Hue, Yeelight, Xiaomi, MQTT
==>> dzVents wiki
dz Beta, Z-Wave, RFLink, RFXtrx433e, P1, Youless, Hue, Yeelight, Xiaomi, MQTT
==>> dzVents wiki
Re: disable http & no password for "json.htm?type=command¶m=getconfig"
Maybe a stupid question, but why isn't just simply everything: 401 UNAUTHORIZED? That's at least no risk/impact at all.
Domoticz 2024.7 on Ubuntu 22.04 LTS VM on ESXi 7
SolarEdge Web API, P1 meter, RFXCOM433E, OpenZWave via ZMEEUZB1, MQTT AD Client Gateway ZWave-JS-UI, Philips Hue bridge, Kodi Media server, Panasonic TV, OWM, BuienRadar and HTTP/HTTPS poller Watermeter
SolarEdge Web API, P1 meter, RFXCOM433E, OpenZWave via ZMEEUZB1, MQTT AD Client Gateway ZWave-JS-UI, Philips Hue bridge, Kodi Media server, Panasonic TV, OWM, BuienRadar and HTTP/HTTPS poller Watermeter
Who is online
Users browsing this forum: Amazon [Bot] and 1 guest