I have two questions regarding my installation of Domoticz 2020.2 on Ubuntu 18.04. I'm trying to get my domoticz more secure.
1. How can I completely disable HTTP ? I want to use HTTPS only.
I have searched the internet but couldn't find it.
2. I've set:
website security with a password in settings,
light switch protection with a password in settings
and security panel with a password in settings.
But I still can access https://domoticz/json.htm?type=command&param=getconfig without password.
Is this supposed to be? And isn't this a security issue?
Kind regards
disable http & no password for "json.htm?type=command&param=getconfig"
Domoticz 2025.2 on Ubuntu 24.04 LTS VM (ESXi 7u3s)
SolarEdge/webAPI, SE2MQTT/modbus IP, Zigbee2MQTT/Sonoff ZB3.0+, ZWave-JS-UI/ZMEEUZB1, MQTT AD Client Gw, P1 mtr, RFXCOM433E, Philips Hue v2, Kodi, Panasonic TV, BuienRadar & Watermtr/HTTP/HTTPS poll
- waaren
- Posts: 6028
- Joined: Tuesday 03 January 2017 14:18
- Target OS: Linux
- Domoticz version: Beta
- Location: Netherlands
Re: disable http & no password for "json.htm?type=command&param=getconfig"
gbonny wrote: Friday 14 August 2020 12:55
1. How can I completely disable HTTP ? I want to use HTTPS only.

Did you try to change
Code:
DAEMON_ARGS="$DAEMON_ARGS -www 8080"
Code:
DAEMON_ARGS="$DAEMON_ARGS -www 0"

gbonny wrote:
2. I've set:
website security with a password in settings,
light switch protection with a password in settings
and security panel with a password in settings.
But I still can access https://domoticz/json.htm?type=command&param=getconfig without password.

If this is on your local network: what do you see in settings page for "Local Networks (no username/password):"
Debian buster, bullseye on RPI-4, Intel NUC.
dz Beta, Z-Wave, RFLink, RFXtrx433e, P1, Youless, Hue, Yeelight, Xiaomi, MQTT
==>> dzVents wiki
Re: disable http & no password for "json.htm?type=command&param=getconfig"
Code:
DAEMON_ARGS="$DAEMON_ARGS -www 0"
It seems that worked out.
Regarding the "local network (no network password)" that one is empty.
I'm accessing domoticz on my local network, yes.
To point it a little bit more out.
"I still can access https://domoticz/json.htm?type=command&param=getconfig without password."
While this URL requires a password https://domoticz/
So it's specifically json.htm?... that might have an issue?
Domoticz 2025.2 on Ubuntu 24.04 LTS VM (ESXi 7u3s)
SolarEdge/webAPI, SE2MQTT/modbus IP, Zigbee2MQTT/Sonoff ZB3.0+, ZWave-JS-UI/ZMEEUZB1, MQTT AD Client Gw, P1 mtr, RFXCOM433E, Philips Hue v2, Kodi, Panasonic TV, BuienRadar & Watermtr/HTTP/HTTPS poll
- waaren
Re: disable http & no password for "json.htm?type=command&param=getconfig"
gbonny wrote: Friday 14 August 2020 18:44
So it's specifically json.htm?... that might have an issue?

No it is by design.
When you check other JSON's you will see some will work and some will return a 401 UNAUTHORIZED message based on the perceived risk/impact.
Debian buster, bullseye on RPI-4, Intel NUC.
dz Beta, Z-Wave, RFLink, RFXtrx433e, P1, Youless, Hue, Yeelight, Xiaomi, MQTT
==>> dzVents wiki
Re: disable http & no password for "json.htm?type=command&param=getconfig"
waaren wrote: Friday 14 August 2020 23:14
    gbonny wrote: Friday 14 August 2020 18:44
    So it's specifically json.htm?... that might have an issue?
No it is by design.
When you check other JSON's you will see some will work and some will return a 401 UNAUTHORIZED message based on the perceived risk/impact.

Maybe a stupid question, but why isn't just simply everything: 401 UNAUTHORIZED? That's at least no risk/impact at all.
Domoticz 2025.2 on Ubuntu 24.04 LTS VM (ESXi 7u3s)
SolarEdge/webAPI, SE2MQTT/modbus IP, Zigbee2MQTT/Sonoff ZB3.0+, ZWave-JS-UI/ZMEEUZB1, MQTT AD Client Gw, P1 mtr, RFXCOM433E, Philips Hue v2, Kodi, Panasonic TV, BuienRadar & Watermtr/HTTP/HTTPS poll
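Added example, not part of the thread and not Domoticz code: a check you can run against your own installation to see which json.htm queries answer without credentials, which return 401, and whether a port no longer answers at all (as expected for HTTP after "-www 0"). The query "type=devices", the stub server and all function names are assumptions for the illustration, and the stub's 200/401 split is constructed, not Domoticz's actual behaviour.

```python
import http.server
import threading
import urllib.error
import urllib.request

# Only the first query appears in the thread; "type=devices" is an assumed
# second example. Replace the list with the queries your own setup uses.
QUERIES = ["type=command&param=getconfig", "type=devices"]
LABELS = {200: "open", 401: "auth", None: "unreachable"}
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy

def probe(base_url, query, timeout=5):
    """Status of an unauthenticated GET on json.htm?<query>, None if no answer."""
    try:
        with OPENER.open(f"{base_url}/json.htm?{query}", timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:  # 401 etc. are raised, not returned
        return err.code
    except urllib.error.URLError:  # refused, e.g. the HTTP port after "-www 0"
        return None

def audit(base_url, queries=QUERIES):
    """Map each query to open / auth / unreachable, or the raw status code."""
    result = {}
    for query in queries:
        code = probe(base_url, query)
        result[query] = LABELS.get(code, code)
    return result

class StubDomoticz(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in, not Domoticz: getconfig answers, the rest is 401."""
    def do_GET(self):
        self.send_response(200 if "param=getconfig" in self.path else 401)
        self.end_headers()
        self.wfile.write(b"{}")
    def log_message(self, *args):
        pass  # keep the demo quiet

def demo():
    """Audit the stub on a free localhost port and return the result."""
    server = http.server.HTTPServer(("127.0.0.1", 0), StubDomoticz)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return audit(f"http://127.0.0.1:{server.server_port}")
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(demo())
```

Against a real server, call audit() with the HTTPS base URL from a machine that is not covered by the "Local Networks (no username/password)" setting. A certificate that fails verification (for example a self-signed one) is also reported as "unreachable".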