Dashticz and Domoticz beta > 14857

Post by magicduck »

Hello,

According to https://www.domoticz.com/wiki/Security, access to the API with user and password in the URL is not accepted anymore.

For unknown reasons (trying to figure out why), the whitelisting on Domoticz doesn't seem to work on my system (trying to figure out why), so access to json.htm is answered with a 401.

So all my dashticz screens are now... dead.

Do we have an alternative to provide Dashticz access with "random" source IPs?

Regards,
Xavier

Post by Lokonli »

This weekend I'll have a look at the new Domoticz access management mechanisms. Maybe you can help testing.


Post by kiddigital »

Try running your Domoticz with some debug flags. Running with ‘-loglevel all -debuglevel auth,webserver,received’ might provide the information you need to identify why the trusted network is not accepting the requests.
One RPi with Domoticz, RFX433e, aeon labs z-wave plus stick GEN5, ha-bridge 5.4.0 for Alexa, Philips Hue Bridge, Pimoroni Automation Hat
One RPi with Pi foundation standard touch screen to display Dashticz

Post by magicduck »

My Domoticz is behind nginx.
I have this in the location:

location / {
    rewrite /(.*) /$1 break;
    proxy_connect_timeout 60;
    proxy_read_timeout    60;
    proxy_send_timeout    60;
    proxy_intercept_errors off;
    proxy_http_version      1.1;
    proxy_set_header        Host            $http_host;
    # Client address as seen by nginx, passed on to Domoticz
    proxy_set_header        X-Real-IP       $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    # Header name uses hyphens (the original post had X-Forwarded_Proto)
    proxy_set_header        X-Forwarded-Proto       $scheme;
    # WebSocket upgrade headers
    proxy_set_header        Upgrade $http_upgrade;
    proxy_set_header        Connection "upgrade";
    proxy_pass http://localhost:8080/;
    client_max_body_size 10m;
}

For some reason, it seems that Domoticz doesn't get the right IP (well, no logs anywhere), so I did a quick hack: I opened a port for my Dashticz with X-Real-IP / X-Forwarded-For removed, and this fixes it (not the best way, but it works).

Post by magicduck »

Or maybe this is because my Dashticz clients are dual stack and the code that handles the IP address whitelist is not as good as it should be. As a network engineer, I am always shocked by 127.0.0.*;192.168.0.* instead of CIDR... (will have to find the code and propose a PR...)

Post by kiddigital »

If you run Domoticz with the debug flags mentioned, you will see logging showing what the Domoticz webserver receives (including headers), and I'm sure that with your networking skills you can quickly find what is wrong.

And yes, totally agree about the ‘bad’ way the Trusted network address ranges are currently configured.

Only problem is that users easily understand the asterisk (*) way and often do not know how to specify proper CIDR notation.

I have been considering translating them on the fly, meaning input of i.e. 172.21.0.* would be stored and represented back to the user as 172.21.0.0/24 and single IP addresses as x.x.x.x/32, etc. But also the current masking check has to be updated to do proper netmasking. And IPv6 support should be added as well.

Looking forward to your PR (and I will gladly assist).

BTW, check out the recent changes in the Beta on proxy handling. Should be much improved.
One RPi with Domoticz, RFX433e, aeon labs z-wave plus stick GEN5, ha-bridge 5.4.0 for Alexa, Philips Hue Bridge, Pimoroni Automation Hat
One RPi with Pi foundation standard touch screen to display Dashticz
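
The wildcard-to-CIDR translation and netmask check discussed in the last post, combined with the reverse-proxy and dual-stack cases from the nginx posts, as an added Python sketch that is not Domoticz code. All function names and the sample networks are assumptions made for illustration; how Domoticz itself derives the client address is not shown in this thread.

```python
import ipaddress

def wildcard_to_cidr(entry):
    """'172.21.0.*' -> 172.21.0.0/24; CIDR and single addresses pass through."""
    entry = entry.strip()
    if "*" not in entry:
        return ipaddress.ip_network(entry, strict=False)  # single IP -> /32 or /128
    octets = entry.split(".")
    fixed = octets.index("*")  # ValueError if '*' is not a whole octet
    if len(octets) != 4 or any(o != "*" for o in octets[fixed:]):
        raise ValueError(f"only trailing IPv4 wildcards are supported: {entry!r}")
    base = ".".join(octets[:fixed] + ["0"] * (4 - fixed))
    return ipaddress.ip_network(f"{base}/{8 * fixed}")

def parse_networks(setting):
    return [wildcard_to_cidr(e) for e in setting.split(";") if e.strip()]

def normalise(addr):
    """Parse an address; unwrap ::ffff:a.b.c.d as seen on a dual-stack listener."""
    ip = ipaddress.ip_address(addr.strip())
    mapped = getattr(ip, "ipv4_mapped", None)
    return ip if mapped is None else mapped

def client_ip(peer, xff, proxies):
    """Right-most hop that is not one of our own proxies; XFF from other peers is ignored."""
    hops = [h for h in (xff or "").split(",") if h.strip()] + [peer]
    for hop in reversed(hops):
        ip = normalise(hop)
        if not any(ip in net for net in proxies):
            return ip
    return normalise(hops[0])  # every hop was a proxy

def is_trusted(peer, xff, trusted, proxies):
    try:
        ip = client_ip(peer, xff, proxies)
    except ValueError:  # malformed header value: fail closed
        return False
    return any(ip in net for net in trusted)

# Constructed sample settings, not taken from any real installation.
TRUSTED = parse_networks("127.0.0.*;192.168.0.*;2001:db8:1::/64")
PROXIES = parse_networks("127.0.0.1;::1")

if __name__ == "__main__":
    for peer, xff in [("::ffff:192.168.0.23", None), ("127.0.0.1", "203.0.113.9"),
                      ("203.0.113.9", "192.168.0.5"), ("127.0.0.1", "192.168.0.5")]:
        print(peer, xff, is_trusted(peer, xff, TRUSTED, PROXIES))
```

The second and third sample rows are the ones to watch: a remote client arriving through the local proxy must not inherit the 127.0.0.* entry, and a direct client must not gain trust by sending its own X-Forwarded-For.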