Hello,
According to https://www.domoticz.com/wiki/Security, access to the API with user and password in the URL is not accepted anymore.
For unknown reasons (trying to figure out why), the whitelisting on Domoticz doesn't seem to work on my system, so access to json.htm returns a 401.
So all my Dashticz screens are now... dead.
Do we have an alternative to provide Dashticz access with "random" source IPs?
Regards,
Xavier
Dashticz and Domoticz beta > 14857
Re: Dashticz and Domoticz beta > 14857
magicduck wrote:
> Hello,
> According to https://www.domoticz.com/wiki/Security, access to the API with user and password in the URL is not accepted anymore.
> For unknown reasons (trying to figure out why), the whitelisting on Domoticz doesn't seem to work on my system, so access to json.htm returns a 401.
> So all my Dashticz screens are now... dead.
> Do we have an alternative to provide Dashticz access with "random" source IPs?
> Regards,
> Xavier

This weekend I'll have a look at the new Domoticz access management mechanisms. Maybe you can help testing.
Sent from my SM-A526B with Tapatalk
- kiddigital
Re: Dashticz and Domoticz beta > 14857
Try running your Domoticz with some debug flags. Running with ‘-loglevel all -debuglevel auth,webserver,received’ might provide the information you need to identify why the trusted network is not accepting the requests.
One RPi with Domoticz, RFX433e, aeon labs z-wave plus stick GEN5, ha-bridge 5.4.0 for Alexa, Philips Hue Bridge, Pimoroni Automation Hat
One RPi with Pi foundation standard touch screen to display Dashticz
One RPi with Pi foundation standard touch screen to display Dashticz
Re: Dashticz and Domoticz beta > 14857
My Domoticz is behind nginx.
For some reason, it seems that Domoticz doesn't get the right IP (well, no logs anywhere), so I did a quick hack: I opened a port for my Dashticz with X-Real-IP / X-Forwarded-For removed, and this fixes it (not the best way, but it works).
I have this on the location:
location / {
    rewrite /(.*) /$1 break;
    proxy_connect_timeout 60;
    proxy_read_timeout 60;
    proxy_send_timeout 60;
    proxy_intercept_errors off;
    proxy_http_version 1.1;
    proxy_set_header Host $http_host;
    # Pass the address of the connecting client on to Domoticz
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Header name uses hyphens (was X-Forwarded_Proto)
    proxy_set_header X-Forwarded-Proto $scheme;
    # WebSocket upgrade
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_pass http://localhost:8080/;
    client_max_body_size 10m;
}
Re: Dashticz and Domoticz beta > 14857
Or maybe this is because my Dashticz are dual stack and the code that handles the IP address whitelist is not as good as it should be. As a network engineer, I am always shocked by 127.0.0.*;192.168.0.* instead of CIDR... (I will have to find the code and propose a PR...)
- kiddigital
- Posts: 435
- Joined: Thursday 10 August 2017 6:52
- Target OS: Raspberry Pi / ODroid
- Domoticz version: Beta
- Location: Netherlands
- Contact:
Dashticz and Domoticz beta > 14857
If you run Domoticz with the debug flags mentioned, you will see logging showing what the Domoticz webserver receives (including headers), and for sure, with your networking skills, you can quickly find what is wrong.
And yes, totally agree about the ‘bad’ way the Trusted network address ranges are currently configured.
Only problem is that users easily understand the asterisk (*) way and often do not know how to specify proper CIDR notation.
I have been considering translating them on the fly, meaning input of i.e. 172.21.0.* would be stored and represented back to the user as 172.21.0.0/24 and single IP addresses as x.x.x.x/32, etc. But also the current masking check has to be updated to do proper netmasking. And IPv6 support should be added as well.
Looking forward to your PR (and I will gladly assist).
BTW, check out the recent changes in the Beta on proxy handling. Should be much improved.
One RPi with Domoticz, RFX433e, aeon labs z-wave plus stick GEN5, ha-bridge 5.4.0 for Alexa, Philips Hue Bridge, Pimoroni Automation Hat
One RPi with Pi foundation standard touch screen to display Dashticz
One RPi with Pi foundation standard touch screen to display Dashticz
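
The on-the-fly translation discussed in the thread (wildcard entries stored as CIDR, single addresses as /32, a real netmask comparison, IPv6 entries), sketched as an added example; it is not Domoticz code and not part of any post. The function names, the rejection of non-trailing wildcards and the unwrapping of IPv4-mapped IPv6 addresses are assumptions of this example.

```python
import ipaddress


def to_network(entry):
    """Translate one trusted-network entry into a CIDR network object.

    Accepts trailing-wildcard IPv4 ("172.21.0.*"), a single address
    (becomes /32 or /128), or CIDR notation for IPv4 and IPv6.
    """
    entry = entry.strip()
    if "*" not in entry:
        # strict=True rejects entries with host bits set, e.g. 10.0.0.5/24
        return ipaddress.ip_network(entry, strict=True)
    octets = entry.split(".")
    fixed = [o for o in octets if o != "*"]
    # Only trailing wildcards map onto one prefix: a.b.c.* yes, a.*.c.d no.
    # "*.*.*.*" is rejected too (assumption: trusting everything must be explicit).
    if len(octets) != 4 or not fixed or octets[:len(fixed)] != fixed:
        raise ValueError(f"cannot express {entry!r} as one CIDR prefix")
    base = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.ip_network(f"{base}/{8 * len(fixed)}")


def parse_trusted(setting):
    """Parse a ';'-separated list such as "127.0.0.*;192.168.0.*"."""
    return [to_network(e) for e in setting.split(";") if e.strip()]


def is_trusted(client, networks):
    """Netmask comparison of one client address against the parsed list."""
    ip = ipaddress.ip_address(client)
    # On a dual-stack listener an IPv4 peer is reported as ::ffff:a.b.c.d;
    # unwrap it so IPv4 entries still match.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip.version == net.version and ip in net for net in networks)


if __name__ == "__main__":
    # Constructed sample setting and client addresses
    nets = parse_trusted("127.0.0.*;192.168.0.*;fd00::/8")
    print([str(n) for n in nets])
    for client in ("192.168.0.77", "::ffff:192.168.0.77", "192.168.1.77", "fd12::5"):
        print(client, is_trusted(client, nets))
```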