Nginx reverse proxy and Domoticz with no authentication on local network

On various Hardware and OS systems: pi / windows / routers / nas, etc

Nautilus
Posts: 722
Joined: Friday 02 October 2015 12:12
Target OS: Raspberry Pi / ODroid
Domoticz version: beta
Location: Finland
Contact:

Nginx reverse proxy and Domoticz with no authentication on local network

Post by Nautilus »

Hi,

I just tested the Nginx reverse proxy as described in the wiki. It worked quite nicely, but I was still wondering about one thing: my authentication setup in Domoticz is such that I do not require authentication on the local network, and since Nginx connects from a local IP, it seems Domoticz does not require any authentication via this gateway either, which I guess is expected.

Is there any way, without changing the Domoticz auth setup, to force an authentication page via the Nginx reverse proxy? What is the usual approach to the Domoticz authentication setup when using an Nginx reverse proxy: no authentication (just the certificate), no local authentication, or authentication on both the local and external networks?

I also came to realize that if I proxy iframes for a custom template from some other web page, that page becomes publicly available at the location defined in the configuration. I wonder if there is any way to proxy these pages so that they are served only via the Domoticz custom template page?

Finally, is anyone using iOS Pilot app with Nginx reverse proxy setup ( = does it work)?

Re: Nginx reverse proxy and Domoticz with no authentication on local network

Post by Nautilus »

gordonb3 wrote: I use no authentication in Domoticz. Security to the outside world is provided by x509 client restriction.
Thanks for the reply, I thought that this might be the most common way to use it. As it is Domoticz that handles the SSO, then I guess this approach would not expose pages proxied through iframes for custom templates (https://www.domoticz.com/wiki/Secure_Ng ... _Templates) to the external network either...?

Do you happen to use Pilot or any other 3rd party app for iOS or Android (which would support this)?

Re: Nginx reverse proxy and Domoticz with no authentication on local network

Post by Nautilus »

gordonb3 wrote: You can either shield the whole web root or individual folders. I prefer the latter myself and then use PHP to test whether a valid x509 client certificate is available so I can display alternate versions of a home page. This also allows me to access certain pages from untrusted devices, e.g. access webmail from an internet cafe.

I actually do not use any such device to access Domoticz (yet).
Ok, interesting. I thought that even with x509 you need to use the single sign-on approach if you want to securely access Domoticz. But you have authentication completely disabled in Domoticz? Mind sharing which kind of conf this (shield individual folders, Domoticz without any authentication) requires? :)

Anyone using Nginx reverse proxy with just Domoticz authentication (without x509)?
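The per-location x509 gating gordonb3 describes above, written out as an added nginx example; this is not configuration from the thread or from the Domoticz wiki. Assumptions: the CA that issued the client certificates is at /etc/ssl/ca/clientca.crt, Domoticz runs with its own authentication disabled and listens on 127.0.0.1:8080, and the hostname home.example.org and the /public/ path are placeholders for an installation's own values.

```nginx
# Added example: Nginx asks every client for an x509 certificate but only
# rejects requests at the locations that need it, so a public part of the
# site stays reachable from untrusted devices while Domoticz does not.
server {
    listen 443 ssl;
    server_name home.example.org;               # assumed hostname

    ssl_certificate         /etc/ssl/ca/server.crt;
    ssl_certificate_key     /etc/ssl/ca/server.key;
    ssl_protocols           TLSv1.2 TLSv1.3;

    # "optional": request a client certificate, verify it against our CA if
    # presented, but do not abort the handshake without one.  The result is
    # left in $ssl_client_verify (SUCCESS, NONE or FAILED:<reason>).
    ssl_client_certificate  /etc/ssl/ca/clientca.crt;   # assumed CA path
    ssl_verify_client       optional;
    ssl_verify_depth        2;

    # Public part: served to anyone, certificate or not.
    location /public/ {                          # assumed path
        root /var/www;
    }

    # Domoticz, and anything proxied for its custom-template iframes, must
    # live under a gated location like this one.  A separate, ungated
    # location would be reachable by anyone who knows the path.
    location / {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # Verified subject DN, useful in the backend's logs.
        proxy_set_header X-Client-DN       $ssl_client_s_dn;
    }
}
```

Because Domoticz itself trusts every connection arriving from the proxy, its own TCP port must not be reachable from anywhere but the proxy: bind it to the loopback interface or block port 8080 in the host firewall, otherwise a LAN client simply connects to Domoticz directly and the certificate check never happens.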
User avatar
jvdz
Posts: 2336
Joined: Tuesday 30 December 2014 19:25
Target OS: Raspberry Pi / ODroid
Domoticz version: 4.107
Location: Netherlands
Contact:

Re: Nginx reverse proxy and Domoticz with no authentication on local network

Post by jvdz »

I've added the same userid/password combination to NGINX so the same userid and password can/must be used from outside.
Fail2Ban is monitoring the NGINX logs to ban anybody trying to access the system without, or with a wrong, userid/pw combo.

Jos
New Garbage collection scripts: https://github.com/jvanderzande/GarbageCalendar

Re: Nginx reverse proxy and Domoticz with no authentication on local network

Post by Nautilus »

Thanks for sharing gordonb3!
jvdz wrote: I've added the same userid/password combination to NGINX so the same userid and password can/must be used from outside.
Fail2Ban is monitoring the NGINX logs to ban anybody trying to access the system without or wrong userid/pw combo.

Jos
Do you mean you have set up a .htpasswd file (with apache2-utils?) with the same username and password as Domoticz? This would probably also allow using a third-party app like Pilot (I would think that from the app's viewpoint it would be just like logging directly in to Domoticz with basic auth enabled)?

What do you think, how does this compare to x509 authentication from security perspective?

Re: Nginx reverse proxy and Domoticz with no authentication on local network

Post by jvdz »

The .htpasswd file is defined in the nginx config file:

   auth_basic "Restricted";                    # For Basic Auth
   auth_basic_user_file /etc/nginx/.htpasswd;  # For Basic Auth
and users are defined with:

   sudo htpasswd -c /etc/nginx/.htpasswd <username>
Jos

Re: Nginx reverse proxy and Domoticz with no authentication on local network

Post by Nautilus »

jvdz wrote: The .htpasswd file is defined in the nginx config file:

   auth_basic "Restricted";                    # For Basic Auth
   auth_basic_user_file /etc/nginx/.htpasswd;  # For Basic Auth
and users are defined with:

   sudo htpasswd -c /etc/nginx/.htpasswd <username>
Jos
Right, and I take it that you also force https with an SSL certificate, something similar to here?

Re: Nginx reverse proxy and Domoticz with no authentication on local network

Post by jvdz »

I have the basic setup that was initially part of the SD image and originally documented in the WiKi (this has now changed), just adapted a little as far as the port to proxy.
Also added the userid's and passwords to ensure that is required to get access.

This is the domoticz file in sites-enabled (only replaced the port number for XXXX) :

   access_log off;
   add_header Cache-Control public;
   server_tokens off;
   server  {
      include    /etc/nginx/proxy_params;
      listen XXXX ssl;                 # "ssl" on the listen line enables TLS
      keepalive_timeout 70;
      server_name localhost;
      # ssl on;  -- deprecated since nginx 1.15 and rejected by current
      #             versions; the "ssl" parameter of listen replaces it
      ssl_certificate             /etc/ssl/ca/server.crt;
      ssl_certificate_key         /etc/ssl/ca/server.key;
      add_header X-Frame-Options SAMEORIGIN;
      location / {
        proxy_pass http://localhost:8080;
        access_log /var/log/nginx/domoticz.access.log;
        error_log /var/log/nginx/domoticz.error.log;
      }
   }
.. and as mentioned: I've also set up fail2ban to monitor the NGINX logfiles for anybody trying to access my system, banning them after 2 mistakes for 10 minutes, and when they try again within 24 hours, they get banned for a week.

Jos
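The basic-auth setup from this post written out in full as an added example; it is not jvdz's configuration nor the wiki's. It is extended in the one way the opening post asks about: with `satisfy any` plus an `allow` for the LAN, Nginx reproduces Domoticz's "no authentication on local network" rule itself, so the Domoticz setting can stay as it is while every other client must present credentials at the proxy. Assumed values: the LAN is 192.168.1.0/24, the hostname is home.example.org, Domoticz listens on 127.0.0.1:8080, and the /weather/ location with its backend 192.168.1.50 stands in for a page proxied into a custom-template iframe.

```nginx
# Added example: Nginx enforces the authentication that Domoticz skips for
# connections arriving from the proxy's local address.

# Plain HTTP only redirects; basic-auth credentials must never travel in clear.
server {
    listen 80;
    server_name home.example.org;                 # assumed hostname
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name home.example.org;

    ssl_certificate      /etc/ssl/ca/server.crt;
    ssl_certificate_key  /etc/ssl/ca/server.key;
    ssl_protocols        TLSv1.2 TLSv1.3;
    server_tokens        off;

    add_header X-Frame-Options SAMEORIGIN always;
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Rejected logins are written to the error log; that is the file a
    # fail2ban filter for nginx basic auth has to watch.
    access_log /var/log/nginx/domoticz.access.log;
    error_log  /var/log/nginx/domoticz.error.log;

    # "satisfy any": a request passes if EITHER its source address is allowed
    # OR it carries valid basic-auth credentials.  Delete the LAN allow line
    # to require the password on the local network as well.
    satisfy any;
    allow 192.168.1.0/24;                         # assumed LAN
    allow 127.0.0.1;
    deny  all;
    auth_basic           "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;

    location / {
        proxy_pass http://127.0.0.1:8080;
        include    /etc/nginx/proxy_params;       # Host, X-Real-IP, X-Forwarded-*
    }

    # A page proxied for a custom-template iframe.  The access directives
    # above are inherited by every location in this server block, so this
    # path is protected exactly like Domoticz itself and is not reachable
    # anonymously just because it has its own location.
    location /weather/ {                          # assumed path
        proxy_pass http://192.168.1.50/;          # assumed backend
        include    /etc/nginx/proxy_params;
    }
}
```

Two checks belong with this. First, Domoticz's own port must not remain reachable beside the proxy: if 8080 is open on the LAN or forwarded by the router, a client connects to it directly and Domoticz's local-network exemption applies again, so bind Domoticz to the loopback interface or block the port in the host firewall. Second, from outside the LAN, a request to /json.htm without credentials should come back as 401, and one with the htpasswd credentials as 200; the same is true for the iframe path. Each rejected attempt leaves a "user ... was not found" or "password mismatch" line in the error log, which is what a two-strikes fail2ban jail of the kind described in the post keys on.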

Re: Nginx reverse proxy and Domoticz with no authentication on local network

Post by Nautilus »

Thanks a lot, will definitely look into these options in more detail...:)