Dashticz - Safety (no access from outside your network)

Dashticz, alternative dashboard based on HTML, CSS, jQuery

Moderators: leecollings, htilburgs, robgeerts

lukev
Posts: 66
Joined: Friday 21 October 2016 10:42
Target OS: NAS (Synology & others)
Domoticz version:
Contact:

Dashticz - Safety (no access from outside your network)

Post by lukev »

Hi all,

This afternoon a Dashticz user pointed me to quite a security breach in my setup. My dashboard was placed on a webserver, which was accessible from the internet (because I host several websites).

Via this method it's fairly easy to read personal information like login credentials and/or API-codes.
I removed the dashboard from my webfolder, but now I am looking for an alternative way to safely access the dashboard, only from within my own house. The WWW-folder of Domoticz is not an option, because Domoticz itself is accessible from the internet (with login). That comes in handy sometimes to put on light, heating, etc. Or to read out motion sensors when the alarm triggers.

But placed in the WWW-directory, all the credentials are also readable.

I can place the files somewhere else on my network, but then I have problems with showing the dashboard on my dedicated android tab in my house. By my knowledge it (e.g. Chrome) cannot show webfiles from a random network location.

So my question: how do you guys safely use this dashboard??
Ierlandfan
Posts: 89
Joined: Friday 09 October 2015 17:40
Target OS: Linux
Domoticz version:
Contact:

Re: Dashticz - safety

Post by Ierlandfan »

By my knowledge it (e.g. Chrome) cannot show webfiles from a random network location.
Just to make sure:
You mean that
http://192.168.x.y/dashticz/index.html
cannot be displayed by your android device?
niceandeasy
Posts: 102
Joined: Thursday 28 January 2016 22:25
Target OS: Raspberry Pi / ODroid
Domoticz version: 3.8153
Location: NL
Contact:

Re: Dashticz - safety

Post by niceandeasy »

I just placed an .htaccess file in the root of my Dashticz directory on my web server.
If your webserver runs on Apache, this should work. If you're running an old version of Apache, you may need to use a different syntax (google it), or just update your Apache.

So, the file name is: .htaccess
It contains this line: Require ip 192.168.1.0/24

Where 192.168.1.0/24 (or 192.168.1.x mask 255.255.255.0) is your own network.

It is not ideal, it shows an http 403 error instead of 404 but at least it is inaccessible. It also blocks the contents of Dashticz's subdirectories.
lukev
Posts: 66
Joined: Friday 21 October 2016 10:42
Target OS: NAS (Synology & others)
Domoticz version:
Contact:

Re: Dashticz - safety

Post by lukev »

Ierlandfan wrote:

Just to make sure:
You mean that
http://192.168.x.y/dashticz/index.html
cannot be displayed by your android device?

Yes it can, but that requires for the index.html to be on a webserver?

If I put it somewhere else on my network, it would require some other protocol like smb or nfs or something like that.
robgeerts
Posts: 1273
Joined: Saturday 24 January 2015 22:12
Target OS: NAS (Synology & others)
Domoticz version: 3.7067
Location: NL
Contact:

Re: Dashticz - Safety (no access from outside your network)

Post by robgeerts »

Use the htaccess solution from @niceandeasy on your webserver...
HansieNL
Posts: 964
Joined: Monday 28 September 2015 15:13
Target OS: Raspberry Pi / ODroid
Domoticz version:
Contact:

Re: Dashticz - Safety (no access from outside your network)

Post by HansieNL »

I'm using a Raspberry Pi running Domoticz and have also lighttpd installed as 2nd webserver just for internal use. There are no ports forwarded to this webserver so should be safe.
Blah blah blah
asjmcguire
Posts: 71
Joined: Saturday 13 July 2013 2:45
Target OS: Linux
Domoticz version: 3.5877
Location: Scotland
Contact:

Re: Dashticz - Safety (no access from outside your network)

Post by asjmcguire »

It's trivial to install Nginx or Apache or something on any computer - including the Domoticz one - and host other web content - that is not accessible from the internet. You just have to make sure it's being served on a port that the router is not port forwarding.

Nginx: https://www.digitalocean.com/community/ ... untu-16-04
AEOTEC ZStick, 11 ZWave Nodes, RFXCOMM, 50ish Byron Sockets.. HE851 (PIR), 2x HE852 (DoorContact)
WS2300, CM180, CC128, 2xTHGR122NX, 2xPiZeroW w/DS18B20, 8Ch 1W Relay Board.
8 Panasonic IP Cams, 1 16ch CCTV DVR + 15 CCTV Cams
Grove
Posts: 13
Joined: Wednesday 01 June 2016 20:20
Target OS: NAS (Synology & others)
Domoticz version:
Contact:

Re: Dashticz - Safety (no access from outside your network)

Post by Grove »

On Synology the .htaccess method isn't working for me.
Is there someone that has this successfully implemented on a Synology?
qwerk
Posts: 222
Joined: Tuesday 22 July 2014 7:21
Target OS: Raspberry Pi / ODroid
Domoticz version: beta
Location: Netherlands
Contact:

Re: Dashticz - Safety (no access from outside your network)

Post by qwerk »

I used a Dutch manual yesterday. That worked for me.
https://www.synology.com/nl-nl/knowledg ... ged_access
Egregius
Posts: 2589
Joined: Thursday 09 April 2015 12:19
Target OS: Linux
Domoticz version: v2024.7
Location: Beitem, BE
Contact:

Re: Dashticz - Safety (no access from outside your network)

Post by Egregius »

Grove wrote: On Synology the .htaccess method isn't working for me.
Is there someone that has this successfully implemented on a Synology?
.htaccess works only with Apache 2.2 on a Syno
Grove
Posts: 13
Joined: Wednesday 01 June 2016 20:20
Target OS: NAS (Synology & others)
Domoticz version:
Contact:

Re: Dashticz - Safety (no access from outside your network)

Post by Grove »

The Apache backend is configured as version 2.2. But the .htaccess doesn't have any effect. So I was wondering if somebody had this implemented and how.
qwerk
Posts: 222
Joined: Tuesday 22 July 2014 7:21
Target OS: Raspberry Pi / ODroid
Domoticz version: beta
Location: Netherlands
Contact:

Re: Dashticz - Safety (no access from outside your network)

Post by qwerk »

Grove wrote: The Apache backend is configured as version 2.2. But the .htaccess doesn't have any effect. So I was wondering if somebody had this implemented and how.

Hi Grove,

Did you follow the manual I gave (two replies above)?
I followed it step by step and it is working on Synology 6.1 and Apache 2.2 backend.
Grove
Posts: 13
Joined: Wednesday 01 June 2016 20:20
Target OS: NAS (Synology & others)
Domoticz version:
Contact:

Re: Dashticz - Safety (no access from outside your network)

Post by Grove »

Hi Qwerk,

Did you do it on the Dashticz site?

On other sites, I did already implement a password requirement for accessing it but on the Dashticz it isn't working for some reason.
lukev
Posts: 66
Joined: Friday 21 October 2016 10:42
Target OS: NAS (Synology & others)
Domoticz version:
Contact:

Re: Dashticz - Safety (no access from outside your network)

Post by lukev »

Strange, I'm on a Synology and the htaccess solution works for me.
qwerk
Posts: 222
Joined: Tuesday 22 July 2014 7:21
Target OS: Raspberry Pi / ODroid
Domoticz version: beta
Location: Netherlands
Contact:

Re: Dashticz - Safety (no access from outside your network)

Post by qwerk »

Grove wrote: Hi Qwerk,

Did you do it on the Dashticz site?

On other sites, I did already implement a password requirement for accessing it but on the Dashticz it isn't working for some reason.

My Domoticz is running on a Pi, but Dashticz is running on a Synology.
The Dashticz site is protected by htaccess.

So, your Synology can handle htaccess for a number of sites.
Dashticz is also running on the same Synology.
You have Apache 2.2 as backend, do you have PHP configured?
Is there any nginx running?
Can you access your Dashticz site?
Grove
Posts: 13
Joined: Wednesday 01 June 2016 20:20
Target OS: NAS (Synology & others)
Domoticz version:
Contact:

Re: Dashticz - Safety (no access from outside your network)

Post by Grove »

Hi qwerk,

I've copied the directory from ..../domoticz/www to .../web from the Synology itself and now it is working.
I think domoticz is running on a nginx server.

Thanks for your support
niceandeasy
Posts: 102
Joined: Thursday 28 January 2016 22:25
Target OS: Raspberry Pi / ODroid
Domoticz version: 3.8153
Location: NL
Contact:

Re: Dashticz - Safety (no access from outside your network)

Post by niceandeasy »

Grove wrote: Hi qwerk,

I've copied the directory from ..../domoticz/www to .../web from the Synology itself and now it is working.
I think domoticz is running on a nginx server.

Thanks for your support
This is how I did it, too.
Domoticz lives on a Raspberry. Dashticz is on my web server: a Synology. The Syno has Apache and supports .htaccess. Domoticz does not.
Dynamic
Posts: 109
Joined: Friday 12 July 2013 14:50
Target OS: -
Domoticz version:
Location: Enschede
Contact:

Re: Dashticz - Safety (no access from outside your network)

Post by Dynamic »

Is there a way to protect Dashticz on a Raspberry?
edwin
Posts: 11
Joined: Wednesday 30 November 2016 15:21
Target OS: Linux
Domoticz version:
Contact:

Re: Dashticz - Safety (no access from outside your network)

Post by edwin »

Dynamic wrote: Friday 11 August 2017 14:40 Is there a way to protect Dashticz on a Raspberry?
As far as I understand, you would need to run a separate webserver that uses htaccess or something similar (like nginx). The Domoticz internal webserver does not use it.

For my own setup, I don't have any access setup from outside, except ssh. I access my setup using port forwarding.
Recent beta (git) on Arch Linux | Dashticz v2 (git) | RFLink 46.0 | Ikea Trådfri | P1 Smart Meter
Luxtux
Posts: 31
Joined: Monday 14 August 2017 15:16
Target OS: Linux
Domoticz version: 2021.1 β
Location: Luxembourg
Contact:

Re: Dashticz - Safety (no access from outside your network)

Post by Luxtux »

The htaccess idea works, or you could put the Dashticz dashboard outside of your publicly available site root and add an alias that can only be accessed from within your own network or even just by specific IP addresses.

example: /etc/apache2/sites-available/mydomain.conf

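Code:

<VirtualHost *:80>
    # Placeholder address; the address is obscured in the original post
    ServerAdmin webmaster@example.com
    DocumentRoot /var/www/mydomain
    ServerAlias mydomain.com

    Alias /dashboard/ "/var/www/dashboard/"
    <Directory "/var/www/dashboard/">
        # Apache 2.2 access-control syntax. Comments must be on their own line:
        # text after a directive is parsed as further arguments, not as a comment.
        Order deny,allow
        Deny from all
        # allow all ip addresses in 10.10.10.x
        Allow from 10.10.10
        # allow only this ip
        Allow from 192.168.0.5
    </Directory>
</VirtualHost>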
everybody outside of your network will get this error
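
Added example, not part of the original thread: Apache does not accept a comment on the same line as a directive, so the words after a trailing # are passed to Allow from as further arguments, and the word all among them matches every client. The Python below is a simplified model of Order deny,allow with Deny from all, comparing trailing comments with comments on their own lines; the function names and both sample configs are constructed for illustration, and hostname arguments are ignored.

```python
import ipaddress
import re

# Constructed sample: trailing comments on the directive lines.
TRAILING = """\
Order deny,allow
Deny from all
Allow from 10.10.10 # allow all ip addresses
Allow from 192.168.0.5 # allow only this ip
"""

# Constructed sample: same rules, comments moved to their own lines.
OWN_LINE = """\
Order deny,allow
Deny from all
# allow all ip addresses in 10.10.10.x
Allow from 10.10.10
# allow only this ip
Allow from 192.168.0.5
"""

def allow_args(line):
    """Arguments handed to 'Allow from'; a '#' later in the line ends nothing."""
    words = line.split()
    if len(words) > 2 and [w.lower() for w in words[:2]] == ["allow", "from"]:
        return words[2:]
    return []

def to_network(arg):
    """CIDR, full or partial IPv4 address (10.10.10 -> 10.10.10.0/24), else None."""
    try:
        if "/" in arg:
            return ipaddress.ip_network(arg, strict=False)
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){0,3}", arg, re.ASCII):
            octets = arg.split(".")
            padded = ".".join(octets + ["0"] * (4 - len(octets)))
            return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")
    except ValueError:
        pass
    return None  # hostname-style argument: ignored in this simplified model

def is_allowed(config, client_ip):
    """Model of 'Order deny,allow' + 'Deny from all': any matching Allow wins."""
    ip = ipaddress.ip_address(client_ip)
    for line in config.splitlines():
        for arg in allow_args(line):
            net = to_network(arg)
            if arg.lower() == "all" or (net is not None and ip in net):
                return True
    return False
```

With the trailing-comment version, is_allowed(TRAILING, "203.0.113.7") is True for an outside address; with comments on their own lines it is False, while 10.10.10.x and 192.168.0.5 stay allowed.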