disable http & no password for "json.htm?type=command&param=getconfig"
Posted: Friday 14 August 2020 12:55
by gbonny
I have two questions regarding my installation of Domoticz 2020.2 on Ubuntu 18.04. I'm trying to make my Domoticz more secure.
1. How can I completely disable HTTP? I want to use HTTPS only.
I have searched the internet but couldn't find it.
2. I've set:
website security with a password in settings,
light switch protection with a password in settings
and security panel with a password in settings.
But I still can access https://domoticz/json.htm?type=command&param=getconfig without password.
Is this supposed to be? And isn't this a security issue?
Kind regards
Re: disable http & no password for "json.htm?type=command&param=getconfig"
Posted: Friday 14 August 2020 17:24
by waaren
gbonny wrote: ↑Friday 14 August 2020 12:55
1. How can I completely disable HTTP? I want to use HTTPS only.
Did you try to change
DAEMON_ARGS="$DAEMON_ARGS -www 8080"
in /etc/init.d/domoticz.sh and restart Domoticz after changing this?
If this is on your local network: what do you see in the settings page for "Local Networks (no username/password):"
Re: disable http & no password for "json.htm?type=command&param=getconfig"
Posted: Friday 14 August 2020 18:44
by gbonny
Thanks for pointing that one out, waaren.
It seems that worked out.
Regarding the "local network (no network password)" that one is empty.
I'm accessing domoticz on my local network, yes.
To point it a little bit more out.
"I still can access https://domoticz/json.htm?type=command&param=getconfig without password."
While this URL requires a password
https://domoticz/
So it's specifically json.htm?... that might have an issue?
Re: disable http & no password for "json.htm?type=command&param=getconfig"
Posted: Friday 14 August 2020 23:14
by waaren
gbonny wrote: ↑Friday 14 August 2020 18:44
So it's specifically json.htm?... that might have an issue?
No it is by design.
When you check other JSONs you will see some will work and some will return a 401 UNAUTHORIZED message based on the perceived risk/impact.
Re: disable http & no password for "json.htm?type=command&param=getconfig"
Posted: Monday 17 August 2020 20:33
by gbonny
waaren wrote: ↑Friday 14 August 2020 23:14
gbonny wrote: ↑Friday 14 August 2020 18:44
So it's specifically json.htm?... that might have an issue?
No it is by design.
When you check other JSONs you will see some will work and some will return a 401 UNAUTHORIZED message based on the perceived risk/impact.
Maybe a stupid question, but why isn't just simply everything: 401 UNAUTHORIZED? That's at least no risk/impact at all.
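An added example, not part of any post in this thread and not Domoticz code: a small audit script for your own installation that records which json.htm calls answer without credentials and which return 401, and confirms that the plain-HTTP port no longer accepts connections. The function names are hypothetical; the host name `domoticz`, the getconfig query and port 8080 are taken from the posts above.

```python
import socket
import urllib.error
import urllib.request

# Query from this thread; append the json.htm calls your own setup relies on.
QUERIES = ["type=command&param=getconfig"]


def probe(base_url, query, context=None, timeout=5):
    """Return the HTTP status of a GET on json.htm?<query> sent without credentials."""
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({}),               # talk to the box directly
        urllib.request.HTTPSHandler(context=context),  # SSLContext trusting your cert
    )
    url = f"{base_url.rstrip('/')}/json.htm?{query}"
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:              # 401, 403, ... arrive as exceptions
        return err.code


def audit(base_url, queries=QUERIES, context=None):
    """Label each query 'open' (200), 'protected' (401) or 'status NNN'."""
    labels = {200: "open", 401: "protected"}
    result = {}
    for query in queries:
        status = probe(base_url, query, context)
        result[query] = labels.get(status, f"status {status}")
    return result


def port_closed(host, port, timeout=3):
    """True when nothing accepts TCP connections on host:port (e.g. the old HTTP port)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return False
    except OSError:
        return True


if __name__ == "__main__":
    # Host name as used in the thread; 8080 is the port from the init-script line.
    for query, verdict in audit("https://domoticz").items():
        print(f"{verdict:>10}  json.htm?{query}")
    print("HTTP port 8080 closed:", port_closed("domoticz", 8080))
```

Run it from a machine outside any "Local Networks (no username/password)" range, otherwise every call will show as open regardless of the password settings.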