Difference between local Domoticz host access to localhost, 127.0.0.1 and eth0: IP address?
Posted: Thursday 20 May 2021 9:58
In one sentence, it feels like...
When I have users and passwords in Domoticz, no exceptions in 'Local Networks (no username/password):' and have a local session on my Domoticz server, I have full access to Domoticz by using urls to the eth0: IP address.
Am I right here? Is this the way it should be? I can use this in Python plugins to make JSON calls without having to authenticate, which is very convenient.
Details on my implementation and testing are below.
I am running Domoticz 2021.1 on Raspberry Pi 3 / 4 both with Buster and have some users defined on both installations.
I have no addresses on the Settings page in 'Local Networks (no username/password):'
It seems that when I run something on the Domoticz host and access Domoticz by using urls with the host eth0: IP address I can get data without logging in.
I can even create/delete devices and rooms and all I need.
I can do this for example from curl, Firefox and from python plugins on the Domoticz host itself as long as I use the eth0: IP address.
It does not work on the Domoticz host using localhost or 127.0.0.1 ( same for curl, Firefox and plugins)
I verified this on both Raspberries.
More details using curl may give a better understanding of my question :
I start a vnc session to my Pi and start a terminal session
I start : sqlitebrowser domoticz.db &
I check the table UserSessions and find it to be empty and it stays empty after the 4 commands below.
( I run https on port 444 because my apache is running on 443 already)
All 4 commands below give the same expected result :
<html><head><title>Unauthorized</title></head><body><h1>401 Unauthorized</h1></body></html>
curl -o - https://localhost:444/json.htm?type=custom_light_icons -k
Close sqlitebrowser and restart 'sqlitebrowser domoticz.db &' shows empty UserSessions
curl -o - http://localhost:8080/json.htm?type=custom_light_icons
Close sqlitebrowser and restart 'sqlitebrowser domoticz.db &' shows empty UserSessions
curl -o - http://127.0.0.1:8080/json.htm?type=custom_light_icons
Close sqlitebrowser and restart 'sqlitebrowser domoticz.db &' shows empty UserSessions
curl -o - https://127.0.0.1:444/json.htm?type=custom_light_icons -k
Close sqlitebrowser and restart 'sqlitebrowser domoticz.db &' shows empty UserSessions
So far so good, but now comes the surprise.
When I access by using the IP address of the eth0: interface where I used localhost or 127.0.0.1 before I get results.
curl -o - http://192.168.2.4:8080/json.htm?type=c ... ight_icons 2> /dev/null | head -n 5
{
"result" :
[
{
"description" : "Alarm",
Close sqlitebrowser and restart 'sqlitebrowser domoticz.db &' shows an entry without Username but with my LastUpdate and RemoteHost:
SessionID: "4b3e4ae726a9f376845233ef57683e28"
Username: ""
AuthToken: "db4b9ba4d9f2835be13e9ea4da053f67"
ExpirationDate: "2021-05-20 09:07:04"
RemoteHost: "192.168.2.4"
LastUpdate: "2021-05-20 08:57:04"
Normally when I use a username and password to log on I see a base64 encoded Username in that field.
I checked and https to the eth0: IP address on port 444 works too.
I did the same on my Pi 3 and have the same results.
As expected with what I experienced above....
I enter '127.0.0.*;192.168.2.*' on the Settings page in 'Local Networks (no username/password):'
I can get the info from anywhere on my LAN and on the Raspberry itself I can also access using 127.0.0.1 but not with localhost.
I still feel like...
When I have users and passwords in Domoticz, nothing in 'Local Networks (no username/password):' and have a local session on my Domoticz server, I have full access to Domoticz by using urls to the eth0: IP address.
Is this the way it was meant to be and will this stay this way ?
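An added example, not part of the original post: one way to audit the UserSessions table for the kind of row shown above, a session with an empty Username, and to decode the base64 user names of the others. The column names come from the post; the column types, the helper names and the second sample row are assumptions constructed for illustration.

```python
import base64
import sqlite3

# Assumed schema: column names are taken from the post, the types are a guess.
SCHEMA = """CREATE TABLE UserSessions (
    SessionID TEXT PRIMARY KEY, Username TEXT, AuthToken TEXT,
    ExpirationDate TEXT, RemoteHost TEXT, LastUpdate TEXT)"""

def decode_username(raw):
    """Return the decoded user name, or None for an empty (anonymous) field."""
    if not raw:
        return None
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return raw  # not base64 after all: report the stored value as-is

def audit_sessions(conn):
    """Split sessions into logged-in users and sessions without a user."""
    named, anonymous = [], []
    rows = conn.execute(
        "SELECT Username, RemoteHost, LastUpdate FROM UserSessions "
        "ORDER BY LastUpdate")
    for username, host, last_update in rows:
        user = decode_username(username)
        if user is None:
            anonymous.append((host, last_update))
        else:
            named.append((user, host, last_update))
    return named, anonymous

def build_sample_db():
    """Constructed sample: the post's row plus one made-up logged-in session."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO UserSessions VALUES (?,?,?,?,?,?)", [
        ("4b3e4ae726a9f376845233ef57683e28", "",
         "db4b9ba4d9f2835be13e9ea4da053f67", "2021-05-20 09:07:04",
         "192.168.2.4", "2021-05-20 08:57:04"),
        ("constructed-session-id", base64.b64encode(b"admin").decode(),
         "constructed-token", "2021-05-20 10:00:00",
         "192.168.2.20", "2021-05-20 09:50:00"),
    ])
    return conn

if __name__ == "__main__":
    named, anonymous = audit_sessions(build_sample_db())
    for host, seen in anonymous:
        print(f"session without user from {host}, last update {seen}")
    for user, host, seen in named:
        print(f"session for {user} from {host}, last update {seen}")
```

To run it against a real installation, pass `sqlite3.connect("domoticz.db")` to `audit_sessions` instead of the sample database, preferably on a copy of the file.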