Dashticz and Domoticz beta > 14857

Posted: Monday 23 January 2023 8:51
by magicduck
Hello,

According to https://www.domoticz.com/wiki/Security, access to the API with user and password in the URL is not accepted anymore.

For unknown reasons (trying to figure out why), the whitelisting on Domoticz doesn't seem to work on my system (trying to figure out why), so access to json.htm is returned with a 401.

So all my dashticz screens are now... dead.

Do we have an alternative to provide Dashticz access from "random" source IPs?

Regards,
Xavier

Re: Dashticz and Domoticz beta > 14857

Posted: Monday 23 January 2023 21:37
by Lokonli
magicduck wrote: Hello,

According to https://www.domoticz.com/wiki/Security, access to the API with user and password in the URL is not accepted anymore.

For unknown reasons (trying to figure out why), the whitelisting on Domoticz doesn't seem to work on my system (trying to figure out why), so access to json.htm is returned with a 401.

So all my dashticz screens are now... dead.

Do we have an alternative to provide Dashticz access from "random" source IPs?

Regards,
Xavier
This weekend I'll have a look at the new Domoticz access management mechanisms. Maybe you can help testing.

Sent from my SM-A526B using Tapatalk


Re: Dashticz and Domoticz beta > 14857

Posted: Tuesday 24 January 2023 7:18
by kiddigital
Try running your Domoticz with some debug flags. Running with ‘-loglevel all -debuglevel auth,webserver,received’ might provide the information you need to identify why the trusted network is not accepting the requests.

Re: Dashticz and Domoticz beta > 14857

Posted: Tuesday 24 January 2023 11:54
by magicduck
My Domoticz is behind an nginx.
I have this in the location block:

location / {
    rewrite /(.*) /$1 break;
    proxy_connect_timeout 60;
    proxy_read_timeout    60;
    proxy_send_timeout    60;
    proxy_intercept_errors off;
    proxy_http_version    1.1;
    proxy_set_header      Host              $http_host;
    # Client address headers: Domoticz needs these to see the real
    # source IP instead of the proxy's own address when it checks the
    # trusted-network list.
    proxy_set_header      X-Real-IP         $remote_addr;
    proxy_set_header      X-Forwarded-For   $proxy_add_x_forwarded_for;
    # Header name fixed: the original had an underscore (X-Forwarded_Proto),
    # which nginx drops by default and no backend recognises.
    proxy_set_header      X-Forwarded-Proto $scheme;
    # Websocket upgrade passthrough.
    proxy_set_header      Upgrade           $http_upgrade;
    proxy_set_header      Connection        "upgrade";
    proxy_pass            http://localhost:8080/;
    client_max_body_size  10m;
}
For some reason, it seems that Domoticz doesn't get the right IP (well, no logs anywhere), so I did a quick hack: I opened a separate port for my Dashticz with X-Real-IP / X-Forwarded-For removed, and this fixed it (not the best way, but it works).

Re: Dashticz and Domoticz beta > 14857

Posted: Tuesday 24 January 2023 11:56
by magicduck
Or maybe this is because my Dashticz is dual stack and the code that handles the IP address whitelist is not as good as it should be. As a network engineer, I am always shocked by 127.0.0.*;192.168.0.* instead of using CIDR... (will have to find the code and propose a PR...)

Dashticz and Domoticz beta > 14857

Posted: Tuesday 24 January 2023 21:55
by kiddigital
If you run Domoticz with these debug flags mentioned, you will see logging showing what the Domoticz webserver receives (including headers) and for sure that with your networking skills you can quickly find what is wrong.

And yes, totally agree about the ‘bad’ way the Trusted network address ranges are currently configured.

Only problem is that users easily understand the asterisk (*) way and often do not know how to specify proper CIDR notation.

I have been considering translating them on the fly, meaning input of e.g. 172.21.0.* would be stored and represented back to the user as 172.21.0.0/24 and single IP addresses as x.x.x.x/32, etc. But the current masking check also has to be updated to do proper netmasking. And IPv6 support should be added as well.

Looking forward to your PR (and I will gladly assist).

BTW, check out the recent changes in the beta on proxy handling. It should be much improved.
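The on-the-fly translation and proper netmask check that kiddigital sketches above, as an added example written for this thread (not Domoticz's own code): legacy asterisk entries become CIDR networks, single addresses become /32 or /128, membership is tested with real prefix matching for both IPv4 and IPv6, and an IPv4-mapped IPv6 client (the dual-stack case magicduck suspects) is unwrapped so IPv4 ranges still match. The trusted-network strings are constructed sample values.

```python
import ipaddress
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def wildcard_to_cidr(entry: str) -> Network:
    """Translate one trusted-network entry to a CIDR network.

    Accepts the legacy asterisk form ('172.21.0.*' -> 172.21.0.0/24),
    a plain address (stored as /32 or /128) or an explicit prefix."""
    entry = entry.strip()
    if "*" in entry:
        octets = entry.split(".")
        # Wildcards are IPv4-only and must be trailing whole octets.
        if ":" in entry or len(octets) != 4 or "*" not in octets:
            raise ValueError("bad wildcard entry: %r" % entry)
        if any(o != "*" for o in octets[octets.index("*"):]):
            raise ValueError("wildcards must be trailing octets: %r" % entry)
        fixed = [o for o in octets if o != "*"]
        base = ".".join(fixed + ["0"] * (4 - len(fixed)))
        return ipaddress.ip_network("%s/%d" % (base, 8 * len(fixed)))
    if "/" not in entry:
        addr = ipaddress.ip_address(entry)
        return ipaddress.ip_network("%s/%d" % (addr, addr.max_prefixlen))
    # strict=False tolerates host bits set in the entry (192.168.1.17/24).
    return ipaddress.ip_network(entry, strict=False)


def parse_trusted_networks(setting: str) -> List[Network]:
    """Parse the semicolon-separated setting string into CIDR networks."""
    return [wildcard_to_cidr(e) for e in setting.split(";") if e.strip()]


def is_trusted(client_ip: str, networks: List[Network]) -> bool:
    """Proper netmask check: client is in any configured network.

    An IPv4-mapped IPv6 address (::ffff:a.b.c.d), as seen on dual-stack
    listeners, is unwrapped so that IPv4 ranges still apply to it."""
    addr = ipaddress.ip_address(client_ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in networks if net.version == addr.version)


if __name__ == "__main__":
    # Constructed sample setting mixing legacy wildcards and a v6 prefix.
    nets = parse_trusted_networks("127.0.0.*;192.168.0.*;fd00:abcd::/64")
    print([str(n) for n in nets])
    print(is_trusted("::ffff:192.168.0.5", nets))
```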