See log as simple user...

Posted: Tuesday 24 January 2023 11:48
by lost
Hello,

Domoticz remote access is limited to a user without administrative rights in my system, so the configuration tab cannot be accessed. But sometimes, I'd like to be able to see the log remotely if I suspect some issue. But as the log page is under the configuration tab, that's not possible!

So, is it possible to redirect log page to a custom one for instance?

If there is no easy way, I'll probably do some hack using the log file directly, for instance tailed into websocketd:
https://medium.com/@joewalnes/tail-f-to ... 933d9056cc

But maybe I missed something to enable this?

Re: See log as simple user...

Posted: Wednesday 25 January 2023 14:14
by waltervl
The log page is

https://IP:PORT/#/Log

or when SSL is not enabled (not advised for external access)

http://IP:PORT/#/Log

But I do not know if that page will be blocked when there is no configuration access.
You could ssh into your system and cat or tail the logfile from the OS (if enabled): https://www.domoticz.com/wiki/Troublesh ... bugging.29

Re: See log as simple user...

Posted: Wednesday 25 January 2023 17:12
by lost
waltervl wrote: Wednesday 25 January 2023 14:14
The log page is
https://IP:PORT/#/Log
or when SSL is not enabled (not advised for external access)
http://IP:PORT/#/Log
But I do not know if that page will be blocked when there is no configuration access.
You could ssh into your system and cat or tail the logfile from the OS (if enabled): https://www.domoticz.com/wiki/Troublesh ... bugging.29
Hello,

I already thought about this, but setting up a minimal custom web page with an iframe pointing to the internal/LAN URL will not work from outside/WAN (it may, using the external domain name, but I did not try, as if the https server security is managed correctly this redirection will be blocked for a non-admin user).

Of course, I could use ssh (I have a virtual switch that changes firewall rules to allow ssh for 30 s for this, as knockd does not support IPv6 and SSH is highly targeted by brute-forcers compared to HTTPS), but sometimes I have something that does not behave as intended with just my dumbphone in hand... and it's not very convenient to fire up ConnectBot to use ssh from such a device just to see a last log of a few hundred lines max.

So at the time, I finally did a dirty hack I'm not so proud to talk about (but I'm clearly not a web developer!): a shell script triggered every minute by a cron job that updates a minimal custom static web page (a title, an update button, and the last log text) with the last 500 log lines retrieved by tail. Like the Domoticz log, this page updated every minute is set up in /tmp, a tmpfs in RAM, to avoid uSD flash wear. Just a symbolic link is updated in ~/domoticz/www/templates.

The very dirty thing I'll be happy to remove if someone has something clean in mind to do the job!

#!/bin/bash
# Launched by a cron job set up every minute using "crontab -e" with:
# * * * * * ~/scripts/buildLastLogs.sh
set -eu

LL_LINES=500
LL_FILE=/tmp/LastLogs.html
LL_FILE_NEW=/tmp/LastLogs.html.new
DZ_WWW_PATH=~/domoticz/www/templates
DZ_LOG_FILE=/tmp/domoticz.txt

# Build CSS only the first time.
[ -f "$DZ_WWW_PATH/txtStyle.css" ] || echo 'html, body { font-family: Helvetica, Arial, sans-serif; white-space: pre-wrap }' > "$DZ_WWW_PATH/txtStyle.css"

# Build the last-log web page from the tail'ed log file.
{
  echo '<link href="txtStyle.css" rel="stylesheet" type="text/css" />'
  echo '<form><input type="button" onClick="window.location.reload(true)" value="Refresh Page" /></form>'
  echo "<h2>Last $LL_LINES logs (refreshed every mn):</h2>"
  echo '<pre>'
  # HTML-escape the log text so a log line containing '&', '<' or '>' is shown as text
  # instead of being interpreted as markup by the browser.
  tail -n "$LL_LINES" "$DZ_LOG_FILE" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
  echo '</pre>'
} > "$LL_FILE_NEW"
mv -f "$LL_FILE_NEW" "$LL_FILE"   # rename on the same tmpfs: a reader never gets a half-written page
ln -sf "$LL_FILE" "$DZ_WWW_PATH/" # symlink into the Custom tab templates directory (page itself stays in RAM)
But IMO, the best would be to change the log location to a specific tab (out of the setup menu) and use the existing possibility to limit available tabs per user.

Re: See log as simple user...

Posted: Wednesday 25 January 2023 17:18
by waltervl
Just to be clear: You were not able to go to the "https://IP:PORT/#/Log" page from outside? That was blocked for a viewer User with limited access?

Re: See log as simple user...

Posted: Wednesday 25 January 2023 17:25
by lost
waltervl wrote: Wednesday 25 January 2023 17:18 Just to be clear: You were not able to go to the "https://IP:PORT/#/Log" page from outside? That was blocked for a viewer User with limited access?
No, it's just that the redirection will somehow be sent to the browser, on the WAN side, unable to use internal LAN addresses. But IMO even using my domain name will not work as the resource will be locked for a non-admin user (if not, this would be a huge security issue to allow digging freely, provided you know the path that is supposed to be inaccessible).

EDIT: Just tried manually, from WAN, after login, to alter the URL from the "#/Dashboard" default to "#/Log"; I can confirm I cannot access the log page and I'm sent back to the dashboard.

Re: See log as simple user...

Posted: Wednesday 25 January 2023 17:30
by waltervl
You can always login as admin....

Re: See log as simple user...

Posted: Wednesday 25 January 2023 17:49
by lost
waltervl wrote: Wednesday 25 January 2023 17:30 You can always login as admin....
It should be made possible, but I did not intend to allow the admin user from WAN (only from LAN is currently possible & default without password, as the LAN address range is set up to allow this). So an admin user is created (because it is mandatory to be able to set up another restricted user) but currently disabled.

As this is for external access, I prefer to keep the current setup. Even if this would be the last wall in my system security, at least this would not allow immediate use of some access/alarm related password-protected switches after being able to get their password from the setup tab...

Re: See log as simple user...

Posted: Thursday 26 January 2023 7:09
by kiddigital
@lost, I can understand and appreciate why you chose not to use an Admin user to login from the WAN side. It is a choice, not something the system enforces. There is no setting that says ‘only allow Admin logins from LAN’ or something.

But the log can also contain sensitive information so that is why only Admins can see it at the moment.

Say that as a Viewer you could see the logs. If the logs tell you something is wrong and/or needs changing, etc. you would still need to logout and log back in as Admin to do whatever is needed.

It feels like it is just convenient in some cases like yours where Admin people use a non-admin to access Domoticz remotely and can have a peek into the log without needing to switch/use an Admin account.

Re: See log as simple user...

Posted: Thursday 26 January 2023 10:02
by lost
kiddigital wrote: Thursday 26 January 2023 7:09 Say that as a Viewer you could see the logs. If the logs tell you something is wrong and/or needs changing, etc. you would still need to logout and log back in as Admin to do whatever is needed.
This user is not a simple viewer, but is given access to a subset of tabs/devices. The idea is not to correct from a mobile phone with my big & bulky fingers but just to figure out what may have gone wrong, to keep this in mind for correction when I'm back home.

I don't think I ever saw anything really confidential in Domoticz logs. It may happen, but IMO this would be some user script (on my side, I use logger in my own scripts so anything confidential, like some configured mail account info, goes to syslog instead of the Domoticz log) or plugin print, not from the Domoticz core: maybe setting logs in another tab (so it may be selected at user creation) as I suggested could be done with default disabled.

When you say "There is no setting that says ‘only allow Admin logins from LAN’ or something", it looks like this indeed works, even if this may not be expected. In fact, on the current 2022.2 stable (so before the current login rework), if on the setup side you have a login set up + no login for the LAN subnet, and you set the same admin user on the user management side (just to be able to set up another basic user) but disabled, you cannot log in with the admin user remotely and only the basic user works.

Anyway, that's no big deal and I have a workaround (the first I planned, using websocketd, was not working, probably because the Domoticz web server does not implement the feature).
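Added example, not the script posted in this thread and not part of Domoticz: a Python variant of the cron-driven "last N log lines as a static page" hack above, kept to the same layout (page written to /tmp on tmpfs, symlinked into ~/domoticz/www/templates for the Custom tab) but addressing the two points raised in the thread. Every log line is HTML-escaped before it is placed inside the page, so a log entry that happens to contain markup is displayed as text rather than interpreted by the viewer's browser, and values that look like credentials (key=value secrets, user:pass in URLs) are masked, since kiddigital notes the log may carry sensitive information and lost notes that user scripts or plugins are the likely source. The file paths, the redaction patterns and the function names are assumptions.

```python
#!/usr/bin/env python3
"""Publish the last N Domoticz log lines as a static HTML page.

Added example, not the script posted in this thread and not part of Domoticz.
Same idea as the cron-driven shell hack: the page lives on tmpfs and is
symlinked into the Custom tab templates directory.  Two defensive additions:
  * each log line is HTML-escaped, so an entry containing '<script>' or '&'
    is shown as text instead of being interpreted as markup by the browser;
  * values that look like credentials are redacted, since user scripts or
    plugins may print secrets into the log.
Run it every minute from cron:  * * * * * ~/scripts/build_last_logs.py
"""
import html
import os
import re
import tempfile
from collections import deque
from pathlib import Path

# File locations as used in the thread (assumed to match the installation).
LOG_FILE = Path("/tmp/domoticz.txt")
PAGE_FILE = Path("/tmp/LastLogs.html")                  # tmpfs: no flash wear
TEMPLATES_DIR = Path.home() / "domoticz" / "www" / "templates"
LINES = 500

# Redaction patterns (assumptions; extend them to match what your own scripts log).
# 1) key=value / key: value pairs whose key name looks like a secret
SECRET_RE = re.compile(
    r"(?i)\b(password|passwd|pwd|token|apikey|api_key|secret)\b(\s*[=:]\s*)(\S+)")
# 2) credentials embedded in URLs: scheme://user:pass@host
URL_CRED_RE = re.compile(r"(?i)(\w+://)([^/\s:@]+):([^/\s@]+)@")


def redact(line: str) -> str:
    """Mask secret values in one log line; the key name is kept for context."""
    line = SECRET_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}[REDACTED]", line)
    line = URL_CRED_RE.sub(r"\1\2:[REDACTED]@", line)
    return line


def tail_lines(path: Path, n: int) -> list[str]:
    """Return the last n lines of a file while holding only n lines in memory."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return list(deque(fh, maxlen=n))


def render(lines: list[str], n: int) -> str:
    """Build the page; every log line passes through redact() and html.escape()."""
    body = "".join(html.escape(redact(line)) for line in lines)
    return (
        '<!DOCTYPE html>\n<meta charset="utf-8">\n'
        '<link href="txtStyle.css" rel="stylesheet" type="text/css">\n'
        '<form><input type="button" onclick="window.location.reload(true)" '
        'value="Refresh Page"></form>\n'
        f"<h2>Last {n} log lines (refreshed every minute):</h2>\n"
        f"<pre>{body}</pre>\n"
    )


def write_atomic(path: Path, content: str) -> None:
    """Write to a temp file in the same directory, then rename over the target,
    so a browser fetching the page never sees a half-written file."""
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".lastlogs-")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(content)
        os.chmod(tmp, 0o644)
        os.replace(tmp, path)
    finally:
        if os.path.exists(tmp):   # only left behind if a step above failed
            os.unlink(tmp)


def publish() -> Path:
    """Rebuild the page and make sure the Custom tab symlink points at it."""
    page = render(tail_lines(LOG_FILE, LINES), LINES)
    write_atomic(PAGE_FILE, page)
    link = TEMPLATES_DIR / PAGE_FILE.name
    if not link.is_symlink():     # the link only needs creating once
        link.symlink_to(PAGE_FILE)
    return link


if __name__ == "__main__":
    publish()
```

The redaction is deliberately narrow (named keys and URL-embedded credentials) so that ordinary status lines are left untouched; anything a restricted user must never see should still be routed to syslog rather than the Domoticz log, as described earlier in the thread.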