CIRALabs / shg_mud_supervisor

shg_mud_controller is a combination MUD registrar/controller and ANIMA registrar based upon the ANIMAgus minerva fountain Join/Coordinator and Registrar
https://minerva.sandelman.ca/
MIT License

Access to SPIN API through mud-supervisor RBAC #17

Open audricschiltknecht opened 5 years ago

audricschiltknecht commented 5 years ago

What we want to do

Allow access to SPIN API (web_ui? MQTT?) to registered/enabled users in mud-supervisor

How authentication/authorization is done in mud-supervisor

Validation of a client TLS certificate and check of DB attributes.

audricschiltknecht commented 5 years ago

Might be a lead: https://github.com/tai/mod-auth-ticket-for-lighttpd

audricschiltknecht commented 5 years ago

Possible solutions

Note that MQTT can be encapsulated in Websocket

Technical solutions

lighttpd

Supports websocket proxy since 1.4.46 (1.4.50 on turris). Does not seem to support any kind of JWT validation, so limited to cert validation.

nginx

Have nginx proxy the SPIN web_ui/MQTT stream. Validate credentials using JWT (we could simply check for client certs in a first step). Cons: need to replace lighttpd with nginx, or have nginx listening on a non-standard port (but then we have 2 webservers installed, a bit of a waste...)

MQTT auth plugin

MQTT allows writing of plugins. Use https://github.com/iegomez/mosquitto-go-auth. Has a JWT backend. Cons: Written in Go. Not sure we can compile it and have it run on turris/musl.

audricschiltknecht commented 5 years ago

First version done in "jwt" branch. Principle is to use JWT and secure only the web API for now. We are using JWT: a new API has been created in mud-supervisor that will issue a JWT. This token is passed along with the request to access the spin web interface. Then a lua script is called by lighttpd that will validate that the JWT is valid and will allow/deny access to the API. Currently, the secret is hardcoded to 1234. Need to export it (eg. generated during first boot?), then accessed by the other applications.
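The flow described in the comment above (mud-supervisor issues an HS256 token under a shared secret; the hook in front of the SPIN web API validates it before letting the request through), written out as an added example in Ruby, the language mud-supervisor itself is written in. This is not code from the "jwt" branch or from the project; it uses only the Ruby standard library, and the claim names (iss, sub, scope), the 300-second lifetime, the module name ShgJwtExample and the secret file path are all this example's own assumptions. The last helper shows one answer to the hard-coded "1234": generate the secret once on first boot into a mode-0600 file that both mud-supervisor and the lighttpd Lua hook read.

```ruby
# Added example, not shg_mud_supervisor code: minimal HS256 JWT issue/verify pair
# plus a first-boot secret file. Standard library only (json, openssl, securerandom).
require "json"
require "openssl"
require "securerandom"

module ShgJwtExample
  ALG = "HS256"

  # base64url without padding, as RFC 7515 requires for JWS segments
  def self.b64url(bytes)
    [bytes].pack("m0").tr("+/", "-_").delete("=")
  end

  def self.b64url_decode(str)
    raise ArgumentError, "bad base64url" unless str.match?(/\A[A-Za-z0-9_-]*\z/)
    padded = str + "=" * ((4 - str.length % 4) % 4)
    padded.tr("-_", "+/").unpack1("m0") # strict decode, raises on garbage
  end

  def self.sign(secret, signing_input)
    OpenSSL::HMAC.digest("SHA256", secret, signing_input)
  end

  # constant-time comparison so the check does not leak how many bytes matched
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # mud-supervisor side: issue a short-lived token for an enabled user.
  # Claim names and the 300 s default lifetime are assumptions of this example.
  def self.issue(secret, sub:, ttl: 300, now: Time.now.to_i)
    header  = { alg: ALG, typ: "JWT" }
    payload = { iss: "mud-supervisor", sub: sub, scope: "spin", iat: now, exp: now + ttl }
    signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
    "#{signing_input}.#{b64url(sign(secret, signing_input))}"
  end

  # proxy side (what the lighttpd Lua hook has to do): returns the payload hash
  # when the token is acceptable, nil otherwise. Checks shape, alg, signature,
  # expiry and scope; any decoding error is treated as a bad token.
  def self.verify(secret, token, now: Time.now.to_i)
    parts = token.to_s.split(".", -1)
    return nil unless parts.length == 3
    header  = JSON.parse(b64url_decode(parts[0]))
    payload = JSON.parse(b64url_decode(parts[1]))
    # pin the algorithm: never let header["alg"] pick the check (alg=none forgeries)
    return nil unless header["alg"] == ALG
    expected = sign(secret, "#{parts[0]}.#{parts[1]}")
    return nil unless secure_equal?(expected, b64url_decode(parts[2]))
    return nil unless payload["exp"].is_a?(Integer) && now < payload["exp"]
    return nil unless payload["scope"] == "spin"
    payload
  rescue JSON::ParserError, ArgumentError
    nil
  end

  # shared secret generated on first boot and reused afterwards, instead of "1234";
  # O_EXCL keeps two services from racing to create it, 0600 keeps other users out
  def self.load_or_create_secret(path)
    return File.binread(path) if File.exist?(path)
    secret = SecureRandom.random_bytes(32)
    File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) { |f| f.write(secret) }
    secret
  end
end

if __FILE__ == $PROGRAM_NAME
  secret = SecureRandom.random_bytes(32)
  token  = ShgJwtExample.issue(secret, sub: "alice")
  puts token
  puts ShgJwtExample.verify(secret, token).inspect
  puts ShgJwtExample.verify("1234", token).inspect # wrong secret -> nil
end
```

The four checks in `verify` are the ones worth carrying over to the Lua hook: pin the algorithm instead of reading it from the header, compare the MAC in constant time, reject expired tokens, and check the scope so a token minted for one API is not accepted by another. One caveat of HS256 is that anyone holding the secret to verify can also mint tokens, so the file should be readable only by mud-supervisor and the lighttpd hook; if more consumers (an MQTT auth plugin, say) later need to validate tokens, an asymmetric algorithm such as ES256 lets them hold just the public key.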

mcr commented 5 years ago

Audric Schiltknecht notifications@github.com wrote:

First version done in "jwt" branch. Principle is to use JWT and secure only the web API for now. We are using JWT: a new API has been created in mud-supervisor that will issue a JWT.

Perfect use of technology!