Closed m0lmk closed 4 years ago
Initial analysis:
No need to move any files into an admin folder. We will want to lock every file except the index unless logged in. This can be done with this modification to the nginx config.
location /index.php { auth_basic off; }
Looking at using PAM instead of the normal authentication. That way it'll be the same details as the RPi.
Sounds like a nice and simple way to achieve it.
Started to implement this and will be in a new image soon.
All files are password protected except index.php, image, js, css and a new incorrect password page.
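An added example, not taken from the project's image: one way to write the nginx server block this thread describes, with authentication on by default and switched off only for the public pieces. The document root, PHP-FPM socket, htpasswd path, the `/image/`, `/js/` and `/css/` directory layout and the `denied.html` page name are assumptions, and it uses plain `auth_basic` rather than PAM.

```nginx
server {
    listen 80;
    root  /var/www/html;                          # assumed document root

    # Default for every URI: require a login.
    auth_basic           "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;    # assumed path

    # Failed or missing credentials get the incorrect-password page.
    error_page 401 /denied.html;                  # hypothetical page name
    location = /denied.html { auth_basic off; }

    location = / { return 302 /index.php; }

    # "=" is an exact match and is chosen before any regex location.
    # With a plain prefix "location /index.php", a request for /index.php
    # is taken by the "\.php$" regex below instead, so the prefix block's
    # "auth_basic off" is not used for it.
    location = /index.php {
        auth_basic off;
        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass  unix:/run/php/php-fpm.sock; # assumed socket
    }

    # Public static assets. These are prefix matches without "^~", so a
    # .php file placed in one of them still falls through to the regex
    # location and stays behind the login.
    location /image/ { auth_basic off; }
    location /js/    { auth_basic off; }
    location /css/   { auth_basic off; }

    # Every other PHP page inherits auth_basic from the server block.
    location ~ \.php$ {
        try_files     $uri =404;
        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass  unix:/run/php/php-fpm.sock; # assumed socket
    }
}
```

After `nginx -t` and a reload, a request without credentials should return 200 for `/index.php` and 401 for any other PHP page.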
Ticket Review 11/05/2019 - This is half implemented and should also fix https://github.com/PiSupply/iot-pi-gen/issues/4
I believe this has been implemented in the last few releases now. Closing ticket.
It would be great if the config files were moved to an admin folder and protected with a .htpasswd. I have done this on my dev system and it works well.
The status page remains public so that it can be viewed across the LAN but the config pages become protected so the settings can't be changed without authorisation.