Closed m0lmk closed 4 years ago
ryanteck
commented
5 years ago Initial analysis:
No need to move any files into an admin folder. We will want to lock every file except the index unless logged in. This can be done with this modification to the nginx config.
location /index.php { auth_basic off; }
Looking at using pam instead of the normal authentication. That way it'll be the same details as the RPi.
m0lmk
commented
5 years ago Sounds like a nice and simple way to achieve it.
ryanteck
commented
5 years ago Started to implement this and will be in a new image soon.
All files are password protected accept index.php, image, js, css and a new incorrect password page.
ryanteck
commented
5 years ago Ticket Review 11/05/2019 - This is half implemented and should also fix https://github.com/PiSupply/iot-pi-gen/issues/4
ryanteck
commented
4 years ago I believe this has been implemented in the last few releases now. Closing ticket.
It would be great if the config files were moved to an admin folder and protected with a .htpasswd. I have done this on my dev system and it works well.
The status page remains public so that it can be viewed across the LAN but the config pages become protected so the settings can't be changed without authorisation.