Tzahi12345 / YoutubeDL-Material

Self-hosted YouTube downloader built on Material Design
MIT License

Only allow modification of settings for admins + Autossl #27

Closed ibrahimk157 closed 4 years ago

ibrahimk157 commented 4 years ago

Hello,

I don’t like the fact that anyone visiting the downloader is able to modify anything in the settings. It should’ve been made so that only admins can modify it.

Also, it would be great to have autossl built in with auto-renew.

Thanks

Tzahi12345 commented 4 years ago

> I don’t like the fact that anyone visiting the downloader is able to modify anything in the settings. It should’ve been made so that only admins can modify it.

I understand. What if you could optionally put the settings behind a PIN? I think that might be able to reduce most of the security risk.

> Also, it would be great to have autossl built in with auto-renew.

You can put the frontend behind a reverse-proxy in nginx or apache2 and use an existing cert that way (you don't even need to enable encryption in the settings).

I did a quick search and it doesn't look like there's an easy way to generate a certificate automatically in node.js, but if you see something feel free to share!

ibrahimk157 commented 4 years ago

> > I don’t like the fact that anyone visiting the downloader is able to modify anything in the settings. It should’ve been made so that only admins can modify it.
>
> I understand. What if you could optionally put the settings behind a PIN? I think that might be able to reduce most of the security risk.
>
> > Also, it would be great to have autossl built in with auto-renew.
>
> You can put the frontend behind a reverse-proxy in nginx or apache2 and use an existing cert that way (you don't even need to enable encryption in the settings).
>
> I did a quick search and it doesn't look like there's an easy way to generate a certificate automatically in node.js, but if you see something feel free to share!

Putting settings behind a pin seems to be quite a great idea! I was initially thinking a button that would disable settings altogether and you could only get it back with a re-install. That way you could configure whatever you want and then remove settings altogether.

As for the reverse proxy, I currently use OpenLiteSpeed since that’s what my panel supports. No clue how to get that done at all (I’m not very experienced in this sort of stuff).

Tzahi12345 commented 4 years ago

> As for the reverse proxy, I currently use OpenLiteSpeed since that’s what my panel supports. No clue how to get that done at all (I’m not very experienced in this sort of stuff).

No problem, I looked it up and turns out there's a guide for it, check it out here. You would have to set up your certificates with OpenLiteSpeed/the virtual host. Doesn't look too hard, but let me know if you get stuck! Web server configs are very confusing at first.

ibrahimk157 commented 4 years ago

> > As for the reverse proxy, I currently use OpenLiteSpeed since that’s what my panel supports. No clue how to get that done at all (I’m not very experienced in this sort of stuff).
>
> No problem, I looked it up and turns out there's a guide for it, check it out here. You would have to set up your certificates with OpenLiteSpeed/the virtual host. Doesn't look too hard, but let me know if you get stuck! Web server configs are very confusing at first.

Thank you for that. I’ll give it a try in a few hours as I’ll have to head off soon and hence can’t do it now.

GlassedSilver commented 4 years ago

> > > I don’t like the fact that anyone visiting the downloader is able to modify anything in the settings. It should’ve been made so that only admins can modify it.
> >
> > I understand. What if you could optionally put the settings behind a PIN? I think that might be able to reduce most of the security risk.
> >
> > > Also, it would be great to have autossl built in with auto-renew.
> >
> > You can put the frontend behind a reverse-proxy in nginx or apache2 and use an existing cert that way (you don't even need to enable encryption in the settings). I did a quick search and it doesn't look like there's an easy way to generate a certificate automatically in node.js, but if you see something feel free to share!
>
> Putting settings behind a pin seems to be quite a great idea! I was initially thinking a button that would disable settings altogether and you could only get it back with a re-install. That way you could configure whatever you want and then remove settings altogether.

One MAJOR reason why you would probably never want to have that is that, as new versions release, more settings will come along with them that you might not always like at their default settings.

Re-installing every time then? Mind you, just to SEE if there is something you'd like to overwrite. Unless you fancy catching up on github at every patch to see what's new...

Sounds like a lot of trouble for access control. PIN/password would be the best option here I think as well. An extension to that would be user management with roles, but honestly I think this is best kept in mind for way later development, because there's still a few things that are a little more urgent in the most common use cases. I am not the developer here so my talk is cheap. :D

(read this more as a perspective than a guideline)

ibrahimk157 commented 4 years ago

> > > > I don’t like the fact that anyone visiting the downloader is able to modify anything in the settings. It should’ve been made so that only admins can modify it.
> > >
> > > I understand. What if you could optionally put the settings behind a PIN? I think that might be able to reduce most of the security risk.
> > >
> > > > Also, it would be great to have autossl built in with auto-renew.
> > >
> > > You can put the frontend behind a reverse-proxy in nginx or apache2 and use an existing cert that way (you don't even need to enable encryption in the settings). I did a quick search and it doesn't look like there's an easy way to generate a certificate automatically in node.js, but if you see something feel free to share!
> >
> > Putting settings behind a pin seems to be quite a great idea! I was initially thinking a button that would disable settings altogether and you could only get it back with a re-install. That way you could configure whatever you want and then remove settings altogether.
>
> One MAJOR reason why you would probably never want to have that is that, as new versions release, more settings will come along with them that you might not always like at their default settings.
>
> Re-installing every time then? Mind you, just to SEE if there is something you'd like to overwrite. Unless you fancy catching up on github at every patch to see what's new...
>
> Sounds like a lot of trouble for access control. PIN/password would be the best option here I think as well. An extension to that would be user management with roles, but honestly I think this is best kept in mind for way later development, because there's still a few things that are a little more urgent in the most common use cases. I am not the developer here so my talk is cheap. :D
>
> (read this more as a perspective than a guideline)

You do have a point there. For me, I was planning on deleting the container and then pulling a new image and creating a container for it whenever a new version is out, much easier than attempting an update. But using a pin is a much better approach indeed!

GlassedSilver commented 4 years ago

> You do have a point there. For me, I was planning on deleting the container and then pulling a new image and creating a container for it whenever a new version is out, much easier than attempting an update. But using a pin is a much better approach indeed!

Which docker implementation are you running? Sounds needlessly complicated!

I'm using docker on unRAID, it's literally hitting an update button for me and off it goes.

Settings don't however YET persist. See my issue #19. This is however being tackled soon and then the world should be a flowery comfy place. :D

ibrahimk157 commented 4 years ago

> > You do have a point there. For me, I was planning on deleting the container and then pulling a new image and creating a container for it whenever a new version is out, much easier than attempting an update. But using a pin is a much better approach indeed!
>
> Which docker implementation are you running? Sounds needlessly complicated!
>
> I'm using docker on unRAID, it's literally hitting an update button for me and off it goes.
>
> Settings don't however YET persist. See my issue #19. This is however being tackled soon and then the world should be a flowery comfy place. :D

I use Cyberpanel which takes care of everything for me... I literally just need to hit a few buttons lol

ibrahimk157 commented 4 years ago

> > I don’t like the fact that anyone visiting the downloader is able to modify anything in the settings. It should’ve been made so that only admins can modify it.
>
> I understand. What if you could optionally put the settings behind a PIN? I think that might be able to reduce most of the security risk.
>
> > Also, it would be great to have autossl built in with auto-renew.
>
> You can put the frontend behind a reverse-proxy in nginx or apache2 and use an existing cert that way (you don't even need to enable encryption in the settings).
>
> I did a quick search and it doesn't look like there's an easy way to generate a certificate automatically in node.js, but if you see something feel free to share!

I tried to follow that guide but I wasn’t able to access the OpenLiteSpeed admin panel, most likely because it was installed by cyberpanel. So I guess I’ll have to use it without SSL for now unfortunately.

GlassedSilver commented 4 years ago

> I use Cyberpanel which takes care of everything for me... I literally just need to hit a few buttons lol

And yet updating is more complicated? I must be missing something major here, because if I reinstalled all my containers every time there is an update I'd go crazy.

Updating a container on unRAID is ONE button and it's kinda fail-safe. (one exception: Calibre from the linuxserver.io repo, that one is a B**** to set up/update/etc... That container's implementation of guacamole is beyond borked I swear to God)

I digress.

ibrahimk157 commented 4 years ago

> > I use Cyberpanel which takes care of everything for me... I literally just need to hit a few buttons lol
>
> And yet updating is more complicated? I must be missing something major here, because if I reinstalled all my containers every time there is an update I'd go crazy.
>
> Updating a container on unRAID is ONE button and it's kinda fail-safe. (one exception: Calibre from the linuxserver.io repo, that one is a B**** to set up/update/etc... That container's implementation of guacamole is beyond borked I swear to God)
>
> I digress.

That was not my point. I never tried updating since I’m literally on the latest version lol.

My point was that nuking the container and starting from scratch is quite straightforward with cyberpanel.

Tzahi12345 commented 4 years ago

@ibrahimk157

Just wanted to let you know that the ability to add a pin to settings is now available in version 3.5!

Regarding automatically renewing SSL certs, I think it's out of the scope of this project, at least for now. It seems like you can issue certs through Cyberpanel directly, but I'm quite inexperienced with Cyberpanel so I can't speak for it (last I used it was a decade ago).

Feel free to ask for help, and let me know if you have another suggestion! Hope you like the new update :)

ibrahimk157 commented 4 years ago

> @ibrahimk157
>
> Just wanted to let you know that the ability to add a pin to settings is now available in version 3.5!
>
> Regarding automatically renewing SSL certs, I think it's out of the scope of this project, at least for now. It seems like you can issue certs through Cyberpanel directly, but I'm quite inexperienced with Cyberpanel so I can't speak for it (last I used it was a decade ago).
>
> Feel free to ask for help, and let me know if you have another suggestion! Hope you like the new update :)

Thanks a lot for this! I’ll give it a try shortly.

As for issuing SSL certificates from cyberpanel, it doesn’t seem to work on anything apart from port 80. But thinking about it, it’s not that big of a deal... just a simple SSL warning in browsers which you can easily ignore.

ibrahimk157 commented 4 years ago

Works beautifully! Excellent job on the new update! Can’t thank you enough!

Tzahi12345 commented 4 years ago

Glad you like it :)