danielperna84 / hass-configurator

Configuration UI for Home Assistant
MIT License

SESAME notification question #201

Closed rsfurlan90 closed 4 years ago

rsfurlan90 commented 4 years ago

Hi, I have been using HASS Configurator (v0.4.0) with my Home Assistant setup (v0.112.1) and it works great!

However, I have a doubt regarding the use of SESAME token.

As I have configured an Apache reverse proxy to provide external access to my setup under my sub-domains, the Configurator plugin (embedded into my Home Assistant) will always make use of SESAME token to allow the usage and display the content inside a panel_iframe. The incoming connection will always be from IP 127.0.0.1 in this case.

I have also configured the following ALLOWED_NETWORKS:

"127.0.0.1", "192.168.15.0/24"

Considering the scenario above, I still keep getting a notification on my Home Assistant whenever I click on the HASS Configurator menu saying:

Your SESAME token has been used to whitelist the IP address 127.0.0.1.

Here goes my question: is it really needed to show that message, even when the incoming IP has been already white-listed (and will never change)? Or am I missing something?

Thank you

danielperna84 commented 4 years ago

Or am I missing something?

I guess so. The Sesame token doesn't provide any value in this setup, because all requests will be coming from 127.0.0.1. Hence the integrated security features (blacklist / banning etc.) won't have any effect. They are meant for setups where the configurator is exposed to the web directly. When operating behind a reverse proxy the only usable security feature is setting up credentials required to log in. Additional hardening would have to be implemented by yourself with tools like fail2ban.
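Added example (not part of this thread, and not hass-configurator's own code): a minimal model of an allow-list plus ban-list check, showing why it cannot distinguish clients once every request arrives from the local proxy as 127.0.0.1, and how the lists regain meaning if the proxy's forwarded address is honoured only when the TCP peer is a trusted proxy. The trusted-proxy address, the forged-header case and all client addresses are assumptions, not from the thread.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed model (not hass-configurator's own code) of an allow-list plus
# ban-list check, showing why it stops distinguishing clients once every
# request reaches the app from a local reverse proxy as peer 127.0.0.1.

# Networks from the thread; "127.0.0.1" parses as the /32 host network.
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.1", "192.168.15.0/24")]
TRUSTED_PROXIES = {"127.0.0.1"}  # assumption: the Apache proxy runs on the same host


def is_allowed(client_ip: str, allowed: Iterable = ALLOWED_NETWORKS) -> bool:
    """True if client_ip falls inside any allowed network."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in allowed)


def effective_client_ip(peer_ip: str, x_forwarded_for: Optional[str]) -> str:
    """Address an access check should evaluate.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy;
    a client connecting directly could otherwise forge the header. The
    rightmost entry is the one appended by that proxy, i.e. the address
    that actually connected to it.
    """
    if x_forwarded_for and peer_ip in TRUSTED_PROXIES:
        return x_forwarded_for.split(",")[-1].strip()
    return peer_ip


def decide(peer_ip: str, x_forwarded_for: Optional[str], banned: set) -> str:
    """Return 'banned', 'allowed' or 'denied' for one request."""
    client_ip = effective_client_ip(peer_ip, x_forwarded_for)
    if client_ip in banned:
        return "banned"
    return "allowed" if is_allowed(client_ip) else "denied"


if __name__ == "__main__":
    # Behind the proxy with no forwarded header every request is peer
    # 127.0.0.1, so the allow-list matches unconditionally and a ban on the
    # real client never applies: the point made in the thread.
    print(decide("127.0.0.1", None, banned={"203.0.113.5"}))            # allowed
    # With the proxy forwarding the client address, the lists regain meaning.
    print(decide("127.0.0.1", "203.0.113.5", banned={"203.0.113.5"}))  # banned
    print(decide("127.0.0.1", "198.51.100.7", banned=set()))           # denied
    # A direct client's forged header is ignored because the peer isn't trusted.
    print(decide("198.51.100.7", "192.168.15.10", banned=set()))       # denied
```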