Closed eliasbakken closed 6 months ago
I'm not so interested in adding a password, it really complicates the whole setup procedure and the hope is to get rid of the "reflash-board" project altogether in favor of a USB drive to elevate the security level. Still, we should have some sort of security, so I'm aiming to add the same level of security that Moonraker adds, which is IP limiting. That should be possible to add in Nginx.
IP limiting has been implemented in nginx with the following rules:

```nginx
allow 10.0.0.0/8;
allow 127.0.0.0/8;
allow 169.254.0.0/16;
allow 172.16.0.0/12;
allow 192.168.0.0/16;
allow FE80::/10;
allow ::1/128;
deny all;
```
On the reflash-board app, there is no authentication of users. This is a security risk because the website allows enabling ssh access and allows rebooting to Reflash, which allows all sorts of changes. The Reflash app itself is meant as an intermediary step and should not be left open for very long. The Reflash-board app is meant to be left available indefinitely, so security is a bigger concern. It could be possible to restrict access to only LAN as well for both apps.
Nginx allows basic auth. The password can be set from Reflash (usb).
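To check what the allow/deny rules above actually admit before relying on them, here is an added example (not part of the issue or the Reflash project) that replays the rule list the way nginx's access module evaluates it: rules are tried in order, the first match decides, and IPv4-mapped IPv6 clients are matched against the IPv4 rules. The rule list is copied from the comment above; the client addresses in the test are constructed.

```python
import ipaddress

# The nginx access rules from the comment above, in order (first match wins).
RULES = [
    ("allow", "10.0.0.0/8"),
    ("allow", "127.0.0.0/8"),
    ("allow", "169.254.0.0/16"),
    ("allow", "172.16.0.0/12"),
    ("allow", "192.168.0.0/16"),
    ("allow", "FE80::/10"),
    ("allow", "::1/128"),
    ("deny", "all"),
]


def parse_rules(rules):
    """Turn (action, target) pairs into (action, network-or-None); None means 'all'."""
    parsed = []
    for action, target in rules:
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action {action!r}")
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        parsed.append((action, net))
    return parsed


def matching_rule(client_ip, rules=RULES):
    """Return the index of the first rule that matches client_ip, or None."""
    addr = ipaddress.ip_address(client_ip)
    # nginx treats an IPv4-mapped IPv6 client (::ffff:a.b.c.d) as the
    # embedded IPv4 address when IPv4 rules exist, so do the same here.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    for i, (action, net) in enumerate(parse_rules(rules)):
        if net is None or (net.version == addr.version and addr in net):
            return i
    return None


def is_allowed(client_ip, rules=RULES):
    """True if nginx would admit client_ip under these rules."""
    i = matching_rule(client_ip, rules)
    if i is None:
        return True  # nginx default when no rule matches is to allow
    return rules[i][0] == "allow"
```

The address nginx matches is the TCP peer, so if a reverse proxy sits in front of the board every request arrives from the proxy's address and these rules no longer distinguish LAN from internet clients.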