intelligent-agent / Reflash

Flasher image for Refactor distro for use with Recore 3D printer board
GNU Affero General Public License v3.0

Add Basic authentication on Reflash-board #49

Closed eliasbakken closed 6 months ago

eliasbakken commented 7 months ago

On the reflash-board app, there is no authentication of users. This is a security risk because the website allows enabling ssh access and allows rebooting to Reflash, which allows all sorts of changes. The Reflash app itself is meant as an intermediary step and should not be left open for very long. The Reflash-board app is meant to be left available indefinitely, so security is a bigger concern. It could be possible to restrict access to only LAN as well for both apps.

Nginx allows basic auth. The password can be set from Reflash (usb).

eliasbakken commented 6 months ago

I'm not so interested in adding a password, it really complicates the whole setup procedure and the hope is to get rid of the "reflash-board" project altogether in favor of a USB drive to elevate the security level. Still, we should have some sort of security, so I'm aiming to add the same level of security that Moonraker adds, which is IP limiting. That should be possible to add in Nginx.

eliasbakken commented 6 months ago

IP limiting has been implemented in nginx with the following rules:

```nginx
allow 10.0.0.0/8;
allow 127.0.0.0/8;
allow 169.254.0.0/16;
allow 172.16.0.0/12;
allow 192.168.0.0/16;
allow FE80::/10;
allow ::1/128;
deny all;
```
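As an added example (not part of the issue or the Reflash project), this Python script emulates nginx's first-match evaluation of the rule set above so the list can be sanity-checked against sample client addresses before it is deployed; the sample addresses are constructed.

```python
import ipaddress

# The allow/deny rules from the comment above, in the order nginx evaluates them
# (ngx_http_access_module stops at the first rule that matches the client address).
RULES = [
    ("allow", "10.0.0.0/8"),
    ("allow", "127.0.0.0/8"),
    ("allow", "169.254.0.0/16"),
    ("allow", "172.16.0.0/12"),
    ("allow", "192.168.0.0/16"),
    ("allow", "fe80::/10"),
    ("allow", "::1/128"),
    ("deny", "all"),
]


def is_allowed(client_ip: str, rules=RULES) -> bool:
    """Return True if client_ip passes the access rules, False if it is denied.

    Addresses that do not parse are treated as denied (fail closed).
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    for action, spec in rules:
        if spec == "all":
            matched = True
        else:
            net = ipaddress.ip_network(spec, strict=False)
            # An IPv4 address never matches an IPv6 prefix and vice versa.
            matched = addr.version == net.version and addr in net
        if matched:
            return action == "allow"
    # nginx grants access when no rule matches; the trailing "deny all" above
    # makes this branch unreachable for the posted rule set.
    return True


def audit(addresses):
    """Map each sample address to the verdict the rule set gives it."""
    return {ip: is_allowed(ip) for ip in addresses}


if __name__ == "__main__":
    # Constructed sample client addresses, not values from the issue.
    samples = ["10.1.2.3", "172.31.255.255", "172.32.0.1", "8.8.8.8",
               "fe80::1", "2001:db8::1", "not-an-ip"]
    for ip, ok in audit(samples).items():
        print(f"{ip:>16}  {'allow' if ok else 'deny'}")
```

The check nginx performs is on the TCP source address of the connection, so the rules only restrict access where the board is reached directly and not through a forwarding proxy or port forward that rewrites the source.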