jens-maus / RaspberryMatic

:house: A feature-rich but lightweight, buildroot-based Linux operating system alternative for your CloudFree CCU3/ELV-Charly 'homematicIP CCU' IoT smarthome central. Running as a pure virtual appliance (ProxmoxVE, Home Assistant, LXC, Docker/OCI, Kubernetes/K8s, etc.) on a dedicated embedded device (RaspberryPi, etc.) or generic x86/ARM hardware.
https://raspberrymatic.de
Apache License 2.0

lighttpd auth.conf is not loaded, authentication doesn't work if activated #2279

Closed drs-project closed 1 year ago

drs-project commented 1 year ago

Describe the issue you are experiencing

Authentication for websites of the RaspberryMatic is enabled through the WebUI (Settings -> Security -> "Authentication active" checked).

Still, no login is required for any page.

Describe the behavior you expected

User should need to authenticate via login. Otherwise an error should be returned.

Steps to reproduce the issue

  1. Activate authentication
  2. Open a page (e.g. XMP-API, H2-Charts) with another browser that is not logged in.
  3. ...

What is the version this bug report is based on?

3.69.6-20230407

Which base platform are you running?

ova (Open Virtual Infrastructure)

Which HomeMatic/homematicIP radio module are you using?

HmIP-RFUSB

Anything in the logs that might be useful for us?

Digging into the config files it seems that lighttpd is not loading auth.conf.
If it is manually added to the modules.conf, lighttpd crashes with the next request.

Additional information

No response

jens-maus commented 1 year ago

Sorry, but I don't get it. Please explain in more detail what you actually expect and what is not currently implemented?!?

And just in case: it is totally normal that configuration web pages of third-party addons installed in a CCU/RaspberryMatic won't automatically require authentication even though authentication is enabled in the WebUI. It is up to the third-party application/addon to implement this on their own, since the main WebUI cannot know anything about their use case.

drs-project commented 1 year ago

Hi jens-maus, thanks for your quick reply and sorry for being too brief.

You're right that some addons like H2 Charts open their own ports for communication. I understand that that is not affected by CCU configuration.

On the other hand, XML-API is delivered by lighttpd. Requests like "GET /addons/xmlapi/info.html HTTP/1.1" are logged in the access log. And the CCU GUI explicitly says that XML-API will be affected by turning on authentication (sorry, I only have the screenshot in German). But the setting seems to have no effect. I can access /addons/xmlapi/info.html with any browser, logged in or not.

However, redirection to HTTPS works. So I anticipated (maybe that was wrong) that redirection and authentication are handled in the lighttpd config. There is /etc/lighttpd/conf.d/httpsredirect.conf that seems to redirect all requests from non-local IPs to HTTPS. Then /etc/lighttpd/conf.d/auth.conf defines basic authentication, so I would expect a browser pop-up for username and password. But that's not happening, so I suspect that auth.conf is not loaded. If I list it in modules.conf to make sure it is used, then lighttpd restarts, but crashes upon the next request.

Here I'm stuck understanding what's happening. Thanks for any help!
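For readers following the config discussion above: the snippet below is an added, generic lighttpd 1.4 mod_auth example illustrating how HTTP basic authentication is scoped to a URL prefix in lighttpd. It is not RaspberryMatic's own auth.conf, and the userfile path, the realm name and the /addons/xmlapi/ prefix are assumptions chosen for illustration.

```conf
# Added generic example of lighttpd mod_auth configuration (not the
# RaspberryMatic config). Paths, realm and URL prefix are assumptions.

# mod_auth performs the HTTP authentication handshake; mod_authn_file
# provides the file-based backends (htpasswd, htdigest, plain).
server.modules += ( "mod_auth", "mod_authn_file" )

# Credential store: an htpasswd-style file (hypothetical path).
auth.backend = "htpasswd"
auth.backend.htpasswd.userfile = "/etc/lighttpd/htpasswd"

# Authentication is enforced only for URLs matching a listed prefix.
# A request to a path outside these prefixes is served without any
# login prompt, which is why a globally "active" setting does not by
# itself protect every addon page.
auth.require = (
  "/addons/xmlapi/" => (
    "method"  => "basic",
    "realm"   => "XML-API",          # shown in the browser login pop-up
    "require" => "valid-user"        # any user present in the userfile
  )
)
```

Basic authentication sends credentials base64-encoded, not encrypted, so a rule like this only makes sense together with an HTTPS redirect such as the httpsredirect.conf mentioned above. A quick check of whether a rule is in effect is to request the path without credentials and confirm the server answers 401 with a WWW-Authenticate header rather than 200.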

Baxxy13 commented 1 year ago

The XML-RPC API has nothing to do with the XML-API addon. Have a read here...

jens-maus commented 1 year ago

The XML-RPC API has nothing to do with the XML-API addon. Have a read here...

That's indeed the case. You (@drs-project) are mixing up XML-RPC with XML-API. These are two independent things. The XML-RPC service is an integral API of the CCU ecosystem and XML-API is a third-party addon project.

Thus, as this is no real "bug" or "issue" I will convert this ticket into a discussion thread....