Closed drs-project closed 1 year ago
Sorry, but don‘t get it. Please explain in more detail what actually you expect and what is not currently implemented?!?
And just in case: it is totally normal that configuration web pages of third party addons installed in a ccu/RaspberryMatic won‘t automatically require authentication even thought authentication is enabled in the webui. It is up to the third party application/addon to implement this on their own, since the main webui cannot know anything about their use case.
Hi jens-maus, thanks for your quick reply and sorry for being too brief.
You're right that some addons like H2 Charts open their own ports for communication. I understand that that is not affected by CCU configuration.
On the other hand XML-API is delivered by lighttpd. Requests like "GET /addons/xmlapi/info.html HTTP/1.1" are logged in the access log. And the CCU GUI explicitly says that XML-API will be affected by turning on authentication: (sorry I have the screenshot only in German) But the setting seems to have no effect. I can access /addons/xmlapi/info.html with any browser, logged in or not.
However redirection to HTTPS works. So I anticipated (maybe that was wrong) that redirection and authentication are handled in the lighttpd config.
There is /etc/lighttpd/conf.d/httpsredirect.conf
that seems to redirect all requests from non-local IPs to https.
Then /etc/lighttpd/conf.d/auth.conf
defines basic authentication - so I would expect a browser pop-up for username and password. But that's not happening, so I suspect that auth.conf is not loaded. If I list it in modules.conf to make sure it is used, then lighttpd restarts, but crashes upon the next request.
Here I'm stuck understanding what's happening. Thanks for any help!
Die XML-RPC-API hat nichts mit dem XML-API AddOn zu tun. Hier mal lesen...
Die XML-RPC-API hat nichts mit dem XML-API AddOn zu tun. Hier mal lesen...
That's indeed the case. You (@drs-project) are mixing up XML-RPC with XML-API. These are two independent things. The XML-RPC service is an integral API of the CCU ecosystem and XML-API is a third-party addon project.
Thus, as this is no real "bug" or "issue" I will convert this ticket into a discussion thread....
Describe the issue you are experiencing
Authentication for websites of the RasperryMatic is enabled through the webUI Setting -> Security -> Authentication active checked.
Still not login is required for any page.
Describe the behavior you expected
User should need to authenticate via login. Otherwise an error should be returned.
Steps to reproduce the issue
...
What is the version this bug report is based on?
3.69.6-20230407
Which base platform are you running?
ova (Open Virtual Infrastructure)
Which HomeMatic/homematicIP radio module are you using?
HmIP-RFUSB
Anything in the logs that might be useful for us?
Additional information
No response