rszimm / sprinklers_pi

Sprinkling System Control Program for the Raspberry Pi
GNU General Public License v2.0

Feature request: add login page to secure access to sprinklers_pi web interface with username/password #15

Closed dkossman closed 5 years ago

dkossman commented 10 years ago

This has been discussed on the boards, just wanted to add it here for the record.

It would be nice to add some basic password protection to the sprinklers_pi web interface, so that access to all pages was gated by a login page which required username/password. The initial username/password could be defaulted during installation. A new section would be needed on the Settings page to change it. The implementation could be simplified by just requiring a password and eliminating or defaulting the username.

I am not sure what the simplest way to do this would be given the current implementation of the web server. Perhaps HTTP Basic Auth? Although this is not really secure unless done over SSL, it would be better than nothing and would prevent those with access to your local network from easily messing with your sprinklers.

nhorvath commented 10 years ago

I know this is less than ideal but you could set up an Apache (optionally with SSL) with ProxyPass to sprinklers_pi and put the HTTP auth on the Apache. There should be a way to do the same thing with nginx also, I just have more experience with Apache. Obviously an all-in-one solution would be preferable but this wouldn't require any development time.

Example ProxyPass config (make sure you enable mod_proxy in Apache):

```apache
<VirtualHost *:443>
    # Do your SSL setup here

    # Do your HTTP auth here too
    ProxyPass / http://localhost:80/
    ProxyPassReverse / http://localhost:80/
</VirtualHost>
```

This would connect https://your_pi_ip/ through Apache to your sprinklers_pi running on port 80.

dkossman commented 10 years ago

OK - if I understand this correctly, the Apache virtual host is listening on port 443 and proxying the requests over to the sprinklers_pi app that is listening on port 80. What prevents someone from connecting directly to the sprinklers_pi app on port 80? Apologies if I'm being thick, I'm not very familiar with Apache proxy setup, so I'm probably missing something fairly basic here.

thanks

nhorvath commented 10 years ago

You're right, someone could connect to it directly, but I was assuming you wanted this to use it over the internet, which would require you to open ports on your firewall and you could leave the direct port to sprinklers_pi unforwarded. If you wanted to secure it from the LAN as well you could use iptables. I also would recommend leaving the sprinklers_pi on 8080 or some other port (I forgot I changed mine to 80).

To block the port with iptables you would do this (and make sure that your ProxyPass in Apache uses localhost and not the external IP of your Pi):

```
sudo iptables -A INPUT -i eth0 -p tcp --dport 8080 -j DROP
```

This assumes your sprinklers_pi is running on the default of 8080 and you are using the wired LAN interface (eth0); if you're using a wireless interface it's probably wl0 (you can check with ifconfig).

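A complete Apache 2.4 virtual host that puts together the three pieces discussed in this thread (TLS termination, HTTP Basic auth, and a reverse proxy to sprinklers_pi on its default port 8080 over loopback). This is an added example, not configuration from the sprinklers_pi project; the server name, certificate paths and htpasswd path are assumptions.

```apache
# Added example, not part of sprinklers_pi. Assumed paths:
#   /etc/ssl/sprinklers/fullchain.pem, /etc/ssl/sprinklers/privkey.pem
#   /etc/apache2/sprinklers.htpasswd
# Modules needed: a2enmod ssl proxy proxy_http auth_basic
<VirtualHost *:443>
    ServerName sprinklers.example.lan

    # TLS termination so the Basic-auth credentials are never sent in clear text.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/sprinklers/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/sprinklers/privkey.pem

    # Gate every path behind a username/password.
    # Create the file once with:  htpasswd -c /etc/apache2/sprinklers.htpasswd admin
    <Location "/">
        AuthType Basic
        AuthName "sprinklers_pi"
        AuthUserFile /etc/apache2/sprinklers.htpasswd
        Require valid-user
    </Location>

    # Proxy to the app over loopback only, so a firewall rule can drop
    # every non-loopback connection to 8080 without breaking the proxy.
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

Pair it with iptables rules that accept TCP 8080 on `lo` and drop it on every other interface (rather than only on eth0), so the direct route to the app stays closed regardless of which interface name the Pi is using.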

BrianAus commented 9 years ago

You could also use iptables to prevent access to port 8080 from the LAN. Then use PuTTY to connect to the Raspberry and include a tunnel to port 8080. This way you do not need the Apache configuration. I have mine set up with a PuTTY certificate so I do not have to enter a username/password.