wg-easy / wg-easy

The easiest way to run WireGuard VPN + Web-based Admin UI.

There is no password protection on web UI. #1151

Closed Skysea45 closed 4 months ago

Skysea45 commented 4 months ago

There is no password protection on deployment. (I generated a pass with bcrypt and passed it exactly to the .yml file.) It doesn't ask for any password for accessing WG profiles.

valorisa commented 4 months ago

With the hash, no password is needed.

pheiduck commented 4 months ago

My WG is protected on older versions with a password or on nightly with a hashed password. I guess it is a wrong configuration on the user side.

Duoquote commented 4 months ago

Same applies for me, I think it can be a real issue, here is my config for docker-compose:

services:
  wg-easy:
    environment:
      - LANG=en
      - WG_HOST=xxx
      - PASSWORD_HASH=$$2b$$12$$XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      - WG_DEFAULT_DNS=8.8.8.8
      - UI_TRAFFIC_STATS=true
      - UI_CHART_TYPE=3 # (0 Charts disabled, 1 # Line chart, 2 # Area chart, 3 # Bar chart)

    image: ghcr.io/wg-easy/wg-easy
    container_name: wg-easy
    volumes:
      - ./data:/etc/wireguard
    ports:
      - "51820:51820/udp"
      - "127.0.0.1:51821:51821/tcp"
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1

Also, mine is behind a reverse proxy; here is my nginx config too, if related:

upstream wg-easy {
        server localhost:51821;
}

map $http_upgrade $connection_upgrade {
        default keep-alive;
        'websocket' upgrade;
        '' close;
}

server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        server_name xxx;

        ssl_certificate xxx;
        ssl_certificate_key xxx;
        ssl_protocols TLSv1.2 TLSv1.3;

        location / {
                proxy_pass http://wg-easy;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $connection_upgrade;
                proxy_set_header Host $server_name;
                proxy_redirect http:// https://;
                proxy_buffering off;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
                add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
        }
}

And here is the result: there is no prompt for anything, I can just browse to the address I defined and it's open. I also opened the cookie section as something is stored there, but it is probably Cloudflare related. And yes, I installed it on a real domain, so right now it's actually accessible by anyone...

Docker logs:

wg-easy  | 2024-07-10T18:46:31.349Z Server Listening on http://0.0.0.0:51821
wg-easy  | 2024-07-10T18:46:31.355Z WireGuard Loading configuration...
wg-easy  | 2024-07-10T18:46:31.362Z WireGuard Configuration loaded.
wg-easy  | 2024-07-10T18:46:31.362Z WireGuard Config saving...
wg-easy  | 2024-07-10T18:46:31.364Z WireGuard Config saved.
wg-easy  | $ wg-quick down wg0
wg-easy  | $ wg-quick up wg0
wg-easy  | 2024-07-10T18:46:31.487Z WireGuard Config syncing...
wg-easy  | $ wg syncconf wg0 <(wg-quick strip wg0)
wg-easy  | 2024-07-10T18:46:31.527Z WireGuard Config synced.

filipkotoucek commented 4 months ago

I also ran into this issue. I think the latest version still takes the "obsolete" PASSWORD for now. But nightly already takes PASSWORD_HASH.
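
A pre-deployment check for the mismatch discussed in this thread, as an added example that is not part of the original issue or the wg-easy project's code: it lints docker-compose text for a wg-easy service. The mapping of image tag to password variable (`latest` reads `PASSWORD`, `nightly` reads `PASSWORD_HASH`) is an assumption taken from the comments above and will differ between releases; `lint_compose`, `SAMPLE` and the sample host name and hash are constructed for illustration.

```python
import re

# bcrypt hash shape: $2a/$2b/$2y, two-digit cost, 22-char salt + 31-char digest
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")

def lint_compose(text):
    """Return findings about UI password settings in wg-easy compose text."""
    env = dict(re.findall(r"^[ \t]*-[ \t]*([A-Z_]+)=(.*?)[ \t]*$", text, re.M))
    m = re.search(r"^[ \t]*image:[ \t]*(\S+)", text, re.M)
    name = (m.group(1) if m else "").rsplit("/", 1)[-1]
    tag = name.split(":", 1)[1] if ":" in name else "latest"  # untagged = latest
    has_plain, has_hash = "PASSWORD" in env, "PASSWORD_HASH" in env
    findings = []
    if not (has_plain or has_hash):
        findings.append("no PASSWORD or PASSWORD_HASH set: UI will not ask for a login")
    # Assumption from the thread: 'latest' reads PASSWORD, 'nightly' reads PASSWORD_HASH.
    if tag == "latest" and has_hash and not has_plain:
        findings.append("image tag 'latest' with only PASSWORD_HASH: variable may be ignored")
    if tag == "nightly" and has_plain and not has_hash:
        findings.append("image tag 'nightly' with only PASSWORD: variable may be ignored")
    if has_hash:
        raw = env["PASSWORD_HASH"].strip("'\"")
        if re.search(r"(?<!\$)\$(?!\$)", raw):
            findings.append("single '$' in PASSWORD_HASH: compose interpolates it, use '$$'")
        if not BCRYPT_RE.match(raw.replace("$$", "$")):
            findings.append("PASSWORD_HASH is not a well-formed bcrypt hash")
    return findings

# Constructed sample modelled on the compose file in the thread (not a real hash).
SAMPLE_HASH = "$$2b$$12$$" + "A" * 53
SAMPLE = f"""services:
  wg-easy:
    environment:
      - WG_HOST=vpn.example.test
      - PASSWORD_HASH={SAMPLE_HASH}
    image: ghcr.io/wg-easy/wg-easy
"""

if __name__ == "__main__":
    for finding in lint_compose(SAMPLE):
        print("WARN:", finding)
```

A clean lint result only covers the compose file; requesting the UI from outside the reverse proxy and confirming a login prompt appears is still the authoritative check.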