Dashticz - Safety (no access from outside your network)

Dashticz, alternative dashboard based on HTML, CSS, jQuery

Moderators: robgeerts, htilburgs

lukev
Posts: 56
Joined: Friday 21 October 2016 10:42
Target OS: NAS (Synology & others)
Domoticz version:
Contact:

Dashticz - Safety (no access from outside your network)

Post by lukev » Tuesday 09 May 2017 20:27

Hi all,

This afternoon a Dashticz user pointed me to quite a security breach in my setup. My dashboard was placed on a webserver, which was accessible from the internet (because I host several websites).

Via this method it's fairly easy to read personal information like login credentials and/or API-codes.
I removed the dashboard from my webfolder, but now I am looking for an alternative way to safely access the dashboard, only from within my own house. The WWW-folder of domoticz is not an option, because domoticz itself is accessible from the internet (with login). That comes in handy sometimes to put on light, heating, etc. Or to read out motion sensors when the alarm triggers.

But placed in the WWW-directory, all the credentials are also readable.

I can place the files somewhere else on my network, but then I have problems with showing the dashboard on my dedicated android tab in my house. By my knowledge it (e.g. Chrome) cannot show webfiles from a random network location.

So my question: how do you guys safely use this dashboard??

Ierlandfan
Posts: 73
Joined: Friday 09 October 2015 17:40
Target OS: Linux
Domoticz version:
Contact:

Re: Dashticz - safety

Post by Ierlandfan » Tuesday 09 May 2017 21:03

lukev wrote:
By my knowledge it (e.g. Chrome) cannot show webfiles from a random network location.

Just to make sure:
You mean that
http://192.168.x.y/dashticz/index.html
cannot be displayed by your android device?

niceandeasy
Posts: 147
Joined: Thursday 28 January 2016 23:25
Target OS: Raspberry Pi
Domoticz version: 3.8153
Location: NL
Contact:

Re: Dashticz - safety

Post by niceandeasy » Tuesday 09 May 2017 21:33

I just placed an .htaccess file in the root of my Dashticz directory on my web server.
If your webserver runs on Apache, this should work. If you're running an old version of Apache, you may need to use a different syntax (google it), or just update your Apache.

so, the file name is: .htaccess
it contains this line: Require ip 192.168.1.0/24

Where 192.168.1.0/24 (or 192.168.1.x mask 255.255.255.0) is your own network.

It is not ideal, it shows an http 403 error instead of 404 but at least it is inaccessible. It also blocks the contents of Dashticz's subdirectories.
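
To confirm from the server side that a rule like this is really enforced (later in the thread an .htaccess file turns out to have no effect on one setup), the web server's access log can be audited. The following is an added example, not part of the original post: it assumes the dashboard is served under /dashticz/, the local network is 192.168.1.0/24 and the log is in Apache's common/combined format; the log lines are constructed.

```python
import ipaddress
import re

# Assumptions: dashboard path and LAN range as used in the posts above.
DASH_PREFIX = "/dashticz/"
ALLOWED_NET = ipaddress.ip_network("192.168.1.0/24")

# Apache common/combined log: client ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def audit(lines, prefix=DASH_PREFIX, allowed=ALLOWED_NET):
    """Classify requests for paths under `prefix` coming from outside `allowed`.

    leaks   -- answered with a status below 400: the rule is not enforced
    blocked -- answered with 403: the rule works
    """
    leaks, blocked = [], []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["path"].startswith(prefix):
            continue
        try:
            client = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # a hostname was logged instead of an address
        if client in allowed:
            continue  # request from the local network, expected
        status = int(m["status"])
        if status < 400:
            leaks.append((m["ip"], m["path"], status))
        elif status == 403:
            blocked.append((m["ip"], m["path"], status))
    return leaks, blocked

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.168.1.20 - - [09/May/2017:20:01:11 +0200] "GET /dashticz/index.html HTTP/1.1" 200 5120',
    '203.0.113.7 - - [09/May/2017:20:05:42 +0200] "GET /dashticz/index.html HTTP/1.1" 200 5120',
    '203.0.113.7 - - [09/May/2017:21:40:03 +0200] "GET /dashticz/index.html HTTP/1.1" 403 221',
    '198.51.100.9 - - [09/May/2017:21:41:17 +0200] "GET /blog/ HTTP/1.1" 200 8012',
]

if __name__ == "__main__":
    leaks, blocked = audit(SAMPLE_LOG)
    for ip, path, status in leaks:
        print(f"EXPOSED: {ip} fetched {path} ({status})")
    print(f"{len(blocked)} outside request(s) refused with 403")
```

An entry in `leaks` dated before the rule was added means the credentials and API codes stored with the dashboard should be treated as disclosed and changed. If the server sits behind a reverse proxy, the logged address is the proxy's, so the audit has to run on the proxy's log instead.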

lukev
Posts: 56
Joined: Friday 21 October 2016 10:42
Target OS: NAS (Synology & others)
Domoticz version:
Contact:

Re: Dashticz - safety

Post by lukev » Tuesday 09 May 2017 22:19

Ierlandfan wrote:

Just to make sure:
You mean that
http://192.168.x.y/dashticz/index.html
cannot be displayed by your android device?

Yes it can, but that requires for the index.html to be on a webserver?

If I put it somewhere else on my network, it would require some other protocol like smb or nfs or something like that.

robgeerts
Posts: 1239
Joined: Saturday 24 January 2015 23:12
Target OS: NAS (Synology & others)
Domoticz version: 3.7067
Location: NL
Contact:

Re: Dashticz - Safety (no access from outside your network)

Post by robgeerts » Tuesday 09 May 2017 22:33

Use the htaccess solution from @niceandeasy on your webserver...
Creator of Dashticz

HansieNL
Posts: 420
Joined: Monday 28 September 2015 15:13
Target OS: Raspberry Pi
Domoticz version:
Contact:

Re: Dashticz - Safety (no access from outside your network)

Post by HansieNL » Tuesday 09 May 2017 22:43

I'm using a Raspberry Pi running Domoticz and have also lighttpd installed as 2nd webserver just for internal use. There are no ports forwarded to this webserver so should be safe.
Blah blah blah

asjmcguire
Posts: 140
Joined: Saturday 13 July 2013 2:45
Target OS: Linux
Domoticz version: 3.5877
Location: Scotland
Contact:

Re: Dashticz - Safety (no access from outside your network)

Post by asjmcguire » Friday 12 May 2017 20:06

It's trivial to install Nginx or Apache or something on any computer - including the Domoticz one - and host other web content - that is not accessible from the internet. You just have to make sure it's being served on a port that the router is not port forwarding.

Nginx: https://www.digitalocean.com/community/ ... untu-16-04
AEOTEC ZStick, 11 ZWave Nodes, RFXCOMM, 50ish Byron Sockets.. HE851 (PIR), 2x HE852 (DoorContact)
WS2300, CM180, CC128, 2xTHGR122NX, 2xPiZeroW w/DS18B20, 8Ch 1W Relay Board.
8 Panasonic IP Cams, 1 16ch CCTV DVR + 15 CCTV Cams

Grove
Posts: 13
Joined: Wednesday 01 June 2016 20:20
Target OS: NAS (Synology & others)
Domoticz version:
Contact:

Re: Dashticz - Safety (no access from outside your network)

Post by Grove » Sunday 14 May 2017 11:48

On Synology the .htaccess method isn't working for me.
Is there someone that has this successfully implemented on a Synology?

qwerk
Posts: 293
Joined: Tuesday 22 July 2014 7:21
Target OS: Raspberry Pi
Domoticz version: beta
Location: Netherlands
Contact:

Re: Dashticz - Safety (no access from outside your network)

Post by qwerk » Sunday 14 May 2017 12:05

I used a Dutch manual yesterday. That worked for me.
https://www.synology.com/nl-nl/knowledg ... ged_access

Egregius
Posts: 2715
Joined: Thursday 09 April 2015 12:19
Target OS: Linux
Domoticz version: Beta
Location: Beitem, BE
Contact:

Re: Dashticz - Safety (no access from outside your network)

Post by Egregius » Sunday 14 May 2017 12:42

Grove wrote:
On Synology the .htaccess method isn't working for me.
Is there someone that has this successfully implemented on a Synology?

.htaccess works only with Apache 2.2 on a Syno

Grove
Posts: 13
Joined: Wednesday 01 June 2016 20:20
Target OS: NAS (Synology & others)
Domoticz version:
Contact:

Re: Dashticz - Safety (no access from outside your network)

Post by Grove » Sunday 14 May 2017 15:26

The Apache backend is configured as version 2.2. But the .htaccess doesn't have any effect. So I was wondering if somebody had this implemented and how.

qwerk
Posts: 293
Joined: Tuesday 22 July 2014 7:21
Target OS: Raspberry Pi
Domoticz version: beta
Location: Netherlands
Contact:

Re: Dashticz - Safety (no access from outside your network)

Post by qwerk » Sunday 14 May 2017 15:42

Grove wrote:
The Apache backend is configured as version 2.2. But the .htaccess doesn't have any effect. So I was wondering if somebody had this implemented and how.

Hi Grove,

Did you follow the manual I gave (two replies above)?
I followed it step by step and it is working on Synology 6.1 and Apache 2.2 backend.

Grove
Posts: 13
Joined: Wednesday 01 June 2016 20:20
Target OS: NAS (Synology & others)
Domoticz version:
Contact:

Re: Dashticz - Safety (no access from outside your network)

Post by Grove » Sunday 14 May 2017 20:29

Hi Qwerk,

Did you do it on the Dashticz site?

On other sites, I did already implement a password requirement for accessing it but on the Dashticz it isn't working for some reason.

lukev
Posts: 56
Joined: Friday 21 October 2016 10:42
Target OS: NAS (Synology & others)
Domoticz version:
Contact:

Re: Dashticz - Safety (no access from outside your network)

Post by lukev » Sunday 14 May 2017 20:49

Strange, I'm on a Synology and the htaccess solution works for me.

qwerk
Posts: 293
Joined: Tuesday 22 July 2014 7:21
Target OS: Raspberry Pi
Domoticz version: beta
Location: Netherlands
Contact:

Re: Dashticz - Safety (no access from outside your network)

Post by qwerk » Sunday 14 May 2017 22:02

Grove wrote:
Hi Qwerk,

Did you do it on the Dashticz site?

On other sites, I did already implement a password requirement for accessing it but on the Dashticz it isn't working for some reason.

My Domoticz is running on a Pi, but Dashticz is running on a Synology.
The Dashticz site is protected by htaccess.

So, your Synology can handle htaccess for a number of sites.
Dashticz is also running on the same Synology.
You have Apache 2.2 as backend, do you have PHP configured?
Is there any nginx running?
Can you access your Dashticz site?

Grove
Posts: 13
Joined: Wednesday 01 June 2016 20:20
Target OS: NAS (Synology & others)
Domoticz version:
Contact:

Re: Dashticz - Safety (no access from outside your network)

Post by Grove » Monday 15 May 2017 12:31

Hi qwerk,

I've copied the directory from ..../domoticz/www to .../web from the Synology itself and now it is working.
I think domoticz is running on a nginx server.

Thanks for your support

niceandeasy
Posts: 147
Joined: Thursday 28 January 2016 23:25
Target OS: Raspberry Pi
Domoticz version: 3.8153
Location: NL
Contact:

Re: Dashticz - Safety (no access from outside your network)

Post by niceandeasy » Tuesday 01 August 2017 0:57

Grove wrote:
Hi qwerk,

I've copied the directory from ..../domoticz/www to .../web from the Synology itself and now it is working.
I think domoticz is running on a nginx server.

Thanks for your support

This is how I did it, too.
Domoticz lives on a Raspberry. Dashticz is on my web server: a Synology. The Syno has Apache and supports .htaccess. Domoticz does not.

Dynamic
Posts: 215
Joined: Friday 12 July 2013 14:50
Target OS: -
Domoticz version:
Location: Enschede
Contact:

Re: Dashticz - Safety (no access from outside your network)

Post by Dynamic » Friday 11 August 2017 14:40

Is there a way to protect Dashticz on a Raspberry?

edwin
Posts: 15
Joined: Wednesday 30 November 2016 16:21
Target OS: Linux
Domoticz version:
Contact:

Re: Dashticz - Safety (no access from outside your network)

Post by edwin » Tuesday 15 August 2017 10:19

Dynamic wrote:
Is there a way to protect Dashticz on a Raspberry?

As far as I understand, you would need to run a separate webserver that uses htaccess or something similar (like nginx). The Domoticz internal webserver does not use it.

For my own setup, I don't have any access set up from outside, except ssh. I access my setup using port forwarding.
Recent beta (git) on Arch Linux | Dashticz v2 (git) | RFLink 46.0 | Ikea Trådfri | P1 Smart Meter

Luxtux
Posts: 19
Joined: Monday 14 August 2017 15:16
Target OS: Linux
Domoticz version: 3.8153
Location: Luxembourg
Contact:

Re: Dashticz - Safety (no access from outside your network)

Post by Luxtux » Friday 25 August 2017 11:42

The htaccess idea works, or you could put the Dashticz dashboard outside of your publicly available site root and add an alias that can only be accessed from within your own network or even just by specific IP addresses.

example: /etc/apache2/sites-available/mydomain.conf

Code: Select all

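<VirtualHost *:80>
    ServerAdmin webmaster@mydomain.com
    DocumentRoot /var/www/mydomain
    ServerAlias mydomain.com

    # The dashboard lives outside the public DocumentRoot and is mapped in by an alias
    Alias /dashboard/ "/var/www/dashboard/"
    <Directory "/var/www/dashboard/">
        # Apache 2.2 access-control syntax.
        # Comments must be on their own line: Apache reads any text after a
        # directive on the same line as further arguments to that directive.
        Order deny,allow
        Deny from all
        # allow all IP addresses in 10.10.10.x
        Allow from 10.10.10
        # allow only this IP
        Allow from 192.168.0.5
    </Directory>
</VirtualHost>

Everybody outside of your network will get this error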
Image
