Do I really need Apache? Topic is solved

Post Reply
User avatar
EdddieN
Posts: 458
Joined: Wednesday 16 November 2016 12:31
Target OS: Raspberry Pi
Domoticz version: 4.9700
Location: Scotland
Contact:

Do I really need Apache?

Post by EdddieN » Tuesday 01 May 2018 19:38

Hello,

I'm working on this project: viewtopic.php?f=4&t=21403 and I'm creating a setup page for the I/Os which needs to forward the configuration via the Raspberry Pi UART to the extension board. I have managed to create a Python or Bash script that handles that, however I need to be able create the file and trigger the script form the web.

Imagine this form created in PHP:
form.png
form.png (56.37 KiB) Viewed 936 times
Ideally I like to have this page inside domoticz/www folder without the need to install Apache.
I have tried installing php-cgi and adding the config to the domoticz.sh start:

Code: Select all

DAEMON_ARGS="$DAEMON_ARGS -php_cgi_path /usr/bin/php-cgi7.0"
or

Code: Select all

DAEMON_ARGS="$DAEMON_ARGS -php_cgi_path /usr/bin/php-cgi"
but nothing... Domoticz is offline or 404

Is it really my only option to install Apache?
And if Apache, then how do I block the page to load if you are not logged into Domoticz?
11101101 - www.machinon.com

User avatar
EdddieN
Posts: 458
Joined: Wednesday 16 November 2016 12:31
Target OS: Raspberry Pi
Domoticz version: 4.9700
Location: Scotland
Contact:

Re: Do I really need Apache?

Post by EdddieN » Tuesday 01 May 2018 19:39

I'm trying to achieve this in Python too, but seems simpler in PHP if I can get the page to load :D
11101101 - www.machinon.com

User avatar
DeBaat
Posts: 31
Joined: Saturday 27 January 2018 15:52
Target OS: NAS (Synology & others)
Domoticz version: V3.8153
Contact:

Re: Do I really need Apache?

Post by DeBaat » Tuesday 01 May 2018 20:59

In another post I read about Dashticz.
This is also a (set of) php page(s) running in the Domoticz environment.
How about to use the same technique for your php pages?

gordonb3
Posts: 146
Joined: Saturday 31 March 2018 22:24
Target OS: Linux
Domoticz version: Custom
Location: Delft, NL
Contact:

Re: Do I really need Apache?

Post by gordonb3 » Tuesday 01 May 2018 21:18

Apache is quite heavy for home use, but the nice thing about it is that it supports just about everything right out of the box and has full PHP integration. Which is actually a bad thing for providers hosting sites from multiple customers on a single server, because the PHP integration allows customers to peak into eachother's home directory. Which is why PHP is usually run as a CGI, but you don't want to do that because this access method has been known to allow uploading and executing arbitrary code more than once. If you run the original Squeeze based Raspbian you want to stay far, far away from this access method.

For something more lightweight you can use Nginx combined with PHP-FPM "fastCGI" accessed through unix:socket. If you proxy Domoticz through Nginx as well it should be possible to use Domoticz security by fetching the related cookie and proofing that with Domoticz prior to returning any data. I know this sounds very theoretical, but I'm sure there must be at least a million examples to be found on the internet doing similar to this.

User avatar
EdddieN
Posts: 458
Joined: Wednesday 16 November 2016 12:31
Target OS: Raspberry Pi
Domoticz version: 4.9700
Location: Scotland
Contact:

Re: Do I really need Apache?

Post by EdddieN » Tuesday 01 May 2018 23:12

DeBaat wrote:
Tuesday 01 May 2018 20:59
In another post I read about Dashticz.
This is also a (set of) php page(s) running in the Domoticz environment.
How about to use the same technique for your php pages?
Good tip! still playing with it but a quick test of the dashticz_v2 theme seems to have the same issue when trying to use PHP files, see below (404):
Screen Shot 2018-05-01 at 22.10.33.png
Screen Shot 2018-05-01 at 22.10.33.png (208.45 KiB) Viewed 900 times
11101101 - www.machinon.com

User avatar
EdddieN
Posts: 458
Joined: Wednesday 16 November 2016 12:31
Target OS: Raspberry Pi
Domoticz version: 4.9700
Location: Scotland
Contact:

Re: Do I really need Apache?

Post by EdddieN » Tuesday 01 May 2018 23:14

gordonb3 wrote:
Tuesday 01 May 2018 21:18
Which is why PHP is usually run as a CGI, but you don't want to do that because this access method has been known to allow uploading and executing arbitrary code more than once. If you run the original Squeeze based Raspbian you want to stay far, far away from this access method.
I don't know enough of PHP but I take you mean that is a potential front door for a hack, right? Even if only using Domoticz web server?
11101101 - www.machinon.com

gordonb3
Posts: 146
Joined: Saturday 31 March 2018 22:24
Target OS: Linux
Domoticz version: Custom
Location: Delft, NL
Contact:

Re: Do I really need Apache?

Post by gordonb3 » Wednesday 02 May 2018 11:02

Any web server that grants access to /cgi-bin/php.cgi, so yes even Domoticz web server if you manage to insert it.

The main issue with Debian (derived) systems is that if you install PHP you get all the access methods, no questions asked. And it will even link the CGI and add the Apache module where supported web servers can find them. So even if you don't know it is there it allows a hacker keyless entry. And of course if you manually deleted it the CGI may return if you run an update.

A fairly simple trick that keeps most of them out is to make use of the web server's vhost capability - i.e. the possibility to run multiple web sites through their own domain name. Which obviously Domoticz won't do as this is a single purpose web server, but Apache and Nginx will. Create a default vhost that does nothing than display the `It Works!` page and is either stripped from cgi-bin access or has it redirected to /dev/nul. Create one or more additional vhost(s) to match a specific (d)dns name. As hackers usually come in using the raw IP address all they will see is the dummy page where they can't do any harm. If you like you can also give the individual vhosts different log files so you can have fail2ban monitor the one for the default vhost. In my opinion that is rather pointless though as it will only give you an extremely long list of compromised computers and at some point this may cause your own firewall to become the source of a Denial-of-Service.

User avatar
EdddieN
Posts: 458
Joined: Wednesday 16 November 2016 12:31
Target OS: Raspberry Pi
Domoticz version: 4.9700
Location: Scotland
Contact:

Re: Do I really need Apache?

Post by EdddieN » Wednesday 02 May 2018 15:47

Understood.

Ok, then if I setup an Nginx server as you suggest, the only challenge left I have is that the credential logins by Domoticz will not be shared by the custom setup.php page to configure the board. Leaving that setup page open is a bit risky, so I would rather have it protected with the same credentials as having two set of logins is a bit user un-friendly.

Alternatively I'm looking at this: https://www.domoticz.com/wiki/Developin ... hon_plugin but I must admin is very new. Probably more for the python forum... I'll ask the question there.

Thanks for all your help!
11101101 - www.machinon.com

gordonb3
Posts: 146
Joined: Saturday 31 March 2018 22:24
Target OS: Linux
Domoticz version: Custom
Location: Delft, NL
Contact:

Re: Do I really need Apache?

Post by gordonb3 » Wednesday 02 May 2018 19:15

As said before: if you are connecting to PHP you can read the cookie and send that along with some lightweight request to Domoticz to verify its response.

1) read cookie
2) send web request (http://.../json.htm?...)
3) read json response
4) send HTTP 403 or run rest of script to produce output

Post Reply

Who is online

Users browsing this forum: No registered users and 0 guests