Avoid exposing settings page
SylvainPer opened this issue · 5 comments
Is your feature request related to a problem? Please describe.
I don't want to expose unnecessary pages, especially settings one.
Describe the solution you'd like
Only expose the needed pages.
I've modified the auth.py file:
```python
oauthGetMappings = {"/gapi/oauth": OAuthReqHandler.oauth,
                    "/gapi/login": OAuthReqHandler.login,
                    "/login": OAuthReqHandler.login}
oauthPostMappings = {"/login": OAuthReqHandler.login_post,
                     "/gapi/login": OAuthReqHandler.login_post,
                     "/gapi/token": OAuthReqHandler.token_post}
```
This modification can be inserted with a new option in the configuration file.
I've also modified the nginx configuration:
```nginx
location ~ ^/assistant/(.*)$ {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Scheme $scheme;
    proxy_pass http://127.0.0.1:3030/gapi/$1$is_args$args; # Local ipno to dzga
    proxy_read_timeout 90;
}
```
and for the Google link, I'm using:
https://MYURL/assistant/oauth
https://MYURL/assistant/token
I forgot the smarthome.py modification:
```python
smarthomeGetMappings = {"/gapi/smarthome": SmartHomeReqHandler.smarthome,
                        "/gapi/sync": SmartHomeReqHandler.syncDevices,
                        "/settings": SmartHomeReqHandler.settings,
                        "/restart": SmartHomeReqHandler.restartServer}
smarthomePostMappings = {"/gapi/smarthome": SmartHomeReqHandler.smarthome_post,
                         "/settings": SmartHomeReqHandler.settings_post}
```
This config was from before the latest updates; the new links are missing.
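The approach described in the comments above (keep the full GET/POST route tables, but only register the paths a configuration option allows) can be demonstrated with a small allowlist router. This is an added example, not DZGA's own code: the handler functions are stand-ins that only report their name, and the `exposed_paths` option is a hypothetical config key, not one the project has.

```python
"""Route allowlist modelled on the issue's GET/POST mapping dicts.

Added example (not part of DZGA). Handlers are stand-ins and the
`exposed_paths` option is a hypothetical configuration key.
"""
from http import HTTPStatus
from typing import Callable, Dict, Iterable, Tuple

Handler = Callable[[], str]


def _stub(name: str) -> Handler:
    """Build a stand-in handler that just reports which route it serves."""
    return lambda: name


# Full route tables, mirroring the auth.py / smarthome.py mappings in the issue.
GET_MAPPINGS: Dict[str, Handler] = {
    "/gapi/oauth": _stub("oauth"),
    "/gapi/login": _stub("login"),
    "/login": _stub("login"),
    "/gapi/smarthome": _stub("smarthome"),
    "/gapi/sync": _stub("syncDevices"),
    "/settings": _stub("settings"),
    "/restart": _stub("restartServer"),
}
POST_MAPPINGS: Dict[str, Handler] = {
    "/login": _stub("login_post"),
    "/gapi/login": _stub("login_post"),
    "/gapi/token": _stub("token_post"),
    "/gapi/smarthome": _stub("smarthome_post"),
    "/settings": _stub("settings_post"),
}


def parse_exposed_paths(option_value: str) -> frozenset:
    """Parse the hypothetical `exposed_paths` option: a comma-separated list
    of paths. An empty option means 'expose nothing', which is the safe
    default; the dangerous default would be 'expose everything'."""
    return frozenset(p.strip() for p in option_value.split(",") if p.strip())


def filter_mappings(mappings: Dict[str, Handler],
                    exposed: Iterable[str]) -> Dict[str, Handler]:
    """Keep only routes that appear on the allowlist. Allowlist entries that
    match no route are simply ignored, so a stale config cannot add routes."""
    allowed = set(exposed)
    return {path: handler for path, handler in mappings.items() if path in allowed}


def build_router(option_value: str) -> Tuple[Dict[str, Handler], Dict[str, Handler]]:
    """Return (get_table, post_table) restricted to the configured paths."""
    exposed = parse_exposed_paths(option_value)
    return filter_mappings(GET_MAPPINGS, exposed), filter_mappings(POST_MAPPINGS, exposed)


def dispatch(method: str, path: str,
             get_table: Dict[str, Handler],
             post_table: Dict[str, Handler]) -> Tuple[int, str]:
    """Resolve a request against the filtered tables. A route that was
    filtered out returns 404 exactly like a path that never existed."""
    table = {"GET": get_table, "POST": post_table}.get(method.upper())
    if table is None:
        return HTTPStatus.METHOD_NOT_ALLOWED, ""
    handler = table.get(path.split("?", 1)[0])  # ignore any query string
    if handler is None:
        return HTTPStatus.NOT_FOUND, ""
    return HTTPStatus.OK, handler()


if __name__ == "__main__":
    # Constructed option value: only the endpoints Google needs plus the login page.
    get_t, post_t = build_router("/gapi/oauth, /gapi/token, /gapi/smarthome, /gapi/login, /login")
    for m, p in (("GET", "/gapi/oauth"), ("GET", "/settings"), ("POST", "/gapi/token")):
        print(m, p, dispatch(m, p, get_t, post_t))
```

The filtering happens once at startup, so the unexposed handlers are never reachable through the web server at all; a reverse proxy rule in front of it (like the nginx block in the issue) then only has to forward the same short list of paths.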
This issue is stale because it has been open 30 days with no activity. Remove the stale label or comment, or this will be closed in 5 days.
@DewGew, just to avoid closing it too early.
Hi,
I've found a workaround for this: with Sophos UTM Home (free), you can use the firewall's reverse proxy, also called WAF, and set protection rules for your web server like "hardening = enabled; entry urls = /oauth, /token, /smarthome". This prevents anyone from outside accessing the /settings endpoint, while you can still reach it internally by going to http://server-ip-local:3030/settings. The firewall also takes care of managing Let's Encrypt certificates for HTTPS, including auto-renewal. You only need a domain (or DynDNS) for that.
Hello @Catfriend1, thanks for your answer, but this solution is not available for the RPi, and lots of configurations are based on it.
My proposal is to update the paths configuration.