Allowed/en: Unterschied zwischen den Versionen
(First english version) |
(kein Unterschied)
|
Version vom 14. März 2018, 12:17 Uhr
allowed | |
---|---|
Zweck / Funktion | |
Securing the FHEM server components | |
Allgemein | |
Typ | Hilfsmodul |
Details | |
Dokumentation | EN / DE |
Support (Forum) | Automatisierung |
Modulname | 96_allowed.pm |
Ersteller | rudolfkoenig / rudolfkoenig |
Wichtig: sofern vorhanden, gilt im Zweifel immer die (englische) Beschreibung in der commandref! |
allowed is a Helper module to secure and restrict access to the server services (FHEM web server and telnet) provided by fhem.pl.
Introduction
By default every device connected to the same network[1] the FHEM server is part of could connect and steer FHEM without encryption or need for user or password data. FHEM will therefore present a security warning. Defining an allowed device is one of the available options to set.
Most likely you want to make use of allowed to
- allow access to FHEM coming out of other networks and/or
- restrict the possibility to access FHEM (or at least get not full control over all of your devices and configuration) for members of the same network.
Syntax
To define an allowed device for one or more FHEMWEB or telnet-Interfaces use
define <name> allowed <deviceList>
Additional Remarks
If you plan to make FHEM accessible not only from a local net, it is highly recommended to not just use allowed but to apply also additional security measures. Possible options could be the use of VPN technologies (Virtual Private Network) and/or the installation of a Reverse-Proxy-Server like Apache or nginx. For the web server interfaces provided with FHEMWEB it is also highly recommended to use the attribute HTTPS to activate HTTPS enchryption on communication. For telnet (being more or less also a TCP/IP Port) please use SSL als an attribute.
Examples
Introduce authentification with user and password for common FHEMWEB entity:
define allowedWEB allowed attr allowedWEB validFor WEB,WEBphone,WEBtablet attr allowedWEB basicAuth { "$user:$password" eq "admin:secret" } attr allowedWEB allowedCommands set,get
Same for telnet:
define allowedTelnet allowed attr allowedTelnet validFor telnetPort attr allowedTelnet password secret
- ↑ For example, if all of the devices connected to you home network use addresses from the range 192.168.178.x, a device using address 192.168.178.3 has access to FHEM, whereas 192.168.179.3 would be rejected