Allowed/en: Unterschied zwischen den Versionen

Aus FHEMWiki
K (Seitentitel)
K (Korrektur: mit SEITENTITEL kann nur die SCHREIBWEISE des Seitennamens geändert werden)
 
(4 dazwischenliegende Versionen von 4 Benutzern werden nicht angezeigt)
Zeile 1: Zeile 1:
{{SEITENTITEL:allowed (engl.version)}}  <!-- da richtige Schreibweise kleinen Anfangsbuchstaben hat -->
{{SEITENTITEL:allowed/en}}  <!-- da richtige Schreibweise kleinen Anfangsbuchstaben hat -->
{{Infobox Modul
{{Infobox Modul
|ModPurpose=Securing the FHEM server components
|ModPurpose=Securing the FHEM server components
Zeile 8: Zeile 8:
|ModOwner=rudolfkoenig / [http://forum.fhem.de/index.php?action=profile;u=8 rudolfkoenig]
|ModOwner=rudolfkoenig / [http://forum.fhem.de/index.php?action=profile;u=8 rudolfkoenig]
}}
}}
[[allowed/en|allowed]] is a helper module to secure and restrict access to the services (FHEM web server and telnet) provided by fhem.pl.


[[allowed]] is a Helper module to secure and restrict access to the server services (FHEM web server and telnet) provided by fhem.pl.


==Introduction==
==Introduction==
By default every device connected to the same network<ref>For example, if all of the devices connected to you home network use addresses from the range 192.168.178.x, a device using address 192.168.178.3 has access to FHEM, whereas 192.168.'''179'''.3 would be rejected</ref> the FHEM server is part of could connect and steer FHEM without encryption or need for user or password data. FHEM will therefore present a security warning.
By default, every device connected to the same network the FHEM server is also part of <ref>For example, if all of the devices connected to you home network use addresses from the range 192.168.178.x, a device using address 192.168.178.3 has access to FHEM, whereas 192.168.'''179'''.3 would be rejected</ref> can connect to and control FHEM without transport-encryption or authentication. This is why FHEM shows a security warning.
Defining an allowed device is one of the available options to set.
 
To secure FHEM, defining an '''allowed''' device is one of the available options.


Most likely you want to make use of '''allowed''' to
Most likely you want to make use of '''allowed''' to
* allow access to FHEM coming out of other networks and/or
* allow access to FHEM from other networks and/or
* restrict the possibility to access FHEM (or at least get not full control over all of your devices and configuration) for members of the same network.
* restrict the possibility to access FHEM for members of the same network (or at least to not getting them full control over all of your devices and configurations).


== Syntax ==
== Syntax ==
To define an allowed device for one or more FHEMWEB or telnet-Interfaces use
To define an '''allowed'''-device for one or more [[FHEMWEB]] or telnet instances use


     define <name> allowed <deviceList>
     define <name> allowed <deviceList>


==Additional Remarks==
==Additional Remarks==
If you plan to make FHEM accessible not only from a local net, it is highly recommended to not just use '''allowed''' but to apply also additional security measures. Possible options could be the use of VPN technologies (Virtual Private Network) and/or the installation of a Reverse-Proxy-Server like [[Apache_Authentication_Proxy|Apache]] or [[HTTPS-Absicherung_%26_Authentifizierung_via_nginx_Webserver|nginx]].
If you plan to make FHEM accessible from outside your local network, it is highly recommended to not just use '''allowed''' but also apply additional security measures. Possible options include the use of a VPN (Virtual Private Network) and/or the installation of a reverse proxy server, for example [[Apache_Authentication_Proxy|Apache]] or [[HTTPS-Absicherung_%26_Authentifizierung_via_nginx_Webserver|nginx]].
For the web server interfaces provided with FHEMWEB it is also highly recommended to use the attribute {{Link2CmdRef|Anker=HTTPS|Lang=en|Label=HTTPS}} to activate HTTPS enchryption on communication. For telnet (being more or less also a TCP/IP Port) please use {{Link2CmdRef|Anker=SSL|Lang=en|Label=SSL}} als an attribute.  
For the web server interfaces provided with FHEMWEB it is as well highly recommended to use the attribute {{Link2CmdRef|Anker=HTTPS|Lang=en|Label=HTTPS}} to activate transport layer encryption. For telnet (being more or less also a TCP/IP port) please use the {{Link2CmdRef|Anker=SSL|Lang=en|Label=SSL}} attribute.  


<!--
<!--
Zeile 32: Zeile 33:
-->
-->
== Examples ==
== Examples ==
Introduce authentification with user and password for common FHEMWEB entity:
Configure authentification with username and password for a FHEMWEB-device:
     define allowedWEB allowed
     define allowedWEB allowed
     attr allowedWEB validFor WEB,WEBphone,WEBtablet
     attr allowedWEB validFor WEB,WEBphone,WEBtablet
     attr allowedWEB basicAuth { "$user:$password" eq "admin:secret" }
     attr allowedWEB basicAuth { "$user:$password" eq "admin:secret" }
     attr allowedWEB allowedCommands set,get
     attr allowedWEB allowedCommands set,get
Same for telnet:
Same for telnet:
     define allowedTelnet allowed
     define allowedTelnet allowed

Aktuelle Version vom 15. März 2018, 09:00 Uhr


allowed
Zweck / Funktion
Securing the FHEM server components
Allgemein
Typ Hilfsmodul
Details
Dokumentation EN / DE
Support (Forum) Automatisierung
Modulname 96_allowed.pm
Ersteller rudolfkoenig / rudolfkoenig
Wichtig: sofern vorhanden, gilt im Zweifel immer die (englische) Beschreibung in der commandref!

allowed is a helper module to secure and restrict access to the services (FHEM web server and telnet) provided by fhem.pl.


Introduction

By default, every device connected to the same network the FHEM server is also part of [1] can connect to and control FHEM without transport-encryption or authentication. This is why FHEM shows a security warning.

To secure FHEM, defining an allowed device is one of the available options.

Most likely you want to make use of allowed to

  • allow access to FHEM from other networks and/or
  • restrict the possibility to access FHEM for members of the same network (or at least to not getting them full control over all of your devices and configurations).

Syntax

To define an allowed-device for one or more FHEMWEB or telnet instances use

    define <name> allowed <deviceList>

Additional Remarks

If you plan to make FHEM accessible from outside your local network, it is highly recommended to not just use allowed but also apply additional security measures. Possible options include the use of a VPN (Virtual Private Network) and/or the installation of a reverse proxy server, for example Apache or nginx. For the web server interfaces provided with FHEMWEB it is as well highly recommended to use the attribute HTTPS to activate transport layer encryption. For telnet (being more or less also a TCP/IP port) please use the SSL attribute.

Examples

Configure authentification with username and password for a FHEMWEB-device:

    define allowedWEB allowed
    attr allowedWEB validFor WEB,WEBphone,WEBtablet
    attr allowedWEB basicAuth { "$user:$password" eq "admin:secret" }
    attr allowedWEB allowedCommands set,get

Same for telnet:

    define allowedTelnet allowed
    attr allowedTelnet validFor telnetPort
    attr allowedTelnet password secret


  1. For example, if all of the devices connected to you home network use addresses from the range 192.168.178.x, a device using address 192.168.178.3 has access to FHEM, whereas 192.168.179.3 would be rejected