allowed/en: Difference between revisions
Current revision as of 15 March 2018, 09:00

| allowed | |
|---|---|
| Purpose / function | Securing the FHEM server components |
| General | |
| Type | Helper module |
| Details | |
| Documentation | EN / DE |
| Support (forum) | Automatisierung |
| Module name | 96_allowed.pm |
| Author | rudolfkoenig / rudolfkoenig |

Important: where available, in case of doubt the (English) description in the commandref always applies!
allowed is a helper module to secure and restrict access to the services (FHEM web server and telnet) provided by fhem.pl.
Introduction
By default, every device connected to the same network as the FHEM server [1] can connect to and control FHEM without transport encryption or authentication. This is why FHEM shows a security warning.
To secure FHEM, defining an allowed device is one of the available options.
Most likely you want to make use of allowed to
- allow access to FHEM from other networks and/or
- restrict access to FHEM for members of the same network (or at least prevent them from getting full control over all of your devices and your configuration).
Syntax
To define an allowed device for one or more FHEMWEB or telnet instances, use
define <name> allowed <deviceList>
Additional Remarks
If you plan to make FHEM accessible from outside your local network, it is highly recommended not to rely on allowed alone but to apply additional security measures. Possible options include a VPN (Virtual Private Network) and/or a reverse proxy in front of FHEM, for example Apache or nginx. For the web server interfaces provided by FHEMWEB it is also highly recommended to set the HTTPS attribute to activate transport layer encryption; without it, the username and password checked by basicAuth travel over the network in clear, since HTTP Basic authentication only base64-encodes them. For telnet (which is likewise a plain TCP/IP port) use the SSL attribute.
Examples
Configure authentication with username and password for a FHEMWEB device:

  define allowedWEB allowed
  attr allowedWEB validFor WEB,WEBphone,WEBtablet
  attr allowedWEB basicAuth { "$user:$password" eq "admin:secret" }
  attr allowedWEB allowedCommands set,get

Same for telnet:

  define allowedTelnet allowed
  attr allowedTelnet validFor telnetPort
  attr allowedTelnet password secret

admin:secret and secret are placeholders; choose your own. Note that the attribute values, and therefore the credentials, are stored readably in fhem.cfg, so protect that file and do not reuse the password elsewhere. Without allowedCommands (or allowedDevices) an authenticated user still gets full control over the installation.
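As an added check, not part of the original article or of the FHEM project's own code: a Python script that reads a fhem.cfg and reports, for every FHEMWEB and telnet instance, which of the measures described above are missing. It relies only on what the page and the commandref state: validFor is a comma-separated list of frontend names, basicAuth is either base64 of user:password or a Perl expression in braces, telnet is protected with password/globalpassword, and encryption is switched on with HTTPS 1 on FHEMWEB and SSL 1 on telnet. The sample configuration is constructed for this example; the assumption that an allowed device without validFor protects nothing, and the wording of the findings, are the script's own. Decoding the base64 form also shows why that form does not hide the credentials.

```python
"""Audit a fhem.cfg for the FHEMWEB/telnet access controls described above."""
import base64
import binascii
import re

# Constructed sample fhem.cfg, not taken from a real installation. WEB is set up
# the way the page recommends, WEBphone has an allowed device but neither HTTPS
# nor a command restriction, and telnetPort has no allowed device at all.
SAMPLE_CFG = """\
define WEB FHEMWEB 8083 global
attr WEB HTTPS 1
define WEBphone FHEMWEB 8084 global
define telnetPort telnet 7072 global
define allowedWEB allowed
attr allowedWEB validFor WEB
attr allowedWEB basicAuth { "$user:$password" eq "admin:secret" }
attr allowedWEB allowedCommands set,get
define allowedPhone allowed
attr allowedPhone validFor WEBphone
attr allowedPhone basicAuth YWRtaW46c2VjcmV0
"""

FRONTENDS = ("FHEMWEB", "telnet")


def parse_cfg(text):
    """Return (types, attrs): device -> TYPE and device -> {attribute: value}."""
    types, attrs = {}, {}
    for line in text.splitlines():
        m = re.match(r"\s*define\s+(\S+)\s+(\S+)", line)
        if m:
            types[m.group(1)] = m.group(2)
            attrs.setdefault(m.group(1), {})
            continue
        m = re.match(r"\s*attr\s+(\S+)\s+(\S+)\s*(.*?)\s*$", line)
        if m:
            attrs.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return types, attrs


def decoded_basic_auth(value):
    """basicAuth is base64("user:password") or a Perl expression in braces.

    Returns the cleartext for the base64 form (base64 is encoding, not
    encryption) and None for the expression form or anything undecodable."""
    if value.startswith("{"):
        return None
    try:
        return base64.b64decode(value, validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return None


def audit(text):
    """Map each FHEMWEB/telnet device to a list of findings; [] means nothing to report."""
    types, attrs = parse_cfg(text)
    # Assumption: an allowed device protects exactly the instances named in
    # its validFor attribute; one without validFor protects nothing.
    guards = {}
    for name, typ in types.items():
        if typ == "allowed":
            for fe in attrs[name].get("validFor", "").split(","):
                if fe.strip():
                    guards.setdefault(fe.strip(), []).append(name)
    findings = {}
    for name, typ in types.items():
        if typ not in FRONTENDS:
            continue
        out, a = [], attrs[name]
        ga = [attrs[g] for g in guards.get(name, [])]
        if typ == "FHEMWEB":
            if a.get("HTTPS") != "1":
                out.append("no HTTPS: traffic and basicAuth credentials are sent in clear")
            if not any("basicAuth" in g for g in ga):
                out.append("no basicAuth: anyone who can reach the port is in")
            for plain in filter(None, (decoded_basic_auth(g.get("basicAuth", "")) for g in ga)):
                out.append("basicAuth is only base64, readable in fhem.cfg as " + plain)
        else:
            if a.get("SSL") != "1":
                out.append("no SSL: telnet traffic and password are sent in clear")
            if not any("password" in g or "globalpassword" in g for g in ga):
                out.append("no password: anyone who can reach the port is in")
        if not ga:
            out.append("no allowed device names this instance in validFor")
        elif not any("allowedCommands" in g or "allowedDevices" in g for g in ga):
            out.append("no allowedCommands/allowedDevices: logged-in users get full control")
        findings[name] = out
    return findings


if __name__ == "__main__":
    for dev, issues in audit(SAMPLE_CFG).items():
        print(dev, "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)
```

Run it against your own fhem.cfg by replacing SAMPLE_CFG with the file's contents; an instance with an empty list is covered by every measure the page names, everything else is listed with the reason. Installations using configDB instead of fhem.cfg can feed the output of `list` for the relevant devices after adapting the two regular expressions.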
- ↑ For example, if all of the devices connected to your home network use addresses from the range 192.168.178.x, a device using address 192.168.178.3 has access to FHEM, whereas 192.168.179.3 would be rejected