Allowed/en: Unterschied zwischen den Versionen
KKeine Bearbeitungszusammenfassung |
Drhirn (Diskussion | Beiträge) KKeine Bearbeitungszusammenfassung |
||
| Zeile 8: | Zeile 8: | ||
|ModOwner=rudolfkoenig / [http://forum.fhem.de/index.php?action=profile;u=8 rudolfkoenig] | |ModOwner=rudolfkoenig / [http://forum.fhem.de/index.php?action=profile;u=8 rudolfkoenig] | ||
}} | }} | ||
[[allowed]] is a Helper module to secure and restrict access to the server services (FHEM web server and telnet) provided by fhem.pl. | |||
==Introduction== | ==Introduction== | ||
By default every device connected to the same network<ref>For example, if all of the devices connected to you home network use addresses from the range 192.168.178.x, a device using address 192.168.178.3 has access to FHEM, whereas 192.168.'''179'''.3 would be rejected</ref> | By default, every device connected to the same network the FHEM server is part of <ref>For example, if all of the devices connected to you home network use addresses from the range 192.168.178.x, a device using address 192.168.178.3 has access to FHEM, whereas 192.168.'''179'''.3 would be rejected</ref> can connect to and control FHEM without transport-encryption or authentication. This is why FHEM show's a security warning. | ||
To secure FHEM, defining an ''allowed''-device is one of the available options. | |||
Most likely you want to make use of '''allowed''' to | Most likely you want to make use of '''allowed''' to | ||
* allow access to FHEM | * allow access to FHEM from other networks and/or | ||
* restrict the possibility to access FHEM (or at least | * restrict the possibility to access FHEM for members of the same network (or at least to not getting them full control over all of your devices and configurations). | ||
== Syntax == | == Syntax == | ||
To define an allowed device for one or more FHEMWEB or telnet- | To define an ''allowed''-device for one or more [[FHEMWEB]]- or telnet-instances use | ||
define <name> allowed <deviceList> | define <name> allowed <deviceList> | ||
==Additional Remarks== | ==Additional Remarks== | ||
If you plan to make FHEM accessible | If you plan to make FHEM accessible from outside your local network, it is highly recommended to not just use '''allowed''' but to also apply additional security measures. Possible options could be the use of VPN technologies (Virtual Private Network) and/or the installation of a reverse-proxy-server like [[Apache_Authentication_Proxy|Apache]] or [[HTTPS-Absicherung_%26_Authentifizierung_via_nginx_Webserver|nginx]]. | ||
For the web server interfaces provided with FHEMWEB it is | For the web server interfaces provided with FHEMWEB it is as well highly recommended to use the attribute {{Link2CmdRef|Anker=HTTPS|Lang=en|Label=HTTPS}} to activate HTTPS encryption. For telnet (being more or less also a TCP/IP port) please use the {{Link2CmdRef|Anker=SSL|Lang=en|Label=SSL}}-attribute. | ||
<!-- | <!-- | ||
| Zeile 32: | Zeile 33: | ||
--> | --> | ||
== Examples == | == Examples == | ||
Configure authentification with username and password for a FHEMWEB-device: | |||
define allowedWEB allowed | define allowedWEB allowed | ||
attr allowedWEB validFor WEB,WEBphone,WEBtablet | attr allowedWEB validFor WEB,WEBphone,WEBtablet | ||
attr allowedWEB basicAuth { "$user:$password" eq "admin:secret" } | attr allowedWEB basicAuth { "$user:$password" eq "admin:secret" } | ||
attr allowedWEB allowedCommands set,get | attr allowedWEB allowedCommands set,get | ||
Same for telnet: | Same for telnet: | ||
define allowedTelnet allowed | define allowedTelnet allowed | ||
Version vom 14. März 2018, 14:03 Uhr
| allowed | |
|---|---|
| Zweck / Funktion | |
| Securing the FHEM server components | |
| Allgemein | |
| Typ | Hilfsmodul |
| Details | |
| Dokumentation | EN / DE |
| Support (Forum) | Automatisierung |
| Modulname | 96_allowed.pm |
| Ersteller | rudolfkoenig / rudolfkoenig |
| Wichtig: sofern vorhanden, gilt im Zweifel immer die (englische) Beschreibung in der commandref! | |
allowed is a Helper module to secure and restrict access to the server services (FHEM web server and telnet) provided by fhem.pl.
Introduction
By default, every device connected to the same network the FHEM server is part of [1] can connect to and control FHEM without transport-encryption or authentication. This is why FHEM show's a security warning.
To secure FHEM, defining an allowed-device is one of the available options.
Most likely you want to make use of allowed to
- allow access to FHEM from other networks and/or
- restrict the possibility to access FHEM for members of the same network (or at least to not getting them full control over all of your devices and configurations).
Syntax
To define an allowed-device for one or more FHEMWEB- or telnet-instances use
define <name> allowed <deviceList>
Additional Remarks
If you plan to make FHEM accessible from outside your local network, it is highly recommended to not just use allowed but to also apply additional security measures. Possible options could be the use of VPN technologies (Virtual Private Network) and/or the installation of a reverse-proxy-server like Apache or nginx. For the web server interfaces provided with FHEMWEB it is as well highly recommended to use the attribute HTTPS to activate HTTPS encryption. For telnet (being more or less also a TCP/IP port) please use the SSL-attribute.
Examples
Configure authentification with username and password for a FHEMWEB-device:
define allowedWEB allowed
attr allowedWEB validFor WEB,WEBphone,WEBtablet
attr allowedWEB basicAuth { "$user:$password" eq "admin:secret" }
attr allowedWEB allowedCommands set,get
Same for telnet:
define allowedTelnet allowed
attr allowedTelnet validFor telnetPort
attr allowedTelnet password secret
- ↑ For example, if all of the devices connected to you home network use addresses from the range 192.168.178.x, a device using address 192.168.178.3 has access to FHEM, whereas 192.168.179.3 would be rejected