allowed/en

Aus FHEMWiki
Version vom 15. März 2018, 10:00 Uhr von Ph1959de (Diskussion | Beiträge) (Korrektur: mit SEITENTITEL kann nur die SCHREIBWEISE des Seitennamens geändert werden)
(Unterschied) ← Nächstältere Version | Aktuelle Version (Unterschied) | Nächstjüngere Version → (Unterschied)


allowed
Zweck / Funktion
Securing the FHEM server components
Allgemein
Typ Hilfsmodul
Details
Dokumentation EN / DE
Support (Forum) Automatisierung
Modulname 96_allowed.pm
Ersteller rudolfkoenig / rudolfkoenig
Wichtig: sofern vorhanden, gilt im Zweifel immer die (englische) Beschreibung in der commandref!

allowed is a helper module to secure and restrict access to the services (FHEM web server and telnet) provided by fhem.pl.


Introduction

By default, every device connected to the same network the FHEM server is also part of [1] can connect to and control FHEM without transport-encryption or authentication. This is why FHEM shows a security warning.

To secure FHEM, defining an allowed device is one of the available options.

Most likely you want to make use of allowed to

  • allow access to FHEM from other networks and/or
  • restrict the possibility to access FHEM for members of the same network (or at least to not getting them full control over all of your devices and configurations).

Syntax

To define an allowed-device for one or more FHEMWEB or telnet instances use

    define <name> allowed <deviceList>

Additional Remarks

If you plan to make FHEM accessible from outside your local network, it is highly recommended to not just use allowed but also apply additional security measures. Possible options include the use of a VPN (Virtual Private Network) and/or the installation of a reverse proxy server, for example Apache or nginx. For the web server interfaces provided with FHEMWEB it is as well highly recommended to use the attribute HTTPS to activate transport layer encryption. For telnet (being more or less also a TCP/IP port) please use the SSL attribute.

Examples

Configure authentification with username and password for a FHEMWEB-device:

    define allowedWEB allowed
    attr allowedWEB validFor WEB,WEBphone,WEBtablet
    attr allowedWEB basicAuth { "$user:$password" eq "admin:secret" }
    attr allowedWEB allowedCommands set,get

Same for telnet:

    define allowedTelnet allowed
    attr allowedTelnet validFor telnetPort
    attr allowedTelnet password secret


  1. For example, if all of the devices connected to you home network use addresses from the range 192.168.178.x, a device using address 192.168.178.3 has access to FHEM, whereas 192.168.179.3 would be rejected