Allowed/en: Unterschied zwischen den Versionen

Aus FHEMWiki
K (der Apostroph musste weg)
K (Korrektur: mit SEITENTITEL kann nur die SCHREIBWEISE des Seitennamens geändert werden)
 
(Eine dazwischenliegende Version von einem anderen Benutzer wird nicht angezeigt)
Zeile 1: Zeile 1:
{{SEITENTITEL:allowed}}  <!-- da richtige Schreibweise kleinen Anfangsbuchstaben hat -->
{{SEITENTITEL:allowed/en}}  <!-- da richtige Schreibweise kleinen Anfangsbuchstaben hat -->
{{Infobox Modul
{{Infobox Modul
|ModPurpose=Securing the FHEM server components
|ModPurpose=Securing the FHEM server components
Zeile 8: Zeile 8:
|ModOwner=rudolfkoenig / [http://forum.fhem.de/index.php?action=profile;u=8 rudolfkoenig]
|ModOwner=rudolfkoenig / [http://forum.fhem.de/index.php?action=profile;u=8 rudolfkoenig]
}}
}}
[[allowed]] is a Helper module to secure and restrict access to the server services (FHEM web server and telnet) provided by fhem.pl.
[[allowed/en|allowed]] is a helper module to secure and restrict access to the services (FHEM web server and telnet) provided by fhem.pl.




==Introduction==
==Introduction==
By default, every device connected to the same network the FHEM server is part of <ref>For example, if all of the devices connected to you home network use addresses from the range 192.168.178.x, a device using address 192.168.178.3 has access to FHEM, whereas 192.168.'''179'''.3 would be rejected</ref> can connect to and control FHEM without transport-encryption or authentication. This is why FHEM shows a security warning.
By default, every device connected to the same network the FHEM server is also part of <ref>For example, if all of the devices connected to you home network use addresses from the range 192.168.178.x, a device using address 192.168.178.3 has access to FHEM, whereas 192.168.'''179'''.3 would be rejected</ref> can connect to and control FHEM without transport-encryption or authentication. This is why FHEM shows a security warning.


To secure FHEM, defining an ''allowed''-device is one of the available options.
To secure FHEM, defining an '''allowed''' device is one of the available options.


Most likely you want to make use of '''allowed''' to
Most likely you want to make use of '''allowed''' to
Zeile 21: Zeile 21:


== Syntax ==
== Syntax ==
To define an ''allowed''-device for one or more [[FHEMWEB]]- or telnet-instances use
To define an '''allowed'''-device for one or more [[FHEMWEB]] or telnet instances use


     define <name> allowed <deviceList>
     define <name> allowed <deviceList>


==Additional Remarks==
==Additional Remarks==
If you plan to make FHEM accessible from outside your local network, it is highly recommended to not just use '''allowed''' but to also apply additional security measures. Possible options could be the use of VPN technologies (Virtual Private Network) and/or the installation of a reverse-proxy-server like [[Apache_Authentication_Proxy|Apache]] or [[HTTPS-Absicherung_%26_Authentifizierung_via_nginx_Webserver|nginx]].
If you plan to make FHEM accessible from outside your local network, it is highly recommended to not just use '''allowed''' but also apply additional security measures. Possible options include the use of a VPN (Virtual Private Network) and/or the installation of a reverse proxy server, for example [[Apache_Authentication_Proxy|Apache]] or [[HTTPS-Absicherung_%26_Authentifizierung_via_nginx_Webserver|nginx]].
For the web server interfaces provided with FHEMWEB it is as well highly recommended to use the attribute {{Link2CmdRef|Anker=HTTPS|Lang=en|Label=HTTPS}} to activate HTTPS encryption. For telnet (being more or less also a TCP/IP port) please use the {{Link2CmdRef|Anker=SSL|Lang=en|Label=SSL}}-attribute.  
For the web server interfaces provided with FHEMWEB it is as well highly recommended to use the attribute {{Link2CmdRef|Anker=HTTPS|Lang=en|Label=HTTPS}} to activate transport layer encryption. For telnet (being more or less also a TCP/IP port) please use the {{Link2CmdRef|Anker=SSL|Lang=en|Label=SSL}} attribute.  


<!--
<!--

Aktuelle Version vom 15. März 2018, 09:00 Uhr


allowed
Zweck / Funktion
Securing the FHEM server components
Allgemein
Typ Hilfsmodul
Details
Dokumentation EN / DE
Support (Forum) Automatisierung
Modulname 96_allowed.pm
Ersteller rudolfkoenig / rudolfkoenig
Wichtig: sofern vorhanden, gilt im Zweifel immer die (englische) Beschreibung in der commandref!

allowed is a helper module to secure and restrict access to the services (FHEM web server and telnet) provided by fhem.pl.


Introduction

By default, every device connected to the same network the FHEM server is also part of [1] can connect to and control FHEM without transport-encryption or authentication. This is why FHEM shows a security warning.

To secure FHEM, defining an allowed device is one of the available options.

Most likely you want to make use of allowed to

  • allow access to FHEM from other networks and/or
  • restrict the possibility to access FHEM for members of the same network (or at least to not getting them full control over all of your devices and configurations).

Syntax

To define an allowed-device for one or more FHEMWEB or telnet instances use

    define <name> allowed <deviceList>

Additional Remarks

If you plan to make FHEM accessible from outside your local network, it is highly recommended to not just use allowed but also apply additional security measures. Possible options include the use of a VPN (Virtual Private Network) and/or the installation of a reverse proxy server, for example Apache or nginx. For the web server interfaces provided with FHEMWEB it is as well highly recommended to use the attribute HTTPS to activate transport layer encryption. For telnet (being more or less also a TCP/IP port) please use the SSL attribute.

Examples

Configure authentification with username and password for a FHEMWEB-device:

    define allowedWEB allowed
    attr allowedWEB validFor WEB,WEBphone,WEBtablet
    attr allowedWEB basicAuth { "$user:$password" eq "admin:secret" }
    attr allowedWEB allowedCommands set,get

Same for telnet:

    define allowedTelnet allowed
    attr allowedTelnet validFor telnetPort
    attr allowedTelnet password secret


  1. For example, if all of the devices connected to you home network use addresses from the range 192.168.178.x, a device using address 192.168.178.3 has access to FHEM, whereas 192.168.179.3 would be rejected