How do I protect /history with ngnix?

Configuration
, , ,
1

Hello,

I thought I could protect some panels by adding restrictions on related URIs (/history, /logbook, …) but it seems to not work because when you click (eg) “History” in the frontend the page is not refreshed. (the page will be denied if I manually refresh the page).

Is my idea a dead end ?

server conf:

	location ^~ /history {
		deny all;
	}


	location / {
		proxy_pass                                  http://127.0.0.1:8123/;
            proxy_set_header  Host                      $host;
	}

	location /api/websocket {
            proxy_pass                                  http://127.0.0.1:8123/api/websocket;
            proxy_set_header  Host                      $host;
            proxy_http_version                          1.1;
            proxy_set_header  Upgrade                   $http_upgrade;
            proxy_set_header  Connection                "upgrade";

       }

Cheers,
Mick.

1 Like
2

Not sure if it’s a dead end but I like the idea. I plan to follow this topic. I hope you will update us if you find an answer.

3

Is the objective to remove (eg) History and/or Logbook from the dashboard, for the use case of, say, a kiosk control panel on the wall in the living room?

Elaborate on why you want to do this would be great.

4

You should always test your setup with an inprivate/private/incognito browser.

If the page is not refreshed, then it means it is cached because you have visited it before.
The one you block access for would probably never have been on the page before, so you need to see it as they do.

1 Like
5

Hi, yes this is the use case but since I failed to remove the entries from the frontend I am trying to put in place some ACL (which would more secure anyway)

6

Hi !
Yes tested in incognito mode, cache cleared with developer mode on shows not network activity on /history /logbook …

7

image
image3136×2120 440 KB

8

If that’s the case,
https://www.home-assistant.io/blog/2020/09/17/release-115/#customize-the-sidebar

I believe this is per browser and/or per user (you probably could create a kiosk-only user anyways).
Not 100% block since people could still manually type in (e.g.) /history in the address bar if they absolutely wants to, but could be helpful.

9

Yes I am aware of this use case but I find it to weak for a protection.

10

Hello,

I maybe made it by filtering request referrer; I need to test in depth but first results are very positives.

ngn-inx conf:

if ($http_referer ~* (/history|/logbook|/map|/energy|/media) ) {
    return 444;
}

Cheers!
MiCk.

1 Like
11

That sounds like a good solution to keep trusted people in the correct areas. Just remember referrer spoofing is possible and it was even simple the last time I used it.