Is it possible to disable the new loginscreen

You can understand that whoever updates to this latest release-202312 automatically has all their users exposed on their LAN, and since you can assume that most (if not all) people use a proxy, they automatically get all their users exposed to the outside world.

It seems that something might have been done about this here yesterday: Add option for exposing users on local networks by edenhaus · Pull Request #105545 · home-assistant/core · GitHub
But then again they made this option default to TRUE (which, from a security standpoint, should logically default to FALSE). Ridiculous.

5 Likes

Wait, this is good news. Ok, they will add an option to disable the public user list.

1 Like

So in your view almost everyone is using a reverse proxy, and the majority of those have it configured in a way that does not pass the origin IP through to Home Assistant correctly, likely ignoring the inclusion of the X-Forwarded-For header and possibly other headers. They connect from outside their network, and they appear to HA to be connecting from a device inside their network.

Ignoring the local login page, how could that best be addressed?

Maybe a repair could be added?
HA could detect suspicious patterns in X-Real-IP and inform the user with a repair.

Typical patterns would be:

  • always the same X-Real-IP
  • always one from a local network

Most users have never heard of a reverse proxy or the X-Forwarded-For header and possibly other headers. They surf the WWW and repeat what is shown. As for me, I'm not a super-duper IT specialist, so I found several ways to expose my HA to the WWW. The most suitable for me is an SSH tunnel between HA and a VPS (I suppose it works as a reverse proxy). The Nginx on the VPS forwards requests on the VPS to the necessary port on HA. And when I log in from outside my home network, my HA detects it as a local login. So the default security settings for most users must be the highest security!

2 Likes
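The two posts above describe the same failure from both sides: a proxy (or the HA end of an SSH tunnel) that does not forward the client address, so every login looks like it comes from one LAN device, and a hypothetical "repair" that would notice that pattern. The following is an added example, not Home Assistant's own code. It models the usual reverse-proxy rule (honour X-Forwarded-For only when the TCP peer is a trusted proxy, which is what HA's `use_x_forwarded_for` and `trusted_proxies` options express) and then runs the heuristic suggested earlier in the thread over constructed sample traffic. The trusted proxy address, the sample requests and the `audit_login_sources` heuristic are all assumptions for illustration.

```python
import ipaddress
from collections import Counter

# Assumed for this example: the reverse proxy (or the HA end of an SSH tunnel)
# sits at this LAN address. Same idea as a `trusted_proxies` entry, but this
# is illustrative code, not Home Assistant's implementation.
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.1.10/32")]


def effective_client_ip(peer_ip, headers, use_x_forwarded_for=True):
    """Return the address that would be treated as the client.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy;
    otherwise the peer address itself is used. That is what stops an
    untrusted client from spoofing its origin by sending the header itself.
    """
    peer = ipaddress.ip_address(peer_ip)
    xff = headers.get("X-Forwarded-For")
    if use_x_forwarded_for and xff and any(peer in net for net in TRUSTED_PROXIES):
        # Leftmost entry is the original client; each proxy appends the
        # address it received the request from.
        return ipaddress.ip_address(xff.split(",")[0].strip())
    return peer


def is_local(ip):
    """Private, loopback and link-local ranges count as 'local network'.

    Note: Python's ipaddress also treats the RFC 5737 documentation ranges
    (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) as private, so the sample
    traffic below deliberately avoids them.
    """
    return ip.is_private or ip.is_loopback or ip.is_link_local


def audit_login_sources(client_ips, min_logins=5):
    """Hypothetical 'repair' heuristic over the addresses of recent logins.

    Returns a list of warning strings (empty means nothing suspicious) for
    the two patterns raised in the thread: every login from one address,
    and every login from a local network.
    """
    addrs = [ipaddress.ip_address(ip) for ip in client_ips]
    warnings = []
    if len(addrs) < min_logins:
        return warnings  # too little history to judge
    ip, n = Counter(addrs).most_common(1)[0]
    if n == len(addrs):
        warnings.append(f"all {n} logins came from the same address {ip}")
    if all(is_local(a) for a in addrs):
        warnings.append("every login appears to come from a local network; "
                        "a proxy may be hiding the real client address")
    return warnings


# Constructed sample traffic (not real logs): five logins arriving via the proxy.
# Misconfigured proxy: no X-Forwarded-For, so HA only ever sees the proxy itself.
MISCONFIGURED = [("192.168.1.10", {}) for _ in range(5)]
# Correctly configured proxy: the public client addresses are forwarded.
CORRECT = [
    ("192.168.1.10", {"X-Forwarded-For": "81.2.69.142"}),
    ("192.168.1.10", {"X-Forwarded-For": "81.2.69.142"}),
    ("192.168.1.10", {"X-Forwarded-For": "93.184.216.34"}),
    ("192.168.1.10", {"X-Forwarded-For": "93.184.216.34, 10.0.0.2"}),
    ("192.168.1.10", {"X-Forwarded-For": "151.101.1.69"}),
]


def audit_requests(requests):
    """Resolve each request's client address, then audit the resulting list."""
    return audit_login_sources(
        [str(effective_client_ip(peer, hdrs)) for peer, hdrs in requests]
    )


if __name__ == "__main__":
    print("misconfigured:", audit_requests(MISCONFIGURED))
    print("correct:", audit_requests(CORRECT))
```

With the misconfigured proxy both warnings fire, because every login resolves to 192.168.1.10; with the header forwarded, the same five logins resolve to three public addresses and nothing is flagged. The third case worth checking is a LAN device at 192.168.1.50 that sends its own X-Forwarded-For: since it is not a trusted proxy, the header is ignored and its real peer address is used.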

I think you underestimate most users. Yes, there are users who only use Home Assistant on a private network, and of course a lot of users use Home Assistant Cloud.

Then there are the tech-savvy users. They read the changelog, can identify the problem and (if possible) implement a fix.

Everyone in between is a user who copies and pastes every possible solution from Stack Overflow until it works for them. I think this is the vast majority.

2 Likes

The feature has been disabled:

3 Likes