Simplistic configuration UI

I have been working on this. Here’s the PR if you want to follow: https://github.com/danielperna84/hass-configurator/pull/74

The usage would be that you have to send POST requests that look like this:

curl -d "method=add&network=127.0.0.1" -X POST http://user:password@your.configurator:3218/api/allowed_networks

curl -d "method=ban&ip=9.9.9.9" -X POST http://user:password@your.configurator:3218/api/banned_ips

If the credentials are needed or not depends on the setup. But for you I assume they are activated, so you would have to include them.

Not sure how I would execute/implement that… (learning but still a noob)

I have added another way to allow access from anywhere. With this method you set a cryptic key in the settings, and then you can access the configurator from anywhere by browsing to https://your.configurator:3218/yoursecretkey. This will whitelist the IP you are accessing the configurator from and redirect you to the actual configurator. So ideally you set a key like 24CCL7R9BG0I25FY and bookmark your regular URL + the appended key. It’s of course turned off by default, since this would allow a brute force attacker. Hence the key should be pretty complex.

I’m waiting for some of the contributors to test everything, and soon I’ll release the new version.


Nice Daniel. I’m actually using a complex user-name and password anyway… Would this new method allow you to still have the panel_iframe in the menu? Would you just replace the URL there and it would all work?

With my VPS I am using a CSF firewall and I can set a DYNDNS update time (I use 600 seconds) and it has my dynamic DNS name from duckdns and it uses /etc/csf/csf.dyndns to store the allowed dynamic DNS name in it. If my IP address changes then it will just update the new one within 10 minutes. It only uses this for ssh to the server anyway.

Maybe an add-on could handle it this way?

I’m pretty sure it will work with the panel_iframe for now. However, Chrome 64 for Android has the new security feature to block redirects within iframes. This will be added to the desktop version as well, I guess. I don’t know any details on the implementation, but with this version you’ll either be notified and asked to proceed, or it won’t work. We’ll have to wait and see.

What you’re doing with your CSF firewall is essentially what the other feature of the configurator (dynamically adding allowed IPs) could be used for. I don’t know if the way it’s done with CSF allows you to add some script that would make the curl requests to the configurator. Am I correct that the configurator is running on the same machine? You could also create a bash script that does the curl requests and let it be executed by cron or by an automation that executes shell scripts. That really depends on your setup. hassio would be a bit more restrictive. But with a full-blown Linux there are a variety of choices on how to trust IPs.


Hi Daniel - yes I’m running Hassio on a rpi3 which is quite restrictive. Configurator is running as an add-on.

I’m confused then. How is that VPS related? VPS for me is a Virtual Private Server that is hosted somewhere. So that for sure isn’t your Pi3 with hassio installed.

Sorry - I was just using my VPS as an example of how that gets around dynamic IP addresses. Sorry for confusing you.

0.2.5 has been released.

The changelog:

  • Added warning-logs for access failure
  • Added transparency to whitespace characters
  • Using external repository for Docker
  • Modify BANNED_IPS and ALLOWED_NETWORKS at runtime
  • Use relative paths in webserver (for usage behind reverse proxy)
  • Added “Sesame” feature

Although it has been mentioned here before, here is an explanation of the Sesame feature:

SESAME (string)

If set to somesecretkeynobodycanguess, you can browse to https://your.configurator:3218/somesecretkeynobodycanguess from any IP, and it will be removed from the BANNED_IPS list (in case it has been banned before) and added to the ALLOWED_NETWORKS list. Once the request has been processed you will automatically be redirected to the configurator. Think of this as dynamically allowing access from untrusted IPs by providing a secret key (open sesame!). Keep in mind that once the IP has been added, you will either have to restart the configurator or manually remove the IP through the Network status to revoke access.
This is currently compatible with the panel_iframe. So if you change your URL there to include the sesame-token, it will log you in automatically. This might break though in the future in some browsers, since redirecting in iframes usually is something sneaky ads do. It’s said that Chrome starting at version 64 will block such redirects. We’ll have to see how well this keeps working then.

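As an added illustration (not the configurator's own code), here is a small Python model of how the sesame path, banlimit and the allowed/banned lists described above interact; the class and method names are my own, and the real project's request handling is not reproduced.

```python
import hmac
import ipaddress
import logging
from collections import defaultdict

log = logging.getLogger("configurator-model")


class AccessGuard:
    """Hypothetical model of the configurator's IP gate (added example).

    allowed_networks / banned_ips / banlimit / sesame mirror the option names
    from the thread; the handling logic is a simplified re-creation.
    """

    def __init__(self, allowed_networks, banned_ips, banlimit, sesame=None):
        # Empty strings (as in the posted config) are ignored.
        self.allowed = [ipaddress.ip_network(n) for n in allowed_networks if n]
        self.banned = {ipaddress.ip_address(i) for i in banned_ips if i}
        self.banlimit = banlimit
        self.sesame = sesame
        self.failures = defaultdict(int)

    def _is_allowed(self, ip):
        # An empty allowed list means "no restriction", matching the [] advice.
        return not self.allowed or any(ip in net for net in self.allowed)

    def handle(self, client_ip, path):
        """Return (status, detail) for a request from client_ip to path."""
        ip = ipaddress.ip_address(client_ip)
        # Sesame: a secret path whitelists the caller (and unbans it) then redirects.
        if self.sesame and hmac.compare_digest(
            path.strip("/").encode(), self.sesame.encode()
        ):
            self.banned.discard(ip)
            self.allowed.append(ipaddress.ip_network(client_ip))
            self.failures.pop(client_ip, None)
            return 302, "/"
        if ip in self.banned:
            log.warning("banned IP %s tried %s", ip, path)
            return 403, "banned"
        if self._is_allowed(ip):
            return 200, "ok"
        # Not allowed: count the failure and ban once banlimit is reached.
        self.failures[client_ip] += 1
        if self.banlimit and self.failures[client_ip] >= self.banlimit:
            self.banned.add(ip)
            log.warning("banning %s after %d failures", ip, self.banlimit)
            return 403, "banned"
        return 403, "not allowed"
```

Note that, as the post says, the whitelisted IP stays in the allowed list until it is removed by hand, which is why a long random sesame value matters.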

Thanks for the continued development.

Would there be any possibility for tabbed editing in the future? I often find I’m flicking backwards and forwards between a few files when editing so having to choose and reopen them repeatedly becomes a pain.

Is this set on the configurator URL or is it something I need to set in options?

You set the sesame option in the configuration for the addon, and afterwards you can access the configurator by appending the string to the regular url like in the example I gave. The sesame option is optional, and I don’t know if the hassio-UI displays optional options. So if it’s not displayed, add it manually.

@Bobby_Nobble
There’s an issue for that, so it’s on my agenda. It however has a low priority, since you can simply open the configurator in multiple browser tabs and have the same effect without any additional work from my side. Adding direct support for multiple tabs is a bit tricky. But I’ll think about an efficient solution.


Cool, thanks Daniel.

Here’s a random one for you: any way to get the browser tab to reflect the name of the file that’s open in that tab? Have to admit I drifted away from your add-on to the IDE one for the tab functionality, but your adding of linting has brought me back again :slight_smile:

Great idea! Never thought of that. Way too obvious! :smiley: The next version will have that.


In the dev branch the name of the current file is now displayed in the (browser)tab-title. I have also added a shortcut to open the configurator (not a specific file) in a new (browser)tab in the dropdown menu on the upper right.
In case you are not on hassio (which I assume since you were talking about the IDE editor) or have a machine capable of running the configurator you can give it a try and report if that solution contributes to your workflow. :slight_smile:

Sidenote: When using the panel_iframe the title won’t be changed. That’s a technical issue because an iframe can’t change the title of its parent.

I am indeed using hassio but what you’ve done sounds spot on and the shortcut is a nice touch :+1:

Only tend to use the iframe when doing a quick check as I like having a separate instance of HA open too for reference so that’s no issue.

So do I delete the allowed networks?

{
  "username": "secret-user",
  "password": "secret-password",
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem",
  "ssl": true,
  "allowed_networks": [
    ""
  ],
  "sesame": "somesecretnoonecanguess",
  "banned_ips": [
    ""
  ],
  "banlimit": 5,
  "ignore_pattern": [
    "__pycache__"
  ],
  "dirsfirst": true
}

Is that the right syntax? I don’t think the docs show this option yet.

I get this in the logs when I try the above:
starting version 3.2.4
INFO:2018-01-31 09:47:30,770:main:Starting server
INFO:2018-01-31 09:47:30,774:main:Listening on: https://0.0.0.0:3218
INFO:2018-01-31 09:47:39,204:main:x.x.x.x - “GET /my-secret-sesame@ HTTP/1.1” 302 -

x.x.x.x is my public duckdns ip address

I saved the options and restarted the service. It doesn’t connect - empty response, page does not send any data

(I’m running 3.2.5 too - it’s showing the wrong version in the log)

Make the allowed_networks just [] without content.

The message in the log is the correct one. 302 is the status that tells the browser a redirect is happening. So in general the token seems to be accepted.

I don’t know about the version in the log. I don’t think that’s related to the configurator, since that’s a completely different version.

Maybe for testing also add some local IP to the allowed_networks for direct access (maybe from another machine) so you can have a look at the network status panel.


Oops! My mistake - yeah, I saw 2.4 and knew configurator was 2.5 - actually 0.2.5 - and made an assumption.

OK so that works perfectly. I edited the panel_iframe URL to include it as well and it works.

Nice Daniel and thanks. Feels better not exposing it to all IP addresses.