Hello
I'm new to the forum and started yesterday with a smart plug (same HW as Sonoff S20).
I flashed ESPeasy 2:
"ESP_Easy_mega-20190511_normal_core_241_ESP8266_1M"
Everything is okay and works fine. I've set up a password, and if I want to connect to the WebIF I have to enter user and password - fine.
But if I want to control the plug with commands "/control?......", I can control it without any password auth.
For my scenario I have to connect the plug directly to the Internet, and I think it's a bug and a little bit risky.
Also, that I can only set 1 IP or IP range is disappointing, because I would whitelist the local net and one IP address to connect from the Internet site.
At the moment the only solution is to allow all IP addresses - with working password protection it would be a little bit safer. (And yes, I know it's plain text and only HTTP, which is not encrypted.)
HTTP control without password???
- grovkillen
- Core team member
- Posts: 3621
- Joined: 19 Jan 2017, 12:56
- Location: Hudiksvall, Sweden
Re: HTTP control without password???
Best option in my opinion is to control it over MQTT. That way you only have to exploit the MQTT broker to the Internet but that one you can HTTPS + Password protect. I'm not gonna show you how to exploit the unit directly to the internet because I don't think that's a good idea at all.
ESP Easy Flasher [flash tool and wifi setup at flash time]
ESP Easy Webdumper [easy screendumping of your units]
ESP Easy Netscan [find units]
Official shop: https://firstbyte.shop/
Sponsor ESP Easy, we need you
Re: HTTP control without password???
Thanks for your feedback. The problem is that I have only this one plug.
I have a complete working smart home setup based on another system, but at the moment I have a lot of trouble with my WiFi router and I need this plug only to cut the power supply to the router to restart it remotely.
That's why I can't connect the plug to my existing smart home setup.
The plug is only connected to a backup Internet connection to restart my main router if needed.
I have a port forwarding to the plug directly, but on a higher random port - not 80 or some standard port.
Password protection for HTTP control would be nice, also HTTPS (but I understand that it is all limited by 1M flash and normally it's not needed in a home network).
P.S.: Is there a way to enable telnet to the device? Maybe I can install an SSL / SSH certificate and enable SSH by myself?
-
- Normal user
- Posts: 11
- Joined: 05 Nov 2018, 17:02
Re: HTTP control without password???
If your backup connection is only to restart the router, why not set up controlled access on the backup connection router (login, VPN etc.) to connect to the plug?
Thanks for reading,
regards,
Rob
Re: HTTP control without password???
Some routers (e.g. Fritzbox ones) allow you to set a password in HTTP port forwards.
If you know Apache, then it is just like a proxypath (and reverse) including a .htaccess with a password setup.
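The idea from the posts above (a password-checking proxy in front of the plug's unauthenticated "/control?" endpoint, with more than one allowed source range), as an added example that is not part of the thread or of ESP Easy's code. It assumes a separate always-on host on the backup connection; the addresses, port and credentials are constructed placeholders.

```python
import base64, hmac, ipaddress, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# All values below are placeholders constructed for this example.
PLUG_URL = "http://192.168.1.50"   # hypothetical LAN address of the plug
ALLOWED_NETS = [ipaddress.ip_network(n)
                for n in ("192.168.1.0/24", "203.0.113.7/32")]  # LAN + one remote IP
USER, PASSWORD = "admin", "change-me"

def authorize(client_ip, auth_header, path):
    """Return the status the gate answers with; 200 means 'forward to the plug'."""
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in net for net in ALLOWED_NETS):
        return 403                               # source not on the allow-list
    if not path.startswith("/control?"):
        return 404                               # only the command endpoint is exposed
    expected = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()
    # Constant-time comparison so the check does not leak how much matched.
    if not hmac.compare_digest((auth_header or "").encode(), expected.encode()):
        return 401
    return 200

class Gate(BaseHTTPRequestHandler):
    def do_GET(self):
        status = authorize(self.client_address[0],
                           self.headers.get("Authorization"), self.path)
        body = b""
        if status == 200:
            try:
                with urllib.request.urlopen(PLUG_URL + self.path, timeout=5) as r:
                    body = r.read()
            except OSError:                      # plug unreachable or returned an error
                status = 502
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="plug"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), Gate).serve_forever()
```

The port forward then points at this gate instead of at the plug. Basic credentials still travel unencrypted over plain HTTP, so TLS termination or a VPN in front of the gate is what closes that gap.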
Re: HTTP control without password???
@Ath:
The same message, only with different URL, has been posted several times the last few days.
So I deleted the bot-generated message and IP-banned it.
But IP-ban is probably not going to work on bots, but it's all we've got.