Security of z-way JSON-API

Discussions about Z-Way software and Z-Wave technology in general
janver
Posts: 3
Joined: 15 Jun 2013 01:36

Security of z-way JSON-API

Post by janver »

I can't seem to find any info about the security of the JSON-API.
Are there security features (user/password protection) implemented to the JSON-API? And how should I activate them.
PoltoS
Posts: 7579
Joined: 26 Jan 2011 19:36

No, there are no. We suggest

Post by PoltoS »

No, there are none. We suggest using solutions like nginx to do so. We expect your local environment to be safe and protected ;)
alexey.zimarev
Posts: 24
Joined: 16 Oct 2012 17:54

Re: Security of z-way JSON-API

Post by alexey.zimarev »

A sample configuration for nginx for basic auth with .htpasswd and reverse proxy can be found here http://serverfault.com/questions/511846 ... erse-proxy

I just spent 10 minutes installing it and it works like a charm. The default port needs to be locked by iptables.
Last edited by alexey.zimarev on 20 May 2014 21:46, edited 1 time in total.
pofs
Posts: 688
Joined: 25 Mar 2011 19:03

Re: Security of z-way JSON-API

Post by pofs »

It is a bit pointless now, as find.z-wave.me offers a secure proxy to access your z-way from anywhere.
alexey.zimarev
Posts: 24
Joined: 16 Oct 2012 17:54

Re: Security of z-way JSON-API

Post by alexey.zimarev »

I did it not to make a secure proxy but to protect the API from unauthorized access in a local environment, and this is what the topic starter asked about. The assumption that the local environment is "always safe and secure" is wrong. We use Vera controllers in rented apartments and have to protect it from being accessed by guests.
pfremm
Posts: 4
Joined: 11 Apr 2014 02:31

Re: Security of z-way JSON-API

Post by pfremm »

Could you just resort to firewall rules if needed, assuming you can specify an IP range for the devices that should have access to the JSON API? I just use this at my house, so internal access is not a huge deal, but for external access I set up iOS profiles for on-demand VPN access with OpenVPN.
aivs
Posts: 68
Joined: 04 Mar 2011 15:26

Re: Security of z-way JSON-API

Post by aivs »

It works for me: redirect from 80 to 8083, login and password in /opt/z-way-server/.htpasswd
/etc/nginx/nginx.conf


user http;
worker_processes  1;
error_log  /var/log/nginx/error.log;
pid        /var/run/nginx.pid;
events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    sendfile        on;
    keepalive_timeout  65;

    # Z-Way server
    server {
        listen       80;
        server_name  localhost;
        access_log  /var/log/nginx/z-way.access.log  main;
        error_log   /var/log/nginx/z-way.error.log;
        location / {
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://localhost:8083/;
            proxy_redirect off;

            # Password
            auth_basic "Restricted";
            auth_basic_user_file /opt/z-way-server/.htpasswd;

            # Don't forward auth to Z-Way
            proxy_set_header   Authorization "";
        }
    }
}
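A defender-side check on the same idea, added here as an example and not code from z-way, nginx or any poster in this thread: it parses an nginx config and reports every block that has proxy_pass but is not behind auth_basic, or that still forwards the client's Authorization header to the backend (the point of the proxy_set_header line above). SAMPLE_CONF and its /api/ location are constructed, and the parser is a minimal one written for this check, not a full nginx grammar.

```python
import re
# Added example (not z-way or nginx code): audit an nginx config for proxied
# locations that lack basic auth or forward the client's Authorization header.
_TOKEN = re.compile(r"#[^\n]*|([\"'])((?:(?!\1)[^\\]|\\.)*)\1|([{};])|([^\s{};\"'#]+)")
def parse(text):
    """Nested (name, args, children) tuples; children is None for a plain directive."""
    root = cur = []
    stack, words = [], []
    for m in _TOKEN.finditer(text):
        q, content, punct, word = m.groups()
        if punct is None:
            if q or word is not None:                # comments match neither, skipped
                words.append(content if q else word) # quoted or bare argument
        elif punct == "{":
            cur.append((words[0], words[1:], []))
            stack.append(cur)
            cur, words = cur[-1][2], []
        elif punct == "}":
            cur = stack.pop()
        elif words:                                  # ';' ends a directive
            cur.append((words[0], words[1:], None))
            words = []
    return root
def audit(text):
    """Flag blocks with proxy_pass but no effective auth_basic (it inherits downward) or no 'proxy_set_header Authorization ""'."""
    findings = []
    def walk(items, ctx, where):
        ctx, proxied, strips = dict(ctx), False, False
        for name, args, kids in items:
            if kids is None and name in ("auth_basic", "auth_basic_user_file"):
                ctx[name] = args[0] if args else ""
            elif name == "proxy_pass":
                proxied = True
            elif name == "proxy_set_header" and args[:2] == ["Authorization", ""]:
                strips = True
        if proxied and (ctx.get("auth_basic", "off") == "off" or not ctx.get("auth_basic_user_file")):
            findings.append(f"{where}: proxy_pass without auth_basic protection")
        if proxied and not strips:
            findings.append(f"{where}: client Authorization header forwarded to backend")
        for name, args, kids in items:
            if kids is not None:
                walk(kids, ctx, f"{where}/{' '.join([name] + args)}")
    walk(parse(text), {}, "")
    return findings
# Constructed sample: the vhost on 80 mirrors the protected setup above, the second is an unprotected one.
SAMPLE_CONF = """http {
  server { listen 80; location / { proxy_pass http://localhost:8083/;
    auth_basic "Restricted"; auth_basic_user_file /opt/z-way-server/.htpasswd;
    proxy_set_header Authorization ""; } }
  server { listen 8080; location /api/ { proxy_pass http://localhost:8083/; } } }"""
```

Running audit(SAMPLE_CONF) reports only the /api/ location, twice: once for the missing auth_basic and once for the Authorization header that would reach z-way.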