I can't seem to find any info about the security of the JSON-API.
Are there security features (user/password protection) implemented in the JSON-API? And how should I activate them?
Security of z-way JSON-API
No, there are none. We suggest using solutions like nginx to do so. We expect your local environment to be safe and protected.
- alexey.zimarev
- Posts: 24
- Joined: 16 Oct 2012 17:54
Re: Security of z-way JSON-API
A sample configuration for nginx for basic auth with .htpasswd and reverse proxy can be found here http://serverfault.com/questions/511846 ... erse-proxy
I just spent 10 minutes to install it and it works like a charm. The default port needs to be locked by iptables.
Last edited by alexey.zimarev on 20 May 2014 21:46, edited 1 time in total.
Re: Security of z-way JSON-API
It is a bit pointless now, as find.z-wave.me offers a secure proxy to access your z-way from anywhere.
- alexey.zimarev
- Posts: 24
- Joined: 16 Oct 2012 17:54
Re: Security of z-way JSON-API
I did it not to make a secure proxy but to protect the API from unauthorized access in a local environment, and this is what the topic starter asked about. The assumption that the local environment is "always safe and secure" is wrong. We use Vera controllers in rented apartments and have to protect it from being accessed by guests.
Re: Security of z-way JSON-API
Could you just resort to firewall rules if needed, assuming you can specify an IP range for the devices that should have access to the JSON API? I just use this at my house, so internal access is not a huge deal, but for external access I set up iOS profiles for on-demand VPN access with OpenVPN.
Re: Security of z-way JSON-API
It works for me: redirect from 80 to 8083, login and password in /opt/z-way-server/.htpasswd.
/etc/nginx/nginx.conf
user http;
worker_processes 1;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    keepalive_timeout 65;

    # Z-Way server
    server {
        listen 80;
        server_name localhost;
        access_log /var/log/nginx/z-way.access.log main;
        error_log /var/log/nginx/z-way.error.log;

        location / {
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://localhost:8083/;
            proxy_redirect off;
            # Password
            auth_basic "Restricted";
            auth_basic_user_file /opt/z-way-server/.htpasswd;
            # Don't forward auth to Z-Way
            proxy_set_header Authorization "";
        }
    }
}
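The nginx config above only helps if the Z-Way port itself (8083) cannot be reached directly, which is the iptables point raised earlier in the thread, and if the .htpasswd file contains properly hashed entries. The following shell helpers are an added example written for this thread, not code from any of the posters or from the Z-Way project. They assume Z-Way listens on 8083 and nginx on 80 as in the config above; the LAN range and the file contents in the test are constructed values. The first function prints (rather than applies) iptables rules that leave 8083 reachable only via loopback and restrict the proxy port to a given IP range, matching the firewall-by-IP-range suggestion later in the thread. The second audits an auth_basic_user_file for the `{PLAIN}` and `{SHA}` schemes, which nginx accepts but its documentation marks as not to be used.

```shell
#!/bin/sh
# Added example for the z-way JSON-API thread (hypothetical helpers, not Z-Way code).
# Assumption: Z-Way on 8083, nginx reverse proxy on 80, as in the nginx.conf above.

ZWAY_PORT=8083
PROXY_PORT=80

# Print the iptables rules that keep the Z-Way port reachable only from
# localhost (so only the nginx proxy can talk to Z-Way) and allow the proxy
# port only from the given LAN range. The rules are printed, not applied,
# so they can be reviewed first; pipe the output into sh as root to apply.
zway_firewall_rules() {
    lan_cidr="$1"
    cat <<EOF
iptables -A INPUT -p tcp --dport $ZWAY_PORT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport $ZWAY_PORT -j DROP
iptables -A INPUT -p tcp --dport $PROXY_PORT -s $lan_cidr -j ACCEPT
iptables -A INPUT -p tcp --dport $PROXY_PORT -j DROP
EOF
}

# Audit an nginx auth_basic_user_file. nginx accepts crypt()/apr1 hashes and
# the RFC 2307 "{scheme}data" forms; of those, {PLAIN} and {SHA} are documented
# as "should not be used". Returns 0 when no such entry (and no empty password)
# is present, 1 otherwise, naming the offending users on stderr.
check_htpasswd() {
    file="$1"
    bad=0
    while IFS=: read -r user hash; do
        case "$hash" in
            '{PLAIN}'*|'{SHA}'*)
                echo "weak password scheme for user '$user'" >&2
                bad=1 ;;
            '')
                echo "empty password for user '$user'" >&2
                bad=1 ;;
            *) ;;  # crypt(), $apr1$, {SSHA}: acceptable
        esac
    done < "$file"
    return $bad
}
```

Entries for the file can be created with `openssl passwd -apr1`, which produces the `$apr1$` form nginx accepts; running `check_htpasswd /opt/z-way-server/.htpasswd` afterwards confirms nothing weaker slipped in.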