Gentoo Forums
Redirect secure web page to unsecure after password prompt
jpp_
Tux's lil' helper
Joined: 23 Oct 2009
Posts: 110
Location: Argentina

PostPosted: Tue Dec 28, 2021 2:24 pm    Post subject: Redirect secure web page to unsecure after password prompt

Hello

Explanation: there is a generator (electricity) that has an HTTP interface to handle it, which does not have any kind of password. Is it possible to create a login page which, once the session is correctly started, redirects to the generator page? The web server of the login page would be in the same LAN as the generator web page.

What would be the best way to achieve this, from a security point of view?

Also, there is a MikroTik router; can it be useful for this?

Regards
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21624

PostPosted: Tue Dec 28, 2021 5:33 pm    Post subject:

This is easily done at the HTTP layer, but if you do the redirect there, then anyone who knows the address of the generator can just load it directly, without talking to the login page at all. If your goal is to secure the generator, you should use a firewall to restrict access to it, so that only the Linux web server can talk to it. Then, have the server make requests to the generator on behalf of authorized clients. That is not as easy, but still quite possible.

What is your goal here? At the network level, where are the authorized and unauthorized clients? If you took no action to secure it, would the generator be accessible from the Internet? Are you trying to allow certain trusted Internet users to manage it, while disallowing everyone else? Are you trying to make it accessible only to people on the local LAN, and block all Internet access to it?
jpp_
Tux's lil' helper
Joined: 23 Oct 2009
Posts: 110
Location: Argentina

PostPosted: Tue Dec 28, 2021 6:20 pm    Post subject:

Hu wrote:
This is easily done at the HTTP layer, but if you do the redirect there, then anyone who knows the address of the generator can just load it directly, without talking to the login page at all. If your goal is to secure the generator, you should use a firewall to restrict access to it, so that only the Linux web server can talk to it. Then, have the server make requests to the generator on behalf of authorized clients. That is not as easy, but still quite possible.

What is your goal here? At the network level, where are the authorized and unauthorized clients? If you took no action to secure it, would the generator be accessible from the Internet? Are you trying to allow certain trusted Internet users to manage it, while disallowing everyone else? Are you trying to make it accessible only to people on the local LAN, and block all Internet access to it?


Hi Hu, good day.

The goal is that certain people can access and monitor / control it from the LAN, or over the Internet if they are not there.
A VPN to the router can solve this,
but I was looking for something that does not need configuration on the client side: for example, going to a certain web page, logging in with some credentials, and after the successful login the web page redirects (via LAN) to the generator HTTP interface; the web server and the generator in this case would be in the same LAN. Is it OK to do it that way?

Regards
Hu
Moderator
Joined: 06 Mar 2007
Posts: 21624

PostPosted: Tue Dec 28, 2021 6:48 pm    Post subject:

A redirect would mean that the authentication server is not involved after the password is given, and that the clients can access the generator directly. That would not be secure.

Making the authentication server proxy valid requests to the generator would work, and if done right, should be secure.
steve_v
Guru
Joined: 20 Jun 2004
Posts: 388
Location: New Zealand

PostPosted: Tue Dec 28, 2021 6:48 pm    Post subject:

While I haven't tried this exact setup myself, I'm pretty sure an Apache (or nginx, if that's your jam) reverse proxy will do what you want. That's kinda what the feature is for, after all.

Between this post (no responsibility, first result I found), the Apache documentation, and a general internet search, it shouldn't be difficult to figure out.

As for the router being of use, its web server might be able to be configured to do this, but exposing a router's internal web server to the internet is an exceedingly bad idea from a security standpoint. What you really want is a dedicated machine to act as a proxy "gateway" to the insecure service, providing SSL/TLS and authentication...
And ideally a less braindead generator controller, if it doesn't support TLS or authentication, doG only knows what other security problems it has.
_________________
Once is happenstance. Twice is coincidence. Three times is enemy action. Four times is Official GNOME Policy.
spica
Apprentice
Joined: 04 Jun 2021
Posts: 287

PostPosted: Wed Dec 29, 2021 9:04 am    Post subject:

I used auth_request + a self-written web service which checks the provided credentials.
Only nginx should have access to the generator; otherwise users will use a direct link.
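The two approaches the thread settles on, Hu's "have the server make requests to the generator on behalf of authorized clients" and spica's "auth_request + self-written web service which checks the credentials", can be served by one small process. The following is an added example written for this thread, not code from any poster or from nginx; it assumes a constructed device address (GENERATOR_URL), a constructed operator account, that a firewall already limits the device to this host, and that a TLS-terminating web server sits in front of the loopback port it listens on. A request to /auth answers with a bare 200 or 401 (what nginx's auth_request directive expects from its backend); any other request that carries valid credentials is fetched from the device and relayed back, so clients never get a direct link.

```python
from __future__ import annotations

import base64
import binascii
import hashlib
import hmac
import os
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed values (assumptions, not from the thread): where the device
# answers and where this process listens. Only this host is assumed to be
# allowed through the firewall to GENERATOR_URL, and a TLS-terminating
# nginx/Apache is assumed to be the only client of LISTEN.
GENERATOR_URL = "http://192.0.2.10"
LISTEN = ("127.0.0.1", 8081)
PBKDF2_ROUNDS = 200_000


def make_record(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, PBKDF2-SHA256 digest); the plaintext is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


# Constructed credential store: one operator account with a sample password.
USERS = {"operator": make_record("constructed-example-password")}


def verify_credentials(user: str, password: str) -> bool:
    """Constant-time comparison against the stored digest; unknown users fail."""
    record = USERS.get(user)
    if record is None:
        make_record(password)  # same cost as a real check, so timing does not reveal valid usernames
        return False
    salt, expected = record
    return hmac.compare_digest(make_record(password, salt)[1], expected)


def basic_header(user: str, password: str) -> str:
    """Build the Authorization value a browser sends for HTTP Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_auth(header: str | None) -> tuple[str, str] | None:
    """Decode 'Basic base64(user:pass)'; return (user, pass) or None if malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def is_authorized(auth_header: str | None) -> bool:
    creds = parse_basic_auth(auth_header)
    return creds is not None and verify_credentials(*creds)


class AuthProxyHandler(BaseHTTPRequestHandler):
    """Reject unauthenticated requests; answer /auth with a status only
    (nginx auth_request backend); relay everything else to the device."""

    def do_GET(self):
        self.dispatch(None)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        self.dispatch(self.rfile.read(length))

    def dispatch(self, body: bytes | None):
        if not is_authorized(self.headers.get("Authorization")):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="generator"')
            self.end_headers()
            return
        if not self.path.startswith("/"):   # only origin-form paths are relayed
            self.send_error(400)
            return
        if self.path == "/auth":
            self.send_response(200)
            self.end_headers()
            return
        self.relay(body)

    def relay(self, body: bytes | None):
        """Fetch the same path from the device; the device only ever sees this host."""
        req = urllib.request.Request(GENERATOR_URL + self.path, data=body, method=self.command)
        if self.headers.get("Content-Type"):
            req.add_header("Content-Type", self.headers["Content-Type"])
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                status, out = resp.status, resp.read()
                ctype = resp.headers.get("Content-Type", "application/octet-stream")
        except urllib.error.HTTPError as err:
            status, out, ctype = err.code, err.read(), "text/plain"
        except urllib.error.URLError:
            status, out, ctype = 502, b"device unreachable\n", "text/plain"
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)


if __name__ == "__main__":
    HTTPServer(LISTEN, AuthProxyHandler).serve_forever()
```

Run it with `python3 authproxy.py` (filename assumed) on the same host as the front web server, and point that server at 127.0.0.1:8081, either with `proxy_pass` so every request goes through the relay, or with `auth_request /auth;` so nginx only consults it for the verdict and proxies the device itself. Basic auth is only acceptable because the front server terminates TLS; the credential store here is an in-memory constructed example, and the firewall rule that stops anything but this host from reaching the device is what makes the login page meaningful at all, exactly as Hu and spica point out.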