Comments (11)
Hi @MilesTEG1 - thanks for raising this :)
I've added an option for you to select how long the session should last before expiring in #66
This is what it looks like:
from dashy.
Unfortunately your other two requests are outside the scope, so I won't be implementing them at this time. I recommend implementing this on your server instead.
@EVOTk recommends Authelia, which can be used in conjunction with your reverse proxy (like NGINX, Traefik, etc). It supports 2-factor authentication, and you can use it globally across your lab, so it should be much more convenient. I found this video by Techno Tim very useful for getting started.
Just to reiterate, if your dashboard is exposed to the internet and/or contains any sensitive data, you should not rely on Dashy's login page. It is handled on the client-side, which means it is possible for an attacker to potentially reverse-engineer it. It's definitely better than nothing, but it is really intended for use within the safe walls of your local network, to restrict access for those who share your server.
Hi,
Have you read https://github.com/Lissy93/dashy/blob/master/docs/authentication.md#security
You will see that Dashy's login page is not bulletproof because of its design, and that it is recommended to use something else like Authelia, nginx, ...
@EVOTk
Hello ✋🏻
Yes, I have read this page, but it seems a bit too complicated for me to set up...
You'd have to write a detailed tutorial 😄
Thanks for the answer.
I think I'll let Dashy stay inside my LAN only... not exposed to the internet with a domain name.
Implementing Authelia on my NAS would be too complicated for me...
I use the DSM reverse proxy (based on nginx), but I don't have full control over it...
So for now, I'll stick with basic auth :)
But, could it be possible to have a connection log (in a .log file accessible with a volume) (failed ones, successful ones) to have my fail2ban container working on it?
I'm not sure about the connection log. The login is very simple, and I don't want to over-complicate things and risk increasing the attack surface. A connection log would involve writing to a file, and if that's done by an unauthenticated user it could be abused by an attacker. This is because, unlike server-side apps, Dashy is mostly a frontend app, and so it's possible to use the browser's dev tools to intercept and modify requests.
At the end of the day, I think most users who will want this kind of feature will use a different authentication method. Sorry about that. But if you've got it within your LAN, then why don't you restrict which IPs can access Dashy instead? Say only allow access from yourself, do it on your web server, and it will be quite safe.
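The IP restriction suggested above, done on the web server rather than in Dashy, as an added example that is not from this thread or the Dashy project. The hostname, certificate paths, subnets and the upstream address are constructed placeholders; adjust them to your own LAN and VPN ranges.

```nginx
# Added example: an NGINX server block in front of Dashy that only admits
# clients from the LAN and the VPN range. All addresses below are placeholders.
server {
    listen 443 ssl;
    server_name dashy.home.example;              # placeholder hostname

    ssl_certificate     /etc/nginx/certs/dashy.crt;   # placeholder paths
    ssl_certificate_key /etc/nginx/certs/dashy.key;

    location / {
        # allow/deny is evaluated by NGINX on $remote_addr, the TCP peer,
        # not on X-Forwarded-For, which an external client could forge.
        allow 192.168.1.0/24;   # home LAN (placeholder)
        allow 10.8.0.0/24;      # VPN clients (placeholder)
        deny  all;              # everyone else receives 403

        proxy_pass http://127.0.0.1:8080;   # Dashy container (placeholder)
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

If another proxy (for example the DSM reverse proxy or a tunnel) sits in front of this NGINX, $remote_addr is that proxy's address, so the allow list only works once `set_real_ip_from` / `real_ip_header` are configured for that trusted proxy alone.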
Hey @MilesTEG1 - Sorry I forgot to update you sooner, but just to let you know that both 2-factor auth and failed-attempts logging are now implemented, through integrating with Keycloak. This was merged in #174, so you need to be using V-1.6.5 or later. You can learn more about how to set this up in the authentication docs.
Keycloak also allows for SSO, plus many more features than I could ever feasibly implement with Dashy's basic auth, and since it's handled server-side it is also more secure too - I think you'll like it! Feel free to reach out if you have any more questions :)
Hello @Lissy93
Great news, I'll go check the doc to see how I can set it up :)
But I don't know what is Keycloak...
Thanks for the heads-up :)
It seems a bit too complicated for me...
Ah ok, no worries :)
Is it because the docs aren't clear enough, or just because there are more things to set up versus the basic auth?
It's more because there is much more to set up, yes :) And the fact that it uses another service.
Maybe one day I'll try it :)
For now, the actual auth should be enough. I only use it on my LAN, and with the reverse proxy with Access Control limited to the LAN IP and my VPN IP.
I wonder if it could be possible to extend a little bit the remember me values :)