Moode Forum

Full Version: Modding moOde: restrict access to config pages
Hello,

as I am using moOde in an environment where others can use it to play their music, I added restricted access by editing nginx.conf (/etc/nginx/nginx.conf).

Just change:

Code:
##
    # moOde UI server
    ##

    server {
        listen 80;
        server_name media07.knoeferl.de;

        location / {
            root /var/www;
            index index.html index.php;
            try_files $uri $uri/ /coverart.php;
        }

        location /cssw/ {
            root /var/local/www;
        }
        location /imagesw/ {
            root /var/local/www;
        }
        location /jsw/ {
            root /var/local/www;
        }
        location /templatesw/ {
            root /var/local/www;
        }

        # php-fpm
        location ~ \.php$ {
            root /var/www;
            fastcgi_pass unix:/run/php/php7.0-fpm.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $request_filename;
            include fastcgi_params;
        }
    }

to:

Code:
##
    # moOde UI server
    ##

    server {
        listen 80;
        server_name media07.knoeferl.de;

        location / {
            root /var/www;
            index index.html index.php;
            try_files $uri $uri/ /coverart.php;
        }

        location /cssw/ {
            root /var/local/www;
        }
        location /imagesw/ {
            root /var/local/www;
        }
        location /jsw/ {
            root /var/local/www;
        }
        location /templatesw/ {
            root /var/local/www;
        }

        # php-fpm
        location ~ \.php$ {
            root /var/www;
            fastcgi_pass unix:/run/php/php7.0-fpm.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $request_filename;
            include fastcgi_params;
        
        
            # php-fpm restricted pages
            location ~ /(apl|blu|chp|eqg|eqp|mpd|net|sel|snd|sqe|src|sys|upp)\-config.php$ {
                root /var/www;
                satisfy any;
                allow 192.168.10.0/24;
                deny all;
                auth_basic "Konfigurationsbereich";
                auth_basic_user_file /etc/nginx/htpasswd;
                fastcgi_pass unix:/run/php/php7.0-fpm.sock;
                fastcgi_param SCRIPT_FILENAME $request_filename;
                include fastcgi_params;
            }
        }
    }


so that all *-config.php pages are password protected.

You need a password file (/etc/nginx/htpasswd) which can easily be generated online (e.g. here)
In my case I have a public and a private net (192.168.10.x) - this is excluded from password protection - this entry can be left out, if not necessary.

Best regards
Hans
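
An added example, not part of the original post: the restricted location names thirteen page prefixes, so a *-config.php page outside that list would be served without a password. The script below reads the prefix list from nginx.conf and prints the config pages in the web root that it does not match; the fixture paths and the page name zzz-config.php are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example: list *-config.php pages that the restricted location misses.

# Pull the prefix alternation (apl|blu|...) out of the restricted location line.
protected_prefixes() {
    sed -n 's#.*location ~ /(\([a-z|]*\)).*-config.*#\1#p' "$1" | head -n 1
}

# Print each *-config.php in the web root that the location regex does not match.
uncovered_config_pages() {
    local conf=$1 webroot=$2 prefixes f name
    prefixes=$(protected_prefixes "$conf")
    [ -n "$prefixes" ] || { echo "no restricted location in $conf" >&2; return 2; }
    for f in "$webroot"/*-config.php; do
        [ -f "$f" ] || continue
        name=${f##*/}
        # nginx matches the request URI, so test "/name" the way the location would.
        if ! printf '/%s\n' "$name" | grep -Eq "/(${prefixes})-config\.php\$"; then
            printf '%s\n' "$name"
        fi
    done
}

# Constructed fixture: a conf holding the thread's location line and a web root
# with two covered pages plus one made-up page name (zzz-config.php).
make_fixture() {
    local dir
    dir=$(mktemp -d)
    mkdir "$dir/www"
    cat > "$dir/nginx.conf" <<'EOF'
location ~ /(apl|blu|chp|eqg|eqp|mpd|net|sel|snd|sqe|src|sys|upp)\-config.php$ {
EOF
    touch "$dir/www/sys-config.php" "$dir/www/net-config.php" \
          "$dir/www/zzz-config.php" "$dir/www/index.php"
    printf '%s\n' "$dir"
}

fixture=$(make_fixture)
uncovered_config_pages "$fixture/nginx.conf" "$fixture/www"
rm -rf "$fixture"
```

On a real player the call would be `uncovered_config_pages /etc/nginx/nginx.conf /var/www`, run again after each moOde update.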
Hi Hans,

What's the usage scenario where u need password protection?

-Tim
Hello Tim,

the audioplayer is installed at a riding arena, where everyone can connect to an open WLAN.
This WLAN (OpenWRT router) only allows access to the moOde player and redirects all requests.

So everyone who connects to this WLAN can use the audioplayer.
My problem was that some users tried to figure out what they can do with moOde and even changed the network config...
So I added password protection to avoid additional work for me :-)

I think this is a very specific use case.
But perhaps it is useful for people with curious kids.
Even better would be a kiosk mode, which completely hides some menu entries... but didn't try to implement it yet.
(07-23-2018, 05:20 AM) Highsider Wrote: ...

I think this is pretty cool. I have a potential usage scenario in mind, a bit similar to Highsider's usage scenario, a guest-room audio player. Guests connect to a guest WLAN and can access the player but we don't want them to access and change settings. It's something I have previously briefly considered and this mod would make it viable.
(07-23-2018, 12:53 PM) FizzyTea Wrote: ...

Same here. 

I could use it as a music player for the high school drama club I mentor. I could patch a moOde player through the sound board. The weeks-long drudgery of constructing and painting sets would be lightened by music, especially if the kids get to choose tracks via moOde and my music service subscriptions.

They're teenagers. If there's a way to screw up the configuration, they'll find it. Inveterate button pushers, all of them.

Regards,
Kent
This week I've been testing my way through the available Sonos alternatives. Rune -> Volumio -> MoOde and I seem to have saved the best for last. Best presentation and stability so far.

But for each system I was amazed there was such open access to the settings pages. I've become used to guests having access to my wifi and my toys, but without the risk of them accidentally or maliciously changing settings! Could this be a built-in feature?

@Highsider thanks for sharing this mod. But is it still working for you? I'm using moOde 4.4 and I've edited nginx.conf and created a htpasswd file for user pi as directed above. But it just seems to render the web UI in almost complete white and stop the play controls working. I can access the settings without a password still! But the options appear blank.

Many thanks for any advice.
Hi @Tim Curtis, or others with more knowledge than I

I'm using a modified version of the above pw protection. In the last version I had to modify the integrity check on the nginx.conf file that was performed during boot. This I could do in worker.php (around line 123). With current version 5.0 - I fail to find the integrity check in worker.php - All I can see is that it has moved somewhere... but not where.

Modifying the nginx.conf will have it fail the integrity check (you can see that in moode.log) and it'll leave the mighty moode player dead (well mostly dead). I need to pw protect the config pages.

Thank you
Hi,

You need to change action to warning instead of exit for nginx.conf in moOde sqlite database:

Code:
sudo sqlite3 /var/local/www/db/moode-sqlite3.db "UPDATE cfg_hash SET ACTION = 'warning' WHERE PARAM = '/etc/nginx/nginx.conf'"
(04-24-2019, 09:22 AM) TookaFace Wrote: ...

@TookaFace THANK YOU - working like a charm again

Code:
M O O D E    L O G  

   20190424 144854 worker: - Start
   20190424 144854 worker: Successfully daemonized
   20190424 144854 worker: Integrity check (warning: nginx.conf)
   20190424 144854 worker: Integrity check (passed with warnings)
   …...
   20190424 144942 worker: Watchdog started
   20190424 144942 worker: Ready
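
An added example, not written by anyone in the thread: once the action is set to warning, the log line above only says that nginx.conf raised a warning, not whether the file still matches your own edit. The script keeps a separate SHA-256 baseline of the edited file and extracts the warned file names from the log; the temporary paths, the stand-in nginx.conf and the log lines (copied in the format shown above) are constructed sample data.

```bash
#!/usr/bin/env bash
# Added example: keep your own baseline for the edited nginx.conf.

# Record the SHA-256 of FILE as the known-good state.
record_baseline() {     # record_baseline FILE BASELINE
    sha256sum "$1" | cut -d' ' -f1 > "$2"
}

# Return 0 if FILE still matches the recorded hash, 1 if it has changed.
matches_baseline() {    # matches_baseline FILE BASELINE
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$(cat "$2")" ]
}

# List the files named in "Integrity check (warning: ...)" lines of a moOde log.
integrity_warnings() {  # integrity_warnings LOGFILE
    sed -n 's/.*worker: Integrity check (warning: \(.*\))$/\1/p' "$1" | sort -u
}

demo() {
    local dir
    dir=$(mktemp -d)
    # Constructed stand-in for the edited /etc/nginx/nginx.conf.
    printf 'server { listen 80; }\n' > "$dir/nginx.conf"
    record_baseline "$dir/nginx.conf" "$dir/nginx.conf.sha256"
    matches_baseline "$dir/nginx.conf" "$dir/nginx.conf.sha256" && echo "unchanged"
    # A later, unplanned edit is caught even though moOde only warns.
    printf '# later edit\n' >> "$dir/nginx.conf"
    matches_baseline "$dir/nginx.conf" "$dir/nginx.conf.sha256" || echo "CHANGED"
    # Constructed log lines in the format posted in the thread.
    cat > "$dir/moode.log" <<'EOF'
   20190424 144854 worker: Integrity check (warning: nginx.conf)
   20190424 144854 worker: Integrity check (passed with warnings)
EOF
    integrity_warnings "$dir/moode.log"
    rm -rf "$dir"
}

demo
```

Store the baseline file where only root can write to it, and record it again after each intended change to nginx.conf.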
(04-24-2019, 12:52 PM) ksone Wrote: ...

For some reason after the latest moode version it doesn't work anymore. When trying to run the sqlite line I get this:
"Error: read only"
And I can't figure out how to make the db file writeable.