[How to do instruction] Modding moOde: restrict access to config pages

[Highsider]

Hello,

as I am using moOde in an environment, were others can use it to play their music, I added restricted access by editing nginx.conf (/etc/nginx/nginx.con)

Just change:

Code:

##
    # moOde UI server
    ##

    server {
        listen 80;
        server_name media07.knoeferl.de;

        location / {
            root /var/www;
            index index.html index.php;
            try_files $uri $uri/ /coverart.php;
        }

        location /cssw/ {
            root /var/local/www;
        }
        location /imagesw/ {
            root /var/local/www;
        }
        location /jsw/ {
            root /var/local/www;
        }
        location /templatesw/ {
            root /var/local/www;
        }

        # php-fpm
        location ~ \.php$ {
            root /var/www;
            fastcgi_pass unix:/run/php/php7.0-fpm.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $request_filename;
            include fastcgi_params;
        }
    }

to:

Code:

##
    # moOde UI server
    ##

    server {
        listen 80;
        server_name media07.knoeferl.de;

        location / {
            root /var/www;
            index index.html index.php;
            try_files $uri $uri/ /coverart.php;
        }

        location /cssw/ {
            root /var/local/www;
        }
        location /imagesw/ {
            root /var/local/www;
        }
        location /jsw/ {
            root /var/local/www;
        }
        location /templatesw/ {
            root /var/local/www;
        }

        # php-fpm
        location ~ \.php$ {
            root /var/www;
            fastcgi_pass unix:/run/php/php7.0-fpm.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $request_filename;
            include fastcgi_params;
        
        
            # php-fpm restricted pages
            location ~ /(apl|blu|chp|eqg|eqp|mpd|net|sel|snd|sqe|src|sys|upp)\-config.php$ {
                root /var/www;
                satisfy any;
                allow 192.168.10.0/24;
                deny all;
                auth_basic "Konfigurationsbereich";
                auth_basic_user_file /etc/nginx/htpasswd;
                fastcgi_pass unix:/run/php/php7.0-fpm.sock;
                fastcgi_param SCRIPT_FILENAME $request_filename;
                include fastcgi_params;
            }
        }
    }

so that all *-config.php pages are password protected.

You need a password file (/etc/nginx/htpasswd) which can easily be generated online (e.g. here)
In my case I have a public and a private net (192.168.10.x) - this is excluded from password protection - this entry can be left out, if not necessary.

Best regards
Hans

[Tim Curtis]

Hi Hans,

What the usage scenario where u need password protection?

-Tim

[Highsider]

Hello Tim,

the audioplayer is installed at a riding arena, were everyone can connect to an open WLAN.
This WLAN (OpenWRT router) only allows acces to the moOde player and redirects all requests.

So everyone, who connects to this WLAN can use the audioplayer.
My problem was, that some users tried to figure out what they can do with moOde and even changed the network config...
So I added password protection to avoid additional work for me :-)

I think, this is a very specifific usecase.
But perhaps it is usefull for peoply with curious kids.
Even better would be a kiosk mode, which completly hides some menu entries... but didn't try to implement it, yet.

[FizzyTea]

Hello Tim,

the audioplayer is installed at a riding arena, were everyone can connect to an open WLAN.
This WLAN (OpenWRT router) only allows acces to the moOde player and redirects all requests.

So everyone, who connects to this WLAN can use the audioplayer.
My problem was, that some users tried to figure out what they can do with moOde and even changed the network config...
So I added password protection to avoid additional work for me :-)

I think, this is a very specifific usecase.
But perhaps it is usefull for peoply with curious kids.
Even better would be a kiosk mode, which completly hides some menu entries... but didn't try to implement it, yet.

I think this is pretty cool. I have a potential usage scenario in mind, a bit similar to Highsider's usage scenario, a guest-room audio player. Guests connect to a guest WLAN and can access the player but we don't want them to access and change settings. It's something I have previously briefly considered and this mod would make it viable.

[TheOldPresbyope]

...
I think, this is a very specifific usecase.
But perhaps it is usefull for peoply with curious kids.
Even better would be a kiosk mode, which completly hides some menu entries... but didn't try to implement it, yet.

I think this is pretty cool. I have a potential usage scenario in mind, a bit similar to Highsider's usage scenario, a guest-room audio player. Guests connect to a guest WLAN and can access the player but we don't want them to access and change settings. It's something I have previously briefly considered and this mod would make it viable.

Same here. 

I could use it as a music player for the high school drama club I mentor. I could patch a moOde player through the sound board. The weeks-long drudgery of constructing and painting sets would be lightened by music, especially if the kids get to choose tracks via moOde and my music service subscriptions.

They're teenagers. If there's a way to screw up the configuration, they'll find it. Inveterate button pushers, all of them 

Regards,
Kent

[ksone]

Hi @Tim Curtis, or other with more knowledge than I

I'm using a modified version of the above pw protection. In last version I had to modify the integrity check on nginx.conf file, that was perfomed during boot. This I could do in worker.php (around line 123). With current version 5.0 - I fail to find the integrity check in worker.php - All I can see is that it have moved somewhere…. but not where. 

Modifying the nginx.conf will have it fail the integrity check(you can see that in moode.log) and it'll leave the mighty moode player dead (well mostly dead). I need to pw protect the config pages.

Thank you

[TookaFace]

Hi,

You need to change action to warning instead of exit for nginx.conf in moOde sqlite database:

Code:

sudo sqlite3 /var/local/www/db/moode-sqlite3.db "UPDATE cfg_hash SET ACTION = 'warning' WHERE PARAM = '/etc/nginx/nginx.conf'"

[ksone]

Hi,

You need to change action to warning instead of exit for nginx.conf in moOde sqlite database:

Code:

sudo sqlite3 /var/local/www/db/moode-sqlite3.db "UPDATE cfg_hash SET ACTION = 'warning' WHERE PARAM = '/etc/nginx/nginx.conf'"

@TookaFace THANK YOU - working like a charm again

Code:

M O O D E    L O G  

   20190424 144854 worker: - Start
   20190424 144854 worker: Successfully daemonized
   20190424 144854 worker: Integrity check (warning: nginx.conf)
   20190424 144854 worker: Integrity check (passed with warnings)
   …...
   20190424 144942 worker: Watchdog started
   20190424 144942 worker: Ready

[ksone]

Hi,

You need to change action to warning instead of exit for nginx.conf in moOde sqlite database:

Code:

sudo sqlite3 /var/local/www/db/moode-sqlite3.db "UPDATE cfg_hash SET ACTION = 'warning' WHERE PARAM = '/etc/nginx/nginx.conf'"

@TookaFace THANK YOU - working like a charm again

Code:

M O O D E    L O G  

   20190424 144854 worker: - Start
   20190424 144854 worker: Successfully daemonized
   20190424 144854 worker: Integrity check (warning: nginx.conf)
   20190424 144854 worker: Integrity check (passed with warnings)
   …...
   20190424 144942 worker: Watchdog started
   20190424 144942 worker: Ready

For some reason after latest moode version it doesnt work anymore. When trying to run the sqlite line I get this:
"Error: read only"
And I can't figure out how to make the db file writeable.

[TookaFace]

Hi,
You need to run this command first:

Code:

sudo sqlite3 /var/local/www/db/moode-sqlite3.db "DROP TRIGGER ro_columns"