2.2.9 Security Enhancements?

djw1191 · October 9, 2021, 3:51am

It would be part of the URL you would use.

But, you shouldn’t have to use this setting for that, by default all private IPs are allowed. I also have a number of VLANs and I’m still able to access without issue.

gopher.ny · October 9, 2021, 9:46am

2.2.9.129 allows CIDR subnet notations, e.g. 1.2.3.4/24. It does not allow subnets broader than /24, though.

gopher.ny · October 9, 2021, 9:47am

Once you bring up hub's UI, e.g. http://192.168.1.5/, add the endpoint to that URL, e.g. http://192.168.1.5/hub/allowSubnets?123.123.123.0,124.124.124.0

mavrrick58 · October 9, 2021, 10:25am

I would make the suggestion that this is something that should be under the advanced networking section in the UI.

The ability to do this shouldn't exactly require soneobe finding these threads down the road.

thebearmay · October 9, 2021, 10:36am

…but then they’d miss out on the joy of searching the forum for these precious nuggets…

Actually not a bad idea.

rlithgow1 · October 9, 2021, 11:23am

I think the devs at Hubitat would sooner commit Sepaku than go the way of Wink in any way, shape, or form...

gopher.ny · October 9, 2021, 11:26am

That is going to happen. Can't promise the timeline, but sooner rather than later.

jameslslate · October 9, 2021, 3:55pm

So, closer to 2.2.9.130 than 3.0.0.1.

scott.j.purkey · October 9, 2021, 4:04pm

Thank you. That worked perfectly.

gopher.ny · October 9, 2021, 7:39pm

Whatever proxy you use, can you try commenting out X-Forwarded-For header? As in do not have proxy create one. That made a difference between receiving real IP vs. proxy's IP on my (admittedly very basic) nginx setup.

Yes, I said it's not looking at the headers just a few posts above... obviously, something implicitly does.

dJOS · October 10, 2021, 2:49am

So I just upgraded to .129 and found that my WebVPN Portal no longer works - I cant say I'm very impressed by this!

Now All I get is this when I try to connect:
Screen Shot 2021-10-10 at 1.45.54 pm

It's my own fault I guess for assuming the solution I use would be unaffected:

But if you guys could please add an option to allow competent IT folk to manage their own security, that'd be great, m'kay.

PS, adding my public IP doesnt solve the issue for me, however using a standard VPN tunnel into my network does still work.

gopher.ny · October 10, 2021, 1:29pm

Figured where Jetty was processing the header (sneaky) and how to disable that processing. Next update will have the fix.

gopher.ny · October 11, 2021, 6:33pm

Fix is out in 2.2.9.130, please let me know if it solves the issue.

dJOS · October 11, 2021, 9:09pm

Cheers, I’ll try it today.

dJOS · October 11, 2021, 10:42pm

Yep, my VPN Web portal is back online, lovely work sir!