Hub Login Security - effects

Hi,

I finally want to enable "Hub Login Security" on my hub.
But I really can't work out what effects it will have on my usage.

I know for sure it will require a login when I access the hub on my LAN via web browser.

Other than that;

  1. Will it change the behaviour of the mobile app when I use it on the local network?
  2. Will it change the behaviour of the mobile app when I use it from the internet?
  3. Will it change access to https://cloud.hubitat.com/api/....... ?
  4. Will the access tokens for cloud access change when I enable it?
  5. If any custom apps will be affected by this change, how can I find them?
  6. What commonly used custom apps are affected? I use Maker API, Mi Connector, Alexa Skill, InfluxDb Logger, WebCore, Tile Master 2, Unofficial Ring Connect, Life 360 with states

Bonus questions:

  1. Can I disable Hub Login Security if it does not go well for me?
  2. Is there a way to disable local http access and force https while accessing locally?

It secures the hub’s admin interface that’s accessed in a web browser. The other items you mentioned are not affected by this. Except certain apps could be; I’m not familiar with every app you mentioned, but if the app settings don’t have an option to add your login security details, then it’s not relevant.

Yes login security can be disabled after it’s been enabled.

You mentioned in another thread you've been using port forwarding to access your hub from the internet. You should really consider adding a password to secure access to your hub.

1 Like

Actually, I am not using port forwarding.
I am accessing the hub via VPN to my router. But I just want to learn and understand what is changing in case I need to use port forwarding in the future.

So, API endpoints are not affected if I add login security?
Tokens do not change?

Maker API and cloud dashboards continued working without missing a beat when I enabled login security a while ago.

2 Likes

thanks for all the answers

is there a way to disable local http access and force https while accessing locally ?

Yes, go to http://your.hubs.ip.here/hub/advanced/certificate and turn this switch on. You'll need a valid key pair, too. A self signed certificate works.

3 Likes

Thanks.
Actually, it works with the default certificate.
I know the certificate cannot be validated, but at least the connection is encrypted.
Better than plain http.

Why isn't this option available directly in the settings page?

Just a side note:
when I enabled https on the hub, some of my apps failed because they use the ping utility at:

uri: "http://${location.hub.localIP}:8080",
path:"/hub/networkTest/ping/"+ipAddress,

I changed it to https but it still did not work.
Why?

They'll have to have the login to the hub to utilize the endpoint. Most will have a place to enter your id and password so that they can perform that in the background.

No, I did not enable security yet.
I just enabled https.
But the endpoint at port 8080 is not https,
so http://${location.hub.localIP}:8080/hub/networkTest/ping/ STILL WORKS (replies),
but my app receives an http 408 error.

just this code:

params = [
    uri: "http://${location.hub.localIP}:8080",
    path:"/hub/networkTest/ping/"+ipAddress,
    headers: [ "Cookie": cookie ]
]
asynchttpGet("sendPingHandler", params)

Oh, I got it.
When SSL is enabled, the port changes to 8443 from 8080,
so the uri should be https://${location.hub.localIP}:8443
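The port change and the unvalidated default certificate discussed above can be handled together by pinning the hub's certificate fingerprint instead of skipping verification silently. The following is an added example, not code from the thread or from Hubitat; it assumes the pinned SHA-256 fingerprint was recorded once over a trusted connection, and the function names are hypothetical.

```python
import hashlib
import hmac
import http.client
import ssl

HTTP_PORT, HTTPS_PORT = 8080, 8443  # ports named in the thread


def hub_base(ip, ssl_enabled):
    """Base URL for hub endpoints; the port moves to 8443 once SSL is on."""
    if ssl_enabled:
        return f"https://{ip}:{HTTPS_PORT}"
    return f"http://{ip}:{HTTP_PORT}"


def fingerprint(der_cert):
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert, pinned_hex):
    """Constant-time comparison against the pinned fingerprint."""
    normalized = pinned_hex.replace(":", "").strip().lower()
    return hmac.compare_digest(fingerprint(der_cert), normalized)


def pinned_get(ip, path, pinned_hex, timeout=10):
    """GET over TLS; the request is sent only if the cert matches the pin."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # self-signed cert: no hostname to check
    ctx.verify_mode = ssl.CERT_NONE  # trust comes from the pin below instead
    conn = http.client.HTTPSConnection(ip, HTTPS_PORT, context=ctx,
                                       timeout=timeout)
    try:
        conn.connect()  # TLS handshake only; nothing has been sent yet
        der = conn.sock.getpeercert(binary_form=True)
        if not der or not pin_matches(der, pinned_hex):
            raise ssl.SSLError("hub certificate does not match pinned fingerprint")
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()
```

A call such as `pinned_get("192.168.254.10", "/hub/networkTest/ping/192.168.254.1", PIN)` (addresses and `PIN` constructed for illustration) fails closed if the hub presents a different certificate.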

Believe 408 is a timeout. Have you tried using the built-in ping function (requires > HE 2.2.6.140):

hubitat.helper.NetworkUtils.PingData pingData = hubitat.helper.NetworkUtils.ping(ipAddress, numPings.toInteger())

As I wrote above, it is because the port changes.
So I can use 8443, but it is not a good idea to change to SSL because it requires changing all endpoint accesses.

What about calling endpoints like the one below, after enabling hub login security?
http://192.168.254.10:8080/hub/shutdown

I use this with Rule Machine.
So after I enable security, this won't work?

Haven't tried it in RM, but know that the Hub Rebooter App passes the login cookie when it makes the call.

Well, that works because the developer has implemented calling the /login endpoint and getting a cookie there.
Then he calls the reboot endpoint with that cookie.

But I need to call shutdown with a Rule Machine rule.
So how can I implement it in Rule Machine?

That might be a @bravenel question.

Well, I can set a virtual button to trigger the "rebooter" app,
then activate the button from a rule.
But that's not nice.
I really don't like to add too many virtual buttons.

It seems when I enable Hub UI SSL only, in the app if I am local or remote and I go and click Connect to Hub, it will take me to remoteaccess.aws.hubitat.com but will produce a 502 Bad Gateway error. Turn off SSL and it works again, and locally it will direct me to the local URL to the hub again. I also tried to access the remote admin via my computer's browser, and I also get the same 502 error when trying to connect to the hub. Is this behavior to be expected?

Looks like an item for the "fix it" list. This will require a change on the hub side.
