Hub Login Security - effects

ilkeraktuna · October 9, 2021, 7:26am

Hi,

I finally want to enable " Hub Login Security" on my hub.
But I really can't make up what effects it will have on my usage.

I know for sure it will require a login when I access the hub on my LAN via web browser.

Other than that;

will it change behaviour of the mobile app when I use on local network ?
will it change behaviour of the mobile app when I use from internet ?
will it change access to https://cloud.hubitat.com/api/....... ?
will the access tokens for cloud access change when I enable it ?
if any custom apps will be affected with this change, how can I find them ?
what commonly used custom apps are affected ? I use Maker API, Mi Connector, Alexa Skill, InfluxDb Logger, WebCore, Tile Master 2, Unofficial Ring Connect, Life 360 with states

Bonus questions:

can I disable Hub Login Security if it does not go well for me ?
is there a way to disable local http access and force https while accessing locally ?

marktheknife · October 9, 2021, 10:26am

It secures the hub’s admin interface that’s accessed in a web browser. The other items you mentioned are not affected by this. Except certain apps could be; I’m not familiar with every app you mentioned, but if the app settings don’t have an option to add your login security details, then it’s not relevant.

Yes login security can be disabled after it’s been enabled.

You mentioned in another thread you've been using port forwarding to access your hub from the internet. You should really consider adding a password to secure access your hub.

ilkeraktuna · October 9, 2021, 11:50am

actually I am not using port forwarding.
I am accessing the hub via VPN to my router. But I just want to learn and understand what is changing in case I need to use port forwarding in the future.

So, API endpoints are not affected if I add login security ?
tokens do not change ?

marktheknife · October 9, 2021, 11:56am

Maker API and cloud dashboards continued working without missing a beat when I enabled login security a while ago.

ilkeraktuna · October 13, 2021, 7:51pm

thanks for all the answers

is there a way to disable local http access and force https while accessing locally ?

gopher.ny · October 13, 2021, 9:21pm

Yes, go to http://your.hubs.ip.here/hub/advanced/certificate and turn this switch on. You'll need a valid key pair, too. A self signed certificate works.

ilkeraktuna · October 14, 2021, 6:23pm

thanks.
actually it works with the default certificate.
I know the certificate can not be validated but at least the connection is encrypted.
Better than plain http

why isn't this option available directly in settings page ?

ilkeraktuna · October 14, 2021, 6:34pm

just a side note:
when I enabled https on the hub, some of my apps failed because they use the ping utility at:

uri: "http://${location.hub.localIP}:8080",
path:"/hub/networkTest/ping/"+ipAddress,

I changed it to https but it still did not work.
why ?

thebearmay · October 14, 2021, 6:36pm

They'll have to have the login to the hub to utilize the endpoint. Most will have a place to enter your id and password so that they can perform that in the background.

ilkeraktuna · October 14, 2021, 6:48pm

no I did not enable security yet.
I just enabled https.
but the endpoint at port 8080 is not https
so http://${location.hub.localIP}:8080/hub/networkTest/ping/ STILL WORKS (replies)
but my app receives http 408 error

just this code:

params = [
    uri: "http://${location.hub.localIP}:8080",
    path:"/hub/networkTest/ping/"+ipAddress,
    headers: [ "Cookie": cookie ]
]
asynchttpGet("sendPingHandler", params)

ilkeraktuna · October 14, 2021, 6:55pm

oh I got it
when ssl is enabled , port changes to 8443 from 8080
so the uri should be https://${location.hub.localIP}:8443

thebearmay · October 14, 2021, 6:56pm

Believe 408 is a timeout. Have you tried using the built in ping function (requires > HE 2.2.6.140):

hubitat.helper.NetworkUtils.PingData pingData = hubitat.helper.NetworkUtils.ping(ipAddress, numPings.toInteger())

ilkeraktuna · October 14, 2021, 7:02pm

as I wrote above it is because the port changes.
so I can use 8443 , but it is not a good idea to change to ssl because it requires to change all endpoint accesses.

ilkeraktuna · October 14, 2021, 7:05pm

what about calling endpoints like below, after enabling hub login security ?
http://192.168.254.10:8080/hub/shutdown

I use this with rule machine.
so after I enable secuirty, this won't work ?

thebearmay · October 14, 2021, 7:21pm

Haven't tried it in RM, but know that the Hub Rebooter App passes the login cookie when it makes the call.

ilkeraktuna · October 14, 2021, 7:50pm

well , that works because the developer has implemented calling /login endpoint and getting a cookie there.
Then he calls the reboot endpoint with that cookie.

But I need to call shutdown with a rule machine rule.
So how can I implement it in rule machine ?

thebearmay · October 14, 2021, 7:58pm

That might be a @bravenel question.

ilkeraktuna · October 14, 2021, 8:13pm

well, I can set a virtual button to trigger "rebooter" app
then activate button from rule.
but that's not nice.
I really don't like to add too many virtual buttons

KD8GRN · October 15, 2021, 12:39pm

It seems when I enable Hub UI SSL only, in the app if I am local or remote and I go and click Connect to Hub, it will take me to remoteaccess.aws.hubitat.com but will produce a 502 Bad Gateway error. Turn off SSL and it works again, and locally it will direct me to the local URL to the hub again. I also tried to access the remote admin via my computers browser, and I also get the same 502 error when trying to connect to the hub. Is this behavior to be expected?

gopher.ny · October 15, 2021, 2:50pm

Looks like an item for the "fix it" list. This will require a change on the hub side.