mirror of https://github.com/Lissy93/dashy.git
📝 Updates docs :)
This commit is contained in:
parent
35297c90b6
commit
4673515f24
|
@ -39,9 +39,9 @@ Once authentication is enabled, so long as there is no valid token in cookie sto
|
||||||
## Security
|
## Security
|
||||||
Since all authentication is happening entirely on the client-side, it is vulnerable to manipulation by an adversary. An attacker could look at the source code, find the function used generate the auth token, then decode the minified JavaScript to find the hash, and manually generate a token using it, then just insert that value as a cookie using the console, and become a logged in user. Therefore, if you need secure authentication for your app, it is strongly recommended to implement this using your web server, or use a VPN to control access to Dashy. The purpose of the login page is merely to prevent immediate unauthorized access to your homepage.
|
Since all authentication is happening entirely on the client-side, it is vulnerable to manipulation by an adversary. An attacker could look at the source code, find the function used generate the auth token, then decode the minified JavaScript to find the hash, and manually generate a token using it, then just insert that value as a cookie using the console, and become a logged in user. Therefore, if you need secure authentication for your app, it is strongly recommended to implement this using your web server, or use a VPN to control access to Dashy. The purpose of the login page is merely to prevent immediate unauthorized access to your homepage.
|
||||||
|
|
||||||
Addressing this is on the todo list, and there are two potential solutions:
|
Addressing this is on the todo list, and there are several potential solutions:
|
||||||
1. Encrypt all site data against the users password, so that an attacker can not physically access any data without the correct decryption key
|
1. Encrypt all site data against the users password, so that an attacker can not physically access any data without the correct decryption key
|
||||||
2. Use a backend service to handle authentication, and do not return user data from the server until the correct credentials are provided. However, this would require either Dashy to be run using it's Node.js server, or the use of an external service
|
2. Use a backend service to handle authentication and configuration, with no user data returned from the server until the correct credentials are provided. However, this would require either Dashy to be run using it's Node.js server, or the use of an external service
|
||||||
3. Implement authentication using a self-hosted identity management solution, such as [Keycloak for Vue](https://www.keycloak.org/securing-apps/vue)
|
3. Implement authentication using a self-hosted identity management solution, such as [Keycloak for Vue](https://www.keycloak.org/securing-apps/vue)
|
||||||
|
|
||||||
**[⬆️ Back to Top](#authentication)**
|
**[⬆️ Back to Top](#authentication)**
|
||||||
|
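Review bot: the rewritten Security paragraph keeps two wording slips worth fixing while this section is being touched: "the function used generate the auth token" is missing "to" ("the function used to generate the auth token"), and "it's Node.js server" in option 2 should be the possessive "its". The changed option 2 now says the backend handles "authentication and configuration", which is clearer than before; since the sentence promises "no user data returned from the server until the correct credentials are provided", it would help the reader to say in one clause that this is what makes the check server-side rather than client-side, which is the distinction the first paragraph is warning about.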
@ -50,13 +50,13 @@ Addressing this is on the todo list, and there are two potential solutions:
|
||||||
|
|
||||||
## Alternative Authentication Methods
|
## Alternative Authentication Methods
|
||||||
|
|
||||||
If you are hosting Dashy locally, and require remote access, it is recommend to configure a VPN connection into your local network. For instances running on the cloud, you have several other options:
|
If you are self-hosting Dashy, and require secure authentication to prevent unauthorized access, you have several options:
|
||||||
- Authentication Server
|
- [Authentication Server](#authentication-server) - Put Dashy behind a self-hosted auth server
|
||||||
- VPN
|
- [VPN](#vpn) - Use a VPN to tunnel into the network where Dashy is running
|
||||||
- IP-Based Access
|
- [IP-Based Access](#ip-based-access) - Disallow access from all IP addresses, except your own
|
||||||
- Web Server Authentication
|
- [Web Server Authentication](#web-server-authentication) - Enable user control within your web server or proxy
|
||||||
- OAuth Services
|
- [OAuth Services](#oauth-services) - Implement a user management system using a cloud provider
|
||||||
- Password Protection (for cloud providers)
|
- [Password Protection (for cloud providers)](#static-site-hosting-providers) - Enable password-protection on your site
|
||||||
|
|
||||||
### Authentication Server
|
### Authentication Server
|
||||||
##### Authelia
|
##### Authelia
|
||||||
|
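Review bot: the last list item links to `#static-site-hosting-providers` while its label reads "Password Protection (for cloud providers)"; every other item links to an anchor that matches its label (`#authentication-server`, `#vpn`, `#ip-based-access`, ...), so either the target heading further down the file should be checked to confirm it is actually titled "Static Site Hosting Providers", or the label and anchor should be brought into line so the link does not silently break if that heading is later renamed. The new intro sentence "If you are self-hosting Dashy, and require secure authentication to prevent unauthorized access, you have several options:" drops the old recommendation to prefer a VPN for local-network instances; if that preference still holds, it is worth keeping one sentence of it here, since the VPN item below is now presented as just one option among equals.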
@ -141,6 +141,8 @@ basicauth /secret/* {
|
||||||
}
|
}
|
||||||
```
|
```
|
||||||
|
|
||||||
|
For more info about implementing a single sign on for all your apps with Caddy, see [this tutorial](https://joshstrange.com/securing-your-self-hosted-apps-with-single-signon/)
|
||||||
|
|
||||||
##### Lighttpd
|
##### Lighttpd
|
||||||
You can use the [mod_auth](https://doc.lighttpd.net/lighttpd2/mod_auth.html) module to secure your site with Lighttpd. Like with Apache, you need to first create a password file listing your usersnames and hashed passwords, but in Lighttpd, it's usually called `.lighttpdpassword`.
|
You can use the [mod_auth](https://doc.lighttpd.net/lighttpd2/mod_auth.html) module to secure your site with Lighttpd. Like with Apache, you need to first create a password file listing your usersnames and hashed passwords, but in Lighttpd, it's usually called `.lighttpdpassword`.
|
||||||
|
|
||||||
|
|
|
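Review bot: the added sentence "For more info about implementing a single sign on for all your apps with Caddy, see [this tutorial](...)" has no terminating period, and "single sign on" is usually written "single sign-on". The unchanged Lighttpd context line directly below carries the typo "usersnames" ("usernames"); since this hunk already edits the surrounding lines, it is cheap to fix in the same commit.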
@ -218,6 +218,25 @@ For Podman, you can use `systemd` to create a service that launches your contain
|
||||||
|
|
||||||
To restart the container after something within it has crashed, consider using [`docker-autoheal`](https://github.com/willfarrell/docker-autoheal) by @willfarrell, a service that monitors and restarts unhealthy containers. For more info, see the [Healthchecks](#healthchecks) section above.
|
To restart the container after something within it has crashed, consider using [`docker-autoheal`](https://github.com/willfarrell/docker-autoheal) by @willfarrell, a service that monitors and restarts unhealthy containers. For more info, see the [Healthchecks](#healthchecks) section above.
|
||||||
|
|
||||||
|
### Securing
|
||||||
|
|
||||||
|
##### SSL
|
||||||
|
|
||||||
|
Enabling HTTPS with an SSL certificate is recommended if you hare hosting Dashy anywhere other than your home. This will ensure that all traffic is encrypted in transit.
|
||||||
|
|
||||||
|
[Let's Encrypt](https://letsencrypt.org/docs/) is a global Certificate Authority, providing free SSL/TLS Domain Validation certificates in order to enable secure HTTPS access to your website. They have good browser/ OS [compatibility](https://letsencrypt.org/docs/certificate-compatibility/) with their ISRG X1 and DST CA X3 root certificates, support [Wildcard issuance](https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578) done via ACMEv2 using the DNS-01 and have [Multi-Perspective Validation](https://letsencrypt.org/2020/02/19/multi-perspective-validation.html). Let's Encrypt provide [CertBot](https://certbot.eff.org/) an easy app for generating and setting up an SSL certificate
|
||||||
|
|
||||||
|
[ZeroSSL](https://zerossl.com/) is another popular certificate issuer, they are free for personal use, and also provide easy-to-use tools for getting things setup.
|
||||||
|
|
||||||
|
|
||||||
|
If you're hosting Dashy behind Cloudflare, then they offer [free and easy SSL](https://www.cloudflare.com/en-gb/learning/ssl/what-is-an-ssl-certificate/).
|
||||||
|
|
||||||
|
If you're not so comfortable on the command line, then you can use a tool like [SSL For Free](https://www.sslforfree.com/) to generate your Let's Encrypt or ZeroSSL certificate, and support shared hosting servers. They also provide step-by-step tutorials on setting up your certificate on most common platforms. If you are using shared hosting, you may find [this tutorial](https://www.sitepoint.com/a-guide-to-setting-up-lets-encrypt-ssl-on-shared-hosting/) helpful.
|
||||||
|
|
||||||
|
##### Authentication
|
||||||
|
Dashy has [basic authentication](/docs/authentication.md) built in, however at present this is handled on the front-end, and so where security is critical, it is recommended to use an alternative method. See [here](/docs/authentication.md#alternative-authentication-methods) for options regarding securing Dashy.
|
||||||
|
|
||||||
|
|
||||||
**[⬆️ Back to Top](#deployment)**
|
**[⬆️ Back to Top](#deployment)**
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|
|
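Review bot: several typos and grammar slips in the new "Securing" section: "if you hare hosting Dashy" should be "if you are hosting Dashy"; the Let's Encrypt paragraph ends without a period after "setting up an SSL certificate", and "support [Wildcard issuance](...) done via ACMEv2 using the DNS-01" is missing "challenge" after "DNS-01"; "getting things setup" should be "set up"; and "you can use a tool like SSL For Free to generate your ... certificate, and support shared hosting servers" reads as if the reader supports shared hosting; "which also supports shared hosting servers" is what is meant. On content, the paragraph names both "ISRG X1 and DST CA X3" as Let's Encrypt's roots; the DST Root CA X3 cross-sign is a legacy compatibility path with a limited lifetime (it expired at the end of September 2021), so it would be safer to point readers at ISRG Root X1 and the linked compatibility page rather than name DST CA X3 as a current root. Finally, the heading jumps from `### Securing` straight to `##### SSL` and `##### Authentication`; that matches the `#####` sub-headings used elsewhere in these docs, but a skipped `####` level may confuse a generated table of contents, so worth a quick check that the docs renderer handles it.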
@ -9,6 +9,10 @@ Both sections and items can have an icon, which is specified using the `icon` at
|
||||||
- [Local Icons](#local-icons)
|
- [Local Icons](#local-icons)
|
||||||
- [No Icon](#no-icon)
|
- [No Icon](#no-icon)
|
||||||
|
|
||||||
|
<p align="center">
|
||||||
|
<img width="400" src="https://i.ibb.co/GTVmZnc/dashy-example-icons.png" />
|
||||||
|
</p>
|
||||||
|
|
||||||
### Font Awesome
|
### Font Awesome
|
||||||
You can use any [Font Awesome Icon](https://fontawesome.com/icons) simply by specifying it's identifier. This is in the format of `[category] [name]` and can be found on the page for any given icon on the Font Awesome site. For example: `fas fa-rocket`, `fab fa-monero` or `fas fa-unicorn`.
|
You can use any [Font Awesome Icon](https://fontawesome.com/icons) simply by specifying it's identifier. This is in the format of `[category] [name]` and can be found on the page for any given icon on the Font Awesome site. For example: `fas fa-rocket`, `fab fa-monero` or `fas fa-unicorn`.
|
||||||
|
|
||||||
|
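Review bot: the new `<p align="center"><img width="400" src="https://i.ibb.co/GTVmZnc/dashy-example-icons.png" /></p>` block hot-links a screenshot from a third-party image host, so the docs page depends on that host staying up and every reader's browser fetches from it; committing the image under the repo (the docs already reference local paths such as `/docs/...`) avoids both the availability and the privacy dependency. The `<img>` also has no `alt` attribute; add one ("Example icons in Dashy") for accessibility. In the unchanged context line below, "specifying it's identifier" should be "its identifier".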
@ -35,7 +39,7 @@ Uses a unique and programmatically generated icon for a given service. This is p
|
||||||
You can also set an icon by passing in a valid URL pointing to the icons location. For example `icon: https://i.ibb.co/710B3Yc/space-invader-x256.png`, this can be in .png, .jpg or .svg format, and hosted anywhere- so long as it's accessible from where you are hosting Dashy. The icon will be automatically scaled to fit, however loading in a lot of large icons may have a negative impact on performance, especially if you visit Dashy from new devices often.
|
You can also set an icon by passing in a valid URL pointing to the icons location. For example `icon: https://i.ibb.co/710B3Yc/space-invader-x256.png`, this can be in .png, .jpg or .svg format, and hosted anywhere- so long as it's accessible from where you are hosting Dashy. The icon will be automatically scaled to fit, however loading in a lot of large icons may have a negative impact on performance, especially if you visit Dashy from new devices often.
|
||||||
|
|
||||||
### Local Icons
|
### Local Icons
|
||||||
You may also want to store your icons locally, bundled within Dashy so that there is no reliance on outside services. This can be done by putting the icons within Dashy's ./public/item-icons/` directory. If you are using Docker, then the easiest option is to map a volume from your host system, for example: `-v /local/image/directory:/app/public/item-icons/`. To reference an icon stored locally, just specify it's name and extension. For example, if my icon was stored in `/app/public/item-icons/maltrail.png`, then I would just set `icon: maltrail.png`.
|
You may also want to store your icons locally, bundled within Dashy so that there is no reliance on outside services. This can be done by putting the icons within Dashy's `./public/item-icons/` directory. If you are using Docker, then the easiest option is to map a volume from your host system, for example: `-v /local/image/directory:/app/public/item-icons/`. To reference an icon stored locally, just specify it's name and extension. For example, if my icon was stored in `/app/public/item-icons/maltrail.png`, then I would just set `icon: maltrail.png`.
|
||||||
|
|
||||||
You can also use sub-folders within the `item-icons` directory to keep things organised. You would then specify an icon with it's folder name slash image name. For example: `networking/monit.png`
|
You can also use sub-folders within the `item-icons` directory to keep things organised. You would then specify an icon with it's folder name slash image name. For example: `networking/monit.png`
|
||||||
|
|
||||||
|
|
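Review bot: the fix here is correct: the old line had an unbalanced backtick before `./public/item-icons/`, and the new line closes the inline code span properly. Two remaining slips in the same lines: "specify it's name and extension" and "with it's folder name" should both be "its", and "hosted anywhere- so long as" needs a space (or a comma) after "anywhere". Since the icon-URL paragraph tells readers an icon can be "hosted anywhere", it would be worth one clause noting what the Local Icons paragraph already implies: an icon loaded from a remote URL is fetched by every visitor's browser, so keeping icons under `./public/item-icons/` removes that outside dependency as well as the performance cost mentioned.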