Securing Domoticz – Authentication
Because there are several options for securing Domoticz, this how-to is divided into several separate how-to’s, each with its own option.
This specific how-to covers setting up authentication in Domoticz itself. You can choose to enforce it for all connections other than your own home network, including the internet. It offers basic protection and is not a complete solution on its own if you want to expose Domoticz to the internet.
This how-to is part of a bigger series of Domoticz how-to’s on sancla.com!
This tutorial has been verified with:
Domoticz 2020.1
Prerequisites
- A running Domoticz installation on the stable Raspbian Buster release, with SSH access. See my previous post for a how-to:
- https://sancla.com/domoticz/raspberry-pi-4-with-domoticz/
- For the Let’s Encrypt SSL certificate, a domain and basic understanding of DNS (DDNS/A-records).
- For port forwarding, basic networking knowledge and ability to create a port forward with IPv4/NAT.
Tested with
- Raspberry Pi 4 (MEM 2GB with 16GB sd-card)
- Raspbian Buster Lite 4.19, February 2020
- Domoticz Stable 2020.1 (compile date 22-3-2020)
Enable authentication
Before we enable authentication, it is very helpful to exempt your local network. This way you only need to authenticate when you connect from the internet; when you are at home on your wifi, authentication is skipped automatically. It also helps prevent accidental lock-outs.
Open your Settings in Domoticz
Depending on the IP address of your Domoticz installation, you need to enter the matching network. For example, if your Domoticz can be reached at IP address 192.168.0.123, add the network 192.168.0.*
For example:
IP address 192.168.1.112 -> Add the network 192.168.1.*
IP address 192.168.224.18 -> Add the network 192.168.224.*
Also, make sure to include the loopback address 127.0.0.1 so any local plugins keep working as expected.
You can also specify exact IP addresses, which comes in handy if you want to test authentication.
If you are a more experienced network specialist, you may need to enter the complete network/subnet (for example 10.*.*.*).
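To check what a given "Local Networks" value actually exempts before relying on it, here is an added Python example (not part of the original post or of Domoticz itself). It assumes the field's entries are separated by ';' and that each entry uses the per-octet '*' wildcard shown above; it also reports entries that exempt more than a single 192.168.x.* sized block, since every address they cover skips authentication.

```python
import ipaddress
import re
from typing import Dict, List

# One Domoticz-style entry: four fields, each 1-3 digits or '*'.
_ENTRY = re.compile(r"^(\d{1,3}|\*)(\.(\d{1,3}|\*)){3}$")


def parse_local_networks(setting: str) -> List[List[str]]:
    """Split the 'Local Networks' field into octet patterns.
    Assumption: entries are separated by ';' as in the settings field."""
    patterns = []
    for raw in setting.split(";"):
        entry = raw.strip()
        if not entry:
            continue
        if not _ENTRY.match(entry):
            raise ValueError(f"invalid local-network entry: {entry!r}")
        octets = entry.split(".")
        for octet in octets:
            if octet != "*" and not 0 <= int(octet) <= 255:
                raise ValueError(f"octet out of range in {entry!r}")
        patterns.append(octets)
    return patterns


def is_exempt(client_ip: str, setting: str) -> bool:
    """True if client_ip matches any entry, i.e. authentication is skipped."""
    parts = str(ipaddress.IPv4Address(client_ip)).split(".")  # rejects malformed input
    return any(
        all(p == "*" or p == part for p, part in zip(pattern, parts))
        for pattern in parse_local_networks(setting)
    )


def exempt_host_count(pattern: List[str]) -> int:
    """Addresses one entry exempts: 256 per wildcard octet."""
    return 256 ** pattern.count("*")


def check_exemptions(setting: str, remote_ip: str) -> Dict[str, object]:
    """Summary for review: which entries exempt more than one /24-sized block,
    and whether a given remote (constructed, non-local) address would bypass auth."""
    patterns = parse_local_networks(setting)
    broad = [".".join(p) for p in patterns if exempt_host_count(p) > 256]
    return {
        "entries": len(patterns),
        "broader_than_one_block": broad,
        "remote_client_exempt": is_exempt(remote_ip, setting),
    }
```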
Next, the authentication for remote access.
Unfortunately, although we can create users (viewers and admins) in Domoticz, these cannot be used for authenticating remote access. For that, Domoticz limits you to a single username and password.
For the authentication itself there are two options: Login Page and Basic-Auth. The Login Page option has a nicer look and a logo, but its larger attack surface makes it less secure by design.
The safest option is the “Basic-Auth” option where you are presented with a ‘dull’ username and password window upon visiting your Domoticz remotely. You can always change this at a later moment but for the sake of security, let’s choose the “Basic-Auth” option. You can see an example of both options further down below…
Give yourself a clean (but personalized) username and password. Make sure it is a strong password; if you need help, you could try the Roboform password generator: https://www.roboform.com/password-generator
Once you enable authentication and you visit Domoticz from a non-exempted IP address, you are required to authenticate:
To reset authentication in case of a boo-boo:
To reset the website username/password in case it is lost, there are two options:
Source: https://www.domoticz.com/wiki/Application_Settings
- Specify -nowwwpwd as a command line argument
- Place a file named 'resetpwd' inside the root Domoticz installation folder (takes up to a minute to reset).