Make exposing Valetudo to the internet harder #1286
ccoors announced in zzz_Archive
Locked. Replies: 1 comment
Over the past weeks we repeatedly found Valetudo instances publicly available on the internet. People either configured some port forwarding or are using a reverse proxy.
While most people activate HTTP basic auth, some don't, allowing access to their vacuum robot to basically everyone.
I propose a new configurable Express middleware that checks the source address of a request and blocks it if the source address is not in a private network range.
A basic middleware could look like this:
This should be disableable, like the basic auth.
It would also be required to configure a useful value for the Express "trust proxy" setting to get the correct address behind reverse proxies. That should also be user-configurable, since enabling it without using a reverse proxy would allow an attacker to spoof the HTTP header X-Forwarded-For.
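As an added example (not Valetudo's code and not the snippet from the post, which is not reproduced on this page), here is a self-contained version of the proposed middleware in JavaScript. It runs without the `express` package: the request and response objects are plain objects shaped like Express's, and the assumed `trustedProxies` option is a simplified stand-in for Express's "trust proxy" setting, consulting X-Forwarded-For only when the immediate peer is a listed proxy.

```javascript
// Added example, not Valetudo's code. Express-style middleware that only
// lets requests through when the client address is in a private or
// loopback range. Works on plain objects shaped like Express req/res.

// IPv4 ranges treated as "local": RFC 1918, loopback, link-local.
const PRIVATE_V4 = [
  ['10.0.0.0', 8], ['172.16.0.0', 12], ['192.168.0.0', 16],
  ['127.0.0.0', 8], ['169.254.0.0', 16],
];

function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function inCidr(ip, base, bits) {
  const a = ipv4ToInt(ip), b = ipv4ToInt(base);
  if (a === null || b === null) return false;
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

function isPrivateAddress(ip) {
  if (typeof ip !== 'string') return false;
  let addr = ip.trim().toLowerCase();
  if (addr.startsWith('::ffff:')) addr = addr.slice(7); // IPv4 client on a dual-stack socket
  if (addr === '::1') return true;                       // IPv6 loopback
  if (/^f[cd][0-9a-f]{2}:/.test(addr)) return true;      // fc00::/7 unique local
  if (/^fe[89ab][0-9a-f]:/.test(addr)) return true;      // fe80::/10 link-local
  return PRIVATE_V4.some(([base, bits]) => inCidr(addr, base, bits));
}

// Simplified stand-in for Express "trust proxy" (assumption, not Express's
// own logic): X-Forwarded-For is only believed when the direct peer is a
// known reverse proxy. Otherwise any remote client could claim a LAN address.
function clientAddress(req, trustedProxies) {
  const peer = req.socket.remoteAddress;
  const xff = req.headers['x-forwarded-for'];
  if (xff && trustedProxies.includes(peer)) return xff.split(',')[0].trim();
  return peer;
}

function privateNetworkOnly({ trustedProxies = [] } = {}) {
  return (req, res, next) => {
    if (isPrivateAddress(clientAddress(req, trustedProxies))) return next();
    res.status(403).send('Forbidden: only private-network clients are allowed');
  };
}
```

With real Express the same check would read `req.ip` after `app.set('trust proxy', ...)` has been configured for the actual proxy; the header must stay untrusted when no proxy is in front of Valetudo.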