login credentials for desktop interface #280

Closed
scratch009 opened this issue Nov 28, 2019 · 14 comments

@scratch009

Maybe I'm overlooking something; I tried to look it up on the forum and in the manual. But is there a way to secure the dashboard with login/password credentials? I host teslamate on docker on a network that other users also have access to. I'd rather not have other people look at my whereabouts :)

@ngardiner
Contributor

I've put mine behind an nginx reverse proxy using vouch-proxy for authentication.

Others may have a better setup.

@DrMichael
Collaborator

DrMichael commented Nov 28, 2019

I tried to use a reverse proxy with Apache2:

<VirtualHost *:80>
    ProxyPreserveHost On
    ServerName teslamate.yourdomain.com 
    ProxyPass / http://127.0.0.1:4000/
    ProxyPassReverse / http://127.0.0.1:4000/
    CustomLog /var/log/apache2/access.teslamate.log combined
    <Proxy *>
        Authtype Basic
        Authname "Password Required"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
    </Proxy>
</VirtualHost>

<VirtualHost *:80>
    ServerName grafana.yourdomain.com 
    ProxyPass / http://127.0.0.1:3000/
    ProxyPassReverse / http://127.0.0.1:3000/
    CustomLog /var/log/apache2/access.teslamate.log combined
</VirtualHost>

You need to point grafana.yourdomain.com and teslamate.yourdomain.com to your host and you need to create a .htpasswd with htpasswd.

Works fine for Grafana, hangs with Teslamate after loading the text, before loading the map. Any idea?

Access to ports 3000 and 4000 could then be restricted with ufw or through another firewall, e.g. in the router.

@spacecosmos
Contributor

You may get some tips here as well:
Docker step-by-step guide

@DrMichael
Collaborator

Sure, but you cannot get away with port 80, because letsencrypt needs it. When you have Apache running on port 80, you cannot use that.

@timguy99

For Grafana is there any reason why its built-in security isn't being used: https://grafana.com/docs/auth/overview/

I know it might not be enough for some but could be very useful to most.

@adriankumpf
Collaborator

> For Grafana is there any reason why its built-in security isn't being used: https://grafana.com/docs/auth/overview/
>
> I know it might not be enough for some but could be very useful to most.

The focus is on getting new users up and running as quickly as possible :-) Grafana comes with the following env variables / settings by default:

GF_AUTH_BASIC_ENABLED=false
GF_AUTH_ANONYMOUS_ENABLED=true
GF_SECURITY_ADMIN_PASSWORD=admin
GF_SECURITY_ADMIN_USER=admin
GF_USERS_ALLOW_SIGN_UP=false

You can customize them as you like.

@scratch009
Author

Aah, that looks like what I need :) I found some info on Grafana's built-in security settings, but haven't tried it yet. Can these variables be adjusted afterwards, and run the docker-compose up again?
Cheers! Really like teslamate so far :)

@DrMichael
Collaborator

DrMichael commented Nov 29, 2019

Ok, the issue with the Apache reverse proxy is resolved. It was an issue with websockets:

<VirtualHost *:80>
    ProxyPreserveHost On
    ServerName teslamate.yourdomain.com
    ProxyPass /live/websocket ws://127.0.0.1:4000/live/websocket
    ProxyPassReverse /live/websocket ws://127.0.0.1:4000/live/websocket
    ProxyPass / http://127.0.0.1:4000/
    ProxyPassReverse / http://127.0.0.1:4000/
    CustomLog /var/log/apache2/access.teslamate.log combined
    <Proxy *>
        Authtype Basic
        Authname "Password Required"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
    </Proxy>
</VirtualHost>

<VirtualHost *:80>
    ServerName grafana.yourdomain.com
    ProxyPass / http://127.0.0.1:3000/
    ProxyPassReverse / http://127.0.0.1:3000/
    CustomLog /var/log/apache2/access.teslamate.log combined
</VirtualHost>

Both teslamate.yourdomain.com and grafana.yourdomain.com must point to the server. Works like a charm.

To restrict ports 3000 and 4000 to localhost on the server, do the following (if ufw is enabled):

ufw allow from 127.0.0.1 to 127.0.0.1 port 3000 proto tcp
ufw allow from 127.0.0.1 to 127.0.0.1 port 4000 proto tcp

@scratch009
Author

Just to add my experience. I opened my existing docker-compose.yml and added the following lines under grafana environment:

  - GF_AUTH_BASIC_ENABLED=true
  - GF_AUTH_ANONYMOUS_ENABLED=false
  - GF_SECURITY_ADMIN_PASSWORD=admin
  - GF_SECURITY_ADMIN_USER=admin
  - GF_USERS_ALLOW_SIGN_UP=false

and ran docker-compose up again. Even though I had some warning messages, and in docker (which I run on a Synology NAS) I had to restart the services again, everything seemed to work as I wanted. When opening the my.ip:3000 page I have a login screen. Now I only wanted to hide the main teslamate page (port 4000). So in the Synology NAS firewall rules I added a rule for traffic to port 4000. Now nobody can see my current location at least. Not sure this is the right way of doing it but seems to work so far.

Thanks!

@DrMichael
Collaborator

@adriankumpf Wouldn't it be possible to protect teslamate by perhaps the Tesla credentials?

@gundalow
Contributor

gundalow commented Dec 1, 2019

The Advanced Docker setup guide https://github.com/adriankumpf/teslamate/blob/master/docs/installation/docker_advanced.md uses htpasswd to protect teslamate; as others have said, you can use the built-in Grafana user-management.

@DrMichael
Collaborator

DrMichael commented Dec 8, 2019

Please find attached a configuration for Apache to run teslamate and grafana in parallel to Apache. It uses https and assumes that you have a certificate, here from Let's Encrypt, and a .htpasswd set up. Please fill in your domain name in the file.

You still need to restrict access to ports 3000 and 4000.

teslamate.zip

@DrMichael
Collaborator

DrMichael commented Dec 10, 2019

Restricting access to 3000 and 4000 on the host does not work. Probably it needs to be done via docker-compose.yml.

Question: How would I restrict the access to 3000 resp. 4000 to only the server docker is running on?
Answer: replace
- 4000:4000
with
- 127.0.0.1:4000:4000
in the ports section of the service and same for 3000.
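
An added example, not part of the thread or the TeslaMate project: a small Python audit of a docker-compose file for the two exposures discussed above, ports published without the `127.0.0.1:` prefix and Grafana left with anonymous access or the `admin` default password. The sample compose file and the function names are constructed for illustration; only short-syntax port mappings and list-form environment entries are handled.

```python
# Handles short-syntax port mappings and list-form environment entries only.
LOOPBACK = {"127.0.0.1", "localhost", "[::1]"}
# Grafana settings named in the thread that leave dashboards open when set like this.
WEAK_ENV = {"GF_AUTH_ANONYMOUS_ENABLED": "true", "GF_SECURITY_ADMIN_PASSWORD": "admin"}

# Constructed sample, not taken from the thread.
SAMPLE_COMPOSE = """\
services:
  teslamate:
    image: teslamate/teslamate:latest
    ports:
      - 4000:4000
  grafana:
    environment:
      - GF_AUTH_ANONYMOUS_ENABLED=true
      - GF_SECURITY_ADMIN_PASSWORD=admin
    ports:
      - 127.0.0.1:3000:3000
"""

def not_loopback_only(mapping):
    """True when [HOST_IP:]HOST_PORT:CONTAINER_PORT[/proto] is reachable off-host."""
    parts = mapping.split("/")[0].rsplit(":", 2)
    return len(parts) < 3 or parts[0] not in LOOPBACK

def audit_compose(text):
    """Return (service, kind, value) findings for exposed ports and weak Grafana env."""
    findings, in_services, svc_indent, service, section = [], False, None, None, None
    for raw in text.splitlines():
        item = raw.split(" #")[0].strip()
        if not item or item.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 0:  # top-level key: are we entering the services block?
            in_services, svc_indent, service = item == "services:", None, None
        elif in_services and indent == (svc_indent := svc_indent or indent):
            service, section = item.rstrip(":"), None  # a new service starts here
        elif in_services and item.startswith("- "):
            value = item[2:].strip().strip("'\"")
            key, _, val = value.partition("=")
            if section == "ports" and not_loopback_only(value):
                findings.append((service, "port", value))
            elif section == "environment" and WEAK_ENV.get(key) == val.lower():
                findings.append((service, "env", value))
        elif in_services:  # any other key: remember it only if it opens a list
            section = item.rstrip(":") if item.endswith(":") else None
    return findings

print(audit_compose(SAMPLE_COMPOSE))
```

An empty list means every published port is bound to loopback and neither Grafana default is present; the reverse proxy then becomes the only network path to ports 3000 and 4000.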

@Dulanic
Collaborator

Dulanic commented Apr 17, 2020

I don't want to open a new ticket for this since it's prob an issue on my side... my teslamate has issues loading the main page because it can't seem to load the grafana things on the main page, but the dashboard links work fine... This seems mostly relevant discussion so I'm tagging onto this.

image

These are my settings... grafana has anonymous access allowed...

image

8 participants