Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Restrict log access #17

Open
mhellmeier opened this issue Aug 22, 2021 · 4 comments · Fixed by #18
Open

Restrict log access #17

mhellmeier opened this issue Aug 22, 2021 · 4 comments · Fixed by #18
Labels
enhancement New feature or request

Comments

@mhellmeier
Copy link
Contributor

When running the application, everyone can get detailed information like personal IP address, failures etc. by accessing the log files (just visit /log.json in a browser). Access to the log file should be restricted and only visible by admins.
@mhellmeier mhellmeier mentioned this issue Aug 22, 2021
Merged
@fernwerker
Copy link
Owner

I understand your point. Some thoughts on this:

  • Public IP address will be published anyways as A/AAAA record of your DNS. So this is actually intended behavior of the dyn DNS. So if this is just written in the log.json as well, I wouldn't mind.
  • The history of IP addresses on the other side, is sensible and shouldn't be in there - I agree
  • The other information: yes, could be discussed but not that sensible, but thats where you can disable the log functionality

Suggestion:

  • We add the htaccess as an example configuration but I wouldn't add it as a default file

@mhellmeier
Copy link
Contributor Author

Thanks a lot for your response!

We add the htaccess as an example configuration but I wouldn't add it as a default file

Since you are the owner of the project, it is your decision if you add it as a default case or not. In my opinion, restricted access should be the default case following the Privacy by Default principles. Otherwise, the following thought wouldn't be satisfied:

The history of IP addresses on the other side, is sensible and shouldn't be in there - I agree

Moreover, I don't see the advantages of having a publicly available log.json file.

@fernwerker
Copy link
Owner

As said:
intended use of this tool is, to have my IP adress publicly available and use it within DNS. Therefore having this information public is a must criteria otherwise the tool would be useless.

Reason for log.json file is:

  1. DNS is slow system, therefore the update of an entry needs some time. If you need to have this information ASAP, you can look it up in the json.log
  2. If your DNS API or something else on DNS side fails, the json.log still holds your IP address

After you usually use this, when you are not in the subnet of the dynamic IP address this might be helpful.

If you don't need this, please use .env to turn logging and debugging of. Et voila, no more information.

I'll leave this open to investigate on the history a little further as soon as I find some time, because a feature to restrict historian access is necessary.

@fernwerker fernwerker reopened this Aug 24, 2021
@fernwerker fernwerker added the enhancement New feature or request label Feb 15, 2022
@NiiWiiCamo
Copy link

Personal choice imho, as for the feature: I added a configuration script to my fork / PR that interactively asks you many of those questions. Also added a deny block for nginx users to the examples and as message in the script.

As for me, default should imho be to discourage public log access but inform and empower the user to do whatever they please.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Restrict access to log file
3 participants
@mhellmeier @fernwerker @NiiWiiCamo