Posts: 16
Threads: 4
Joined: Oct 2018
Reputation:
0
02.02.2019, 09:42
(This post was last modified: 02.02.2019, 09:53 by Regis.)
Hi,
I am trying to eliminate passwords for visualization without compromising security too much. Would the LogicMachine be able to accept and use client certificates (mTLS) for the visualization/HTTPS access? I don't see any option in the GUI or in the manual, but perhaps there is a way to achieve this with custom scripts/configuration?
Thanks in advance.
EDIT: So I found LM is using Nginx as web server so it should be possible. Can I access the Nginx config file? I tried to SSH to the LM but I get connection refused to I assume SSH is disabled by default...?
Posts: 4646
Threads: 24
Joined: Aug 2017
Reputation:
207
Hi
Go to system->Services->HTTP SSL certificate this is where you have to paste your certificate.
PS. SSH acces is only for remote debugging and it should be disabled.
BR
------------------------------
Ctrl+F5
Posts: 7764
Threads: 42
Joined: Jun 2015
Reputation:
447
This can be implemented by modifying nginx config file but then you won't be able to have several users with different access rights.
Posts: 16
Threads: 4
Joined: Oct 2018
Reputation:
0
Thanks for the replies. For now I am willing to accept only single user for the visualization if it means no more password entry every time I need to access the visu.
Can you suggest a best way to modify the nginx config file? I tried FTP but that does not seem to be usable for this. I found a way to enable SSH however I cannot login - what is the username/password? I tired "admin", "user", "root" with the admin password for web access but it only results in "Permission denied, please try again."
Posts: 16
Threads: 4
Joined: Oct 2018
Reputation:
0
Anyone?
BTW it seems to be possible to still use user accounts - Nginx can pass the client certificate name to the script handling the web page (PHP, etc. - I am not sure what LM uses). This should be sufficient to correctly distinguish different client certificates and therefore different clients. However some changes in the scripts will be required.
Now that I am thinking about this, is it possible your reply meant that I as an user am not supposed to change the nginx config and therefore this is not possible? I might have misunderstood.