Access to settings pages is now restricted?

  • ltsv38
    Member
    • Jul 2008
    • 93

    Access to settings pages is now restricted?

    > I don't like the new security function if you cannot disable it.

    You can disable it, and it's been described before. But 99% of the
    people who want to disable it do so for the wrong reason. You want to
    disable it in order to work around other limitations, eg. Docker support
    in DSM, or lack of knowledge how to configure Docker properly etc. You
    want to give up a security feature because it seems to be easier than to
    address the real issues.

    I posted on the Bookmarks thread, because I believe you should solve the
    Bookmarks issue, not work around it using a sledgehammer.

    --

    Michael
    Pierre (Grenoble - France)
    2 Squeezebox Touch (main HIFI system & headphone) + 1 Squeezebox Duet (kitchen HIFI system) + 3 Squeezebox Radio
    Ubuntu server with LMS 8.2
  • ltsv38
    Member
    • Jul 2008
    • 93

    #2
    Access to settings pages is now restricted?

    Hello

    I've upgraded my LMS, running on an Ubuntu Server, to v7.9.1 build 1516346293
    And I have a new issue when trying to access the settings using an internet connection (no problem when browsing on my local network)
    Code:
    Slim::Web::HTTP::generateHTTPResponse (975) Access to settings pages is restricted to the local network or localhost: 192.168.0.254 -> settings/index.html
    192.168.0.254 is the IP address of my router on the local network

    Is it a new function of LMS?
    Is it possible, using a setting, to allow or not to use setting as yesterday?

    Thanks
    Pierre
    Pierre (Grenoble - France)
    2 Squeezebox Touch (main HIFI system & headphone) + 1 Squeezebox Duet (kitchen HIFI system) + 3 Squeezebox Radio
    Ubuntu server with LMS 8.2


    • mherger
      Babelfish's Best Boy
      • Apr 2005
      • 24639

      #3
      Access to settings pages is now restricted?

      > Code:
      > --------------------
      > Slim::Web::HTTP::generateHTTPResponse (975) Access to settings pages is restricted to the local network or localhost: 192.168.0.254 -> settings/index.html
      > --------------------
      >
      > 192.168.0.254 is the IP address of my router on the local network
      >
      > Is it a new function of LMS?


      Yes, it's a new feature. Can you tell us more about your system?

      - on what system is your LMS running?
      - what's your LMS' IP address?
      - how do you get access to your network from the outside? SSH tunnel?
      VPN? Or did you simply port forward your LMS to the internet?

      --

      Michael
      Michael

      "It doesn't work - what shall I do?" - "Please check your server.log and/or scanner.log file!"
      (LMS: Settings/Information)


      • ltsv38
        Member
        • Jul 2008
        • 93

        #4
        Originally posted by mherger
        Can you tell us more about your system?
        - on what system is your LMS running?
        - what's your LMS' IP address?
        - how do you get access to your network from the outside? SSH tunnel?
        VPN? Or did you simply port forward your LMS to the internet?
        Michael
        Hi Michael
        - LMS is running on Ubuntu Server
        - IP @ of LMS server is 192.168.0.1
        - I forward my LMS 9000 port to the internet ... of course using a non standard port (differs from 9000)

        But this new feature is a good thing: in the past I had attacks on my LMS server (before I changed the port)... just stupid guys that changed the skin and some basic settings

        Pierre
        Last edited by ltsv38; 2018-01-21, 23:11.
        Pierre (Grenoble - France)
        2 Squeezebox Touch (main HIFI system & headphone) + 1 Squeezebox Duet (kitchen HIFI system) + 3 Squeezebox Radio
        Ubuntu server with LMS 8.2


        • mherger
          Babelfish's Best Boy
          • Apr 2005
          • 24639

          #5
          Access to settings pages is now restricted?

          > - LMS is running on Ubuntu Server
          > - IP @ of LMS server is 192.168.0.1
          > - I forward my LMS 9000 port to the internet ... of course using a non
          > standard port (differs from 9000)


          Ok, a perfect test for the new code :-). Yes, that way the settings are
          no longer accessible from the internet. And the most important aspect of
          this feature is that it lets us tell you that you should must not port
          forward LMS. It's dangerous. Just don't. Not even on a non-standard port.

          --

          Michael
          Michael

          "It doesn't work - what shall I do?" - "Please check your server.log and/or scanner.log file!"
          (LMS: Settings/Information)


          • WilbertS
            Junior Member
            • Sep 2018
            • 2

            #6
            Originally posted by mherger
            > Code:
            > --------------------
            > Slim::Web::HTTP::generateHTTPResponse (975) Access to settings pages is restricted to the local network or localhost: 192.168.0.254 -> settings/index.html
            > --------------------
            >
            > 192.168.0.254 is the IP address of my router on the local network
            >
            > Is it a new function of LMS?


            Yes, it's a new feature. Can you tell us more about your system?

            - on what system is your LMS running?
            - what's your LMS' IP address?
            - how do you get access to your network from the outside? SSH tunnel?
            VPN? Or did you simply port forward your LMS to the internet?

            --

            Michael
            Hi,

            I upgraded to 7.9.2-0.1.1535981655 and I can't access settings page from local net anymore.
            LMS is running on Fedora 27 with 2 NICs: Internet (dhcp) and local network (192.168.147.1). When I tried to access settings from 192.168.147.2:

            Code:
            [18-09-04 10:22:41.2305] Slim::Web::HTTP::generateHTTPResponse (991) Access to settings pages is restricted to the local network or localhost: 192.168.147.2 -> 84.251.xx.xxx (settings/server/basic.html)
            LMS seems to listen all interfaces:
            Code:
            [root@gw ~]# netstat -an | grep 9000
            tcp        0      0 0.0.0.0:9000            0.0.0.0:*               LISTEN
            Is there a setting to bind LMS to a specific IP/interface only?


            • mherger
              Babelfish's Best Boy
              • Apr 2005
              • 24639

              #7
              Originally posted by WilbertS
              Is there a setting to bind LMS to a specific IP/interface only?
              Use the --httpaddr startup parameter (most likely in /etc/sysconfig/squeezeboxserver)
              Michael

              "It doesn't work - what shall I do?" - "Please check your server.log and/or scanner.log file!"
              (LMS: Settings/Information)


              • WilbertS
                Junior Member
                • Sep 2018
                • 2

                #8
                Thanks Michael, that worked!

                I tried earlier to add httpaddr to /etc/squeezeboxserver/server.conf but that didn't help.

                BR
                --
                Wille


                • aidy_w
                  Junior Member
                  • Oct 2018
                  • 10

                  #9
                  Hmmm really, and on Ubuntu?

                  Originally posted by mherger
                  Use the --httpaddr startup parameter (most likely in /etc/sysconfig/squeezeboxserver)
                  Hi thanks for the tip, but this file and nothing like it exists on my Ubuntu.

                  If I look at the server process then I see it is using a file /var/lib/squeezeboxserver/prefs/server.prefs.

                  In here I find

                  allowedHosts: x.x.x.x

                  and just below

                  bindAddress: 127.0.0.1

                  In this file after install there is a direct reference to my public IP interface. (allowedHosts: <mypublicaddress>). This is hardcoded when the package gets installed. NICE! Thank God for iptables!

                  If you try and change this, and restart the server it simply ignores the change. The bind setting on the other hand....if I try changing to any local interface address the server refuses to start.

                  So finally the only way I could get this to work was to also dodging a setting for allowedHosts to 127.0.0.1. But the only way I could make this change and get the server to start was to de-install and purge the deb package. Unplug the public interface, install the package without the Internet connection active and then the loopback address was written into the prefs file and the server started.

                  What the hell is that all about?

                  Some feature! Inverted security.


                  • DJanGo
                    Senior Member
                    • Sep 2005
                    • 2856

                    #10
                    Hi,

                    Originally posted by aidy_w
                    Hi thanks for the tip, but this file and nothing like it exists on my Ubuntu.

                    If I look at the server process then I see it is using a file /var/lib/squeezeboxserver/prefs/server.prefs.

                    In here I find

                    allowedHosts: x.x.x.x

                    Some feature! Inverted security.
                    please calm down and take a look at this

                    after that just make sure:
                    Code:
                    grep ^allowed /var/lib/squeezeboxserver/prefs/server.prefs
                    allowedHosts: 192.168.199.*
                    If you take a look in your init.script -> the file for the startup parameters in debian/ubuntu is this one
                    Code:
                     /etc/default/logitechmediaserver


                    • DJanGo
                      Senior Member
                      • Sep 2005
                      • 2856

                      #11
                      Originally posted by aidy_w
                      So finally the only way I could get this to work was to also dodging a setting for allowedHosts to 127.0.0.1. But the only way I could make this change and get the server to start was to de-install and purge the deb package. Unplug the public interface, install the package without the Internet connection active and then the loopback address was written into the prefs file and the server started.

                      What the hell is that all about?

                      Some feature! Inverted security.
                      Hi again,
                      Code:
                      cat /etc/debian_version
                      buster/sid
                      Code:
                       grep ^bind /var/lib/squeezeboxserver/prefs/server.prefs
                      bindAddress: 127.0.0.1
                      Code:
                      service logitechmediaserver stop
                      Code:
                      sed -i 's|bindAddress: 127.0.0.1|bindAddress: 192.168.199.11|g' /var/lib/squeezeboxserver/prefs/server.prefs
                      Code:
                      grep ^bind /var/lib/squeezeboxserver/prefs/server.prefs
                      bindAddress: 192.168.199.11
                      Code:
                      service logitechmediaserver start
                      Code:
                      tail /var/log/squeezeboxserver/server.log
                      2018-10-27 18:55:22 squeezeboxserver_safe stopped.
                      2018-10-27 18:58:09 squeezeboxserver_safe started.
                      [18-10-27 18:58:10.0442] main::init (387) Starting Logitech Media Server (v7.9.2, 1539967036, Fri Oct 19 19:15:30 CEST 2018) perl 5.026001 - x86_64-linux-gnu-thread-multi
                      What the hell is that all about?
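
A follow-up check for the bind change discussed in posts #6, #7 and #11, as an added example that is not part of any post: it reads `netstat -an` output and reports which address is listening on port 9000. The "before" line is the one quoted in post #6; the "after" lines are constructed, reusing the address from post #11.

```python
import ipaddress

WILDCARDS = {"0.0.0.0", "::", "*"}


def listeners(netstat_output, port=9000):
    """Return the local addresses that have a LISTEN socket on `port`."""
    found = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if "LISTEN" not in fields:
            continue
        for field in fields:
            host, sep, p = field.rpartition(":")
            if sep and p == str(port):
                # "[::]:9000" and ":::9000" both normalise to "::"
                found.append(host.strip("[]") or "*")
                break
    return found


def exposure(addr):
    """Describe how widely a listening address is reachable."""
    if addr in WILDCARDS:
        return "all interfaces"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unknown"
    if ip.is_loopback:
        return "loopback only"
    return "private address" if ip.is_private else "public address"


def audit(netstat_output, port=9000):
    return [(addr, exposure(addr)) for addr in listeners(netstat_output, port)]


# Line quoted in post #6.
BEFORE = "tcp        0      0 0.0.0.0:9000            0.0.0.0:*               LISTEN"
# Constructed sample: expected shape after binding to the LAN address from post #11.
AFTER = """\
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.199.11:9000     0.0.0.0:*               LISTEN
"""

if __name__ == "__main__":
    print("before:", audit(BEFORE))
    print("after: ", audit(AFTER))
```

A result of "all interfaces" on a host that also has an internet-facing NIC, as in post #6, means the web interface is reachable on the public address unless a firewall blocks it.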


                      • Mr. Floppy
                        Senior Member
                        • Apr 2009
                        • 269

                        #12
                        Hi,

                        this topic is old but for me new. I try to install LMS on a docker image which has the IP 172.17.0.2 (on synology). I add the port 9000 to the docker container. If I try to configure the LMS over the GUI from my normal network 192.168.1.0/24 I get a 403 Forbidden: settings/server/wizard.html

                        LMS logfile said:
                        Slim::Web::HTTP::generateHTTPResponse (991) Access to settings pages is restricted to the local network or localhost: 172.17.0.1 -> 172.17.0.2 (settings/server/wizard.html)

                        How can I disable that new "feature"?

                        Edit: I understand that this is not given if you protect the lms. But a fresh installed system starts with a wizard and you have no chance to enable security. And in additional, I don't like a security which is not needed if you stay inside your network. Please add a fix for docker.
                        Last edited by Mr. Floppy; 2019-07-01, 20:55.
                        Logitech Media Server Version: 8.0.0-1584980764 on Synology
                        1x Touch - 2x Boom - 1x Radio + Raspberry PI (piCorePlayer) with TEAC UD-503
                        Yamaha RX-A1080 + ANAVIEW AMS1000 + B&W 803 Diamond + Elac FS247
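
For triaging the denial messages quoted in posts #2, #6 and #12, an added example that is not part of any post: it parses both variants of the log line and reports which source and destination address the server actually recorded. The field names and the scope labels are this example's own; it does not reproduce LMS's internal check.

```python
import ipaddress
import re

# Both variants seen in the thread:
#   "... localhost: SRC -> PAGE"        (logged from line 975)
#   "... localhost: SRC -> DST (PAGE)"  (logged from line 991)
DENIED = re.compile(
    r"Slim::Web::HTTP::generateHTTPResponse \((?P<line>\d+)\) "
    r"Access to settings pages is restricted to the local network or localhost: "
    r"(?P<src>\S+) -> (?P<rest>.+)$"
)
TARGET = re.compile(r"^(?P<dst>\S+) \((?P<page>[^)]+)\)$")


def scope(addr):
    """Classify an address; redacted or malformed values give 'unparsed'."""
    if addr is None:
        return None
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unparsed"
    if ip.is_loopback:
        return "loopback"
    return "private" if ip.is_private else "public"


def parse_denial(log_line):
    """Return a dict describing one denied settings request, or None."""
    m = DENIED.search(log_line)
    if not m:
        return None
    rest = m["rest"].strip()
    t = TARGET.match(rest)
    dst, page = (t["dst"], t["page"]) if t else (None, rest)
    return {"src": m["src"], "src_scope": scope(m["src"]),
            "dst": dst, "dst_scope": scope(dst), "page": page}


# Log lines as quoted in posts #2, #6 and #12 of this thread.
SAMPLES = [
    "Slim::Web::HTTP::generateHTTPResponse (975) Access to settings pages is restricted to the local network or localhost: 192.168.0.254 -> settings/index.html",
    "[18-09-04 10:22:41.2305] Slim::Web::HTTP::generateHTTPResponse (991) Access to settings pages is restricted to the local network or localhost: 192.168.147.2 -> 84.251.xx.xxx (settings/server/basic.html)",
    "Slim::Web::HTTP::generateHTTPResponse (991) Access to settings pages is restricted to the local network or localhost: 172.17.0.1 -> 172.17.0.2 (settings/server/wizard.html)",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(parse_denial(line))
```

In all three quoted lines the recorded source is a private address (the router, a LAN client, the Docker gateway), so the source address in this message is not enough on its own to tell where a request originated.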


                        • mherger
                          Babelfish's Best Boy
                          • Apr 2005
                          • 24639

                          #13
                          Access to settings pages is now restricted?

                          > this topic is old but for me new. I try to install LMS on a docker image
                          > which have the IP 172.17.0.2 (on synology).


                          Just use the Synology package and get rid of the hassle with Docker...

                          --

                          Michael
                          Michael

                          "It doesn't work - what shall I do?" - "Please check your server.log and/or scanner.log file!"
                          (LMS: Settings/Information)


                          • Mr. Floppy
                            Senior Member
                            • Apr 2009
                            • 269

                            #14
                            Yes that's easier. But there is one plug in that doesn't work which I need. Bookmark history is a great plug in for audio books. But that doesn't work in my install and I don't get any support. Wrote two times in the forum. It always starts the album from the beginning and not from bookmark.
                            I try to use that bookmark on a Ubuntu installation and here it's working. So my plan was to use it under docker . But as you see here, it have some different problems.

                            I don't like the new security function if you cannot disable it.

                            Sent from my SM-G930F using Tapatalk
                            Logitech Media Server Version: 8.0.0-1584980764 on Synology
                            1x Touch - 2x Boom - 1x Radio + Raspberry PI (piCorePlayer) with TEAC UD-503
                            Yamaha RX-A1080 + ANAVIEW AMS1000 + B&W 803 Diamond + Elac FS247


                            • edwin2006
                              Senior Member
                              • May 2017
                              • 863

                              #15
                              Is it possible (and how) to add a second subnet to the allowed host so it works when connected via vpn?
                              SqueezeBoxes: 1x Transporter (Living room) 1x SB2 (shed), 1x Radio (Kitchen), 1x Boom (Dining room), 1x piCorePlayer (jacuzzi), 1x piCorePlayer (Garden) 1x OSMC + Squeezelite (Movie room), 1x Touch (Study 2), few spare unit's (SB2, SB3, Boom, Touch)
                              Server: LMS on Pi3B+ 8.1.2 on PcP 7.0.1
                              Network: Draytek, Netgear Smart Switch 24p, Ubiquiti PoE, 3x Ubiquity
