AdGuardHome icon indicating copy to clipboard operation
AdGuardHome copied to clipboard
verified publisher icon AdguardTeam

Option to completely disable configuration via web UI

Open yuha0 opened this issue 5 years ago • 9 comments

Prerequisites

Please answer the following questions for yourself before submitting an issue. YOU MAY DELETE THE PREREQUISITES SECTION.

  • [x] I am running the latest version
  • [x] I checked the documentation and found no answer
  • [x] I checked to make sure that this issue has not already been filed

Problem Description

Currently, an admin user can configure the instance via the web UI and it does not seem to possible to disable that. There are a few issues regarding this:

  1. From a security perspective, if the web UI is compromised (e.g. password leak), the whole AdGuard Home instance is effectively taken over by the attacker, putting all the users in danger. If the user uses DoH, the interface may even be exposed to the internet, making it even more risky.

  2. I guess allowing web configuration is the only reason why AdGuard Home requires write permission to the configuration file? If the config file is read-only, AdGuard Home complains about it and exits. I deploy AdGuard Home in Kubernetes, and use infrastructure-as-code concept to manage its configuration in git. As a result, AdGuard's configuration file is managed by a Kubernetes ConfigMap object, and it is dynamically mounted to the container on container startup time. ConfigMap is mounted as read-only, since the idea is that the content of the ConfigMap is managed by higher level Kubernetes API and should not be changed through mounted filesystem. To workaround this, I have to do some weird dances to make both Kubernetes and AdGuard happy: Before starts the container, start another "initContainer" to copy the content of the ConfigMap to a shared volume, and start the AdGuard container with that shared volume mounted at /opt/adguardhome/conf/AdGuardHome.yaml: https://github.com/yuha0/home-infra/blob/531a899a4617935a32f2fcce7c43f1e0ba93d092/kubernetes/adguardhome/deploy.yaml#L58-L127

Proposed Solution

Provide an option as command line argument or environment variable to disable web configuration, and when disabled, allow the config file to be read-only and do not attempt to write to it.

This mitigates the security risk since now, in order to make changes to AdGuard, the attacker has to gain access to the filesystem, which is a lot more difficult.

This also allow to use the web interface as a read-only stats dashboard. Unprivileged users or anonymous users can visualize interesting stats while being kept from having the ability to make change to the system.

Alternatives Considered

Additional Information

yuha0 avatar Jul 27 '20 06:07 yuha0

Related #1333 #1558

Aikatsui avatar Jul 27 '20 15:07 Aikatsui

Alternatively, an easier but not-so-elegant solution: simply skipping the file permission check and allow writes to fail without exiting the process -- if a user attempt to save configuration change from the UI, provide proper error message.

yuha0 avatar Jul 27 '20 21:07 yuha0

I guess allowing web configuration is the only reason why AdGuard Home requires write permission to the configuration file?

There's one more reason for it. When AdGuard Home is updated, it tries to update the configuration file as well, we may need to add new properties or change some existing props at that time.

Regarding this feature request, let's wait until we finish with AGH refactoring, it'd be much easier to implement when it's done and config code is decoupled from everything else.

ameshkov avatar Jul 30 '20 10:07 ameshkov

Hi, I came across the same problem. Is there any eta on the refactoring to be finished and when this can be implemented? I would like to avoid a initContainer on K8s. I think there are more pitfalls with the configuration file, eg. password and username within the configuration. A good solution would be to allow reading from a file or using environment variables. Thanks!

dvonessen avatar Mar 28 '21 12:03 dvonessen

@dvonessen no ETA yet, there're not too many upvotes here. Please upvote this issue if you want it to be done sooner.

ameshkov avatar Mar 28 '21 12:03 ameshkov

@ameshkov thanks for your answere. I did that. I think with this feature the kubernetes community would straight forward from pi-hole to adguard home. Great work!

dvonessen avatar Mar 28 '21 12:03 dvonessen

My current workaround is adding an entrypoint.sh to container image which copy from CONFIG environment variable (e.g /opt/adguardhome/conf/AdGuardHome.yml.ro) to /opt/adguardhome/conf/AdGuardHome.yml first then pass other arguments to /opt/adguardhome/AdGuardHome

Maybe splitting AGH into frontend and backend is a great idea ?

mikucat0309 avatar Apr 01 '22 05:04 mikucat0309

Another K8s user bothered by this issue passing here. Anyway thank you for your great work and hope to see this being addressed someday

winston0410 avatar Jul 02 '24 19:07 winston0410

My current solution:

In an init container just take the config which is stored as a configmap, and copy it into an emptyDir container

        command:
          - '/bin/sh'
          - '-c'
          - 'sed "s/PODNAME/$POD_NAME/" < /tmp/template/AdGuardHome-template.yaml | sed "s,ADGUARD_HOME_ADMIN_PASSWORD,$ADGUARD_ADMIN_PASSWORD," > /tmp/config/AdGuardHome.yaml '

Then mount that folder into /opt/adguardhome/conf in the main container. Adguard could write to it in the UI but it would be tossed, kinda weird but I basically have no reason to modify things now that it is setup, and as long as I don't forget how I deployed it ;)

especially-relative avatar Jul 02 '24 20:07 especially-relative