This repository has been archived by the owner on Sep 28, 2024. It is now read-only.

[syncthing] GUI authentication warnings #340

Closed
salim-b opened this issue Aug 21, 2022 · 8 comments · Fixed by #470
Labels
syncthing syncthing Addon

Comments

@salim-b
Contributor

salim-b commented Aug 21, 2022

Which addon?

syncthing

Problem description

After startup, Syncthing displays a big red non-dismissable "Danger!" banner saying its admin interface would be configured "to allow remote access without a password" and asking to set up a username and password.

This banner was added to Syncthing in syncthing/syncthing#2478 and is displayed whenever the Syncthing admin interface (GUI) is configured to listen on an address other than 127.0.0.1 (this add-on configures Syncthing to listen on 0.0.0.0:8384 and the normal GUI port is disabled and thus not reachable from outside the Home Assistant host).

As far as I understand, the danger banner is

  1. incorrect in case of this add-on since the Syncthing GUI is only accessible from within the Home Assistant host and securely embedded into Home Assistant's GUI via Ingress.

    The Ingress doc explicitly states:

    Users are previously authenticated via Home Assistant. Authentication is not required.

    So there should be really no need to further secure access.

  2. potentially dangerous since web browsers (at least Firefox) get confused and fail to properly load the Syncthing GUI embedded into Home Assistant's GUI if Syncthing GUI credentials are set (they mess up credentials caching or the like). At least this is what I experienced when I first set up a username and password for the Syncthing GUI: After reloading the Home Assistant GUI, the Syncthing GUI wasn't loaded anymore, but no password prompt was displayed either. Others apparently ran into the same issue.

Possible solution

There's an advanced config option insecureAdminAccess in Syncthing that disables the red danger banner and instead triggers a lower severity dismissable yellow warning about this option being enabled. We could set insecureAdminAccess="true" by default. The yellow warning would still be annoying (and confusing) but less dangerous since users are not inclined to configure another pointless layer of credentials which has the potential to (temporarily) lock them out of the Syncthing GUI.

In the medium term, Syncthing devs might even be open to add the possibility to completely suppress the warning. Maybe we should ask politely?

@Poeschl Poeschl added the syncthing syncthing Addon label Aug 21, 2022
@salim-b
Contributor Author

salim-b commented Aug 21, 2022

Additional question: The Ingress doc also says that

Only connections from 172.30.32.2 must be allowed. You should deny access to all other IP addresses within your add-on server.

(cf. nginx example config)

But the currently configured address 0.0.0.0 means to listen on "all IPv4 addresses on the local machine", right? Could we change the startup option to --gui-address=172.30.32.2:8384 instead?

@Poeschl
Owner

Poeschl commented Aug 24, 2022

I will try both suggestions 😉

But it may take a while

@reedy
Contributor

reedy commented Aug 27, 2023

But the currently configured address 0.0.0.0 means to listen on "all IPv4 addresses on the local machine", right? Could we change the startup option to --gui-address=172.30.32.2:8384 instead?

We can't hard code the IP to "172.30.32.2", but we can obviously get it from the system (something like ifconfig | grep "inet " | grep -Fv 127.0.0.1 | awk '{print $2}' from a quick search) and pass that through to the script as a parameter...?

ifconfig | grep "inet " | grep -Fv 127.0.0.1 | awk '{print $2}' | head -n 1 would get the first IP (if more than one)...

This is presuming the necessary tools are in the container, of course...

Would that be necessarily limiting? Presumably, forwarding/exposing 8384 (in the config, not done by default) still work on the HA IP?
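One way to derive the address at startup instead of hard-coding it, written as an added example and not the add-on's own run script. It reads `ip -o -4 addr show` (iproute2) rather than `ifconfig`, which is an assumption about what the container provides; the sample output and the address 172.30.33.5 are constructed for the offline demonstration. When no non-loopback address is found it falls back to 0.0.0.0, i.e. the add-on's current behaviour.

```shell
#!/bin/sh
# Added example (not the add-on's run script): pick the container's first
# non-loopback IPv4 address and build Syncthing's --gui-address argument.
# Assumes iproute2's `ip` is installed in the container.

# Read `ip -o -4 addr show` output on stdin and print the first IPv4 address
# that is not in 127.0.0.0/8. Each one-line record looks like:
#   1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever ...
#   12: eth0    inet 172.30.33.5/23 brd 172.30.33.255 scope global eth0\ ...
# so field 3 is "inet" and field 4 is "address/prefix".
first_nonloopback_ipv4() {
  awk '$3 == "inet" { split($4, a, "/"); if (a[1] !~ /^127\./) { print a[1]; exit } }'
}

# Compose the flag. $1 = address (may be empty), $2 = port.
# An empty address falls back to 0.0.0.0, the add-on's current listen address.
gui_address_arg() {
  addr="${1:-0.0.0.0}"
  printf '%s%s:%s\n' '--gui-address=' "$addr" "$2"
}

# Constructed sample of `ip -o -4 addr show` output for the offline run;
# in the container you would pipe the real command instead.
SAMPLE_IP_OUTPUT='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
12: eth0    inet 172.30.33.5/23 brd 172.30.33.255 scope global eth0\       valid_lft forever preferred_lft forever'

# Stand-alone demonstration on the constructed sample.
demo() {
  ip4=$(printf '%s\n' "$SAMPLE_IP_OUTPUT" | first_nonloopback_ipv4)
  gui_address_arg "$ip4" 8384
}

demo
```

In the real run script the pipeline would be `ip4=$(ip -o -4 addr show | first_nonloopback_ipv4)` followed by `syncthing serve $(gui_address_arg "$ip4" 8384) ...`; whether a forwarded port 8384 keeps working once the listener is bound to that one address, as asked above, is not something this snippet settles.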

@salim-b
Contributor Author

salim-b commented Jan 1, 2024

There's an advanced config option insecureAdminAccess in Syncthing that disables the red danger banner and instead triggers a lower severity dismissable yellow warning about this option being enabled. We could set insecureAdminAccess="true" by default. The yellow warning would still be annoying (and confusing) but less dangerous since users are not inclined to configure another pointless layer of credentials which has the potential to (temporarily) lock them out of the Syncthing GUI.

This config option can be set via the following CLI command while Syncthing is running:

syncthing cli config gui insecure-admin-access set true

This always overwrites a possibly existing <insecureAdminAccess></insecureAdminAccess> configuration option¹ set by the user. But that shouldn't matter.

So I guess we could simply run that command right after launching syncthing. What do you think @Poeschl?

Footnotes

  1. In the Syncthing configuration file, which is located at /config/config.xml in the add-on container or /mnt/data/supervisor/addon_configs/243ffc37_syncthing/config.xml on the host, respectively.
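How the "run that command right after launching syncthing" step from the comment above (and the insecureAdminAccess proposal in the opening post) could be scripted, as an added example that is neither the add-on's nor Syncthing's own code. The CLI needs the daemon's REST API to be up, so the function polls `syncthing cli show system` (an existing CLI command) with a bounded number of attempts before issuing the `set true` command quoted above. It assumes the `syncthing` binary is on PATH and that `syncthing cli` can reach the daemon; the attempt budget and delay are arbitrary values chosen for the example, and the usage lines are commented out so the file runs on its own.

```shell
#!/bin/sh
# Added example (not the add-on's run script): apply insecureAdminAccess=true
# through the Syncthing CLI once the daemon's API answers.
# Assumes `syncthing` is on PATH and `syncthing cli` can reach the running daemon.

# Poll `syncthing cli show system` until it succeeds or the attempt budget is
# spent. $1 = max attempts, $2 = seconds to sleep between attempts.
wait_for_gui_api() {
  attempts=$1
  delay=$2
  n=0
  while [ "$n" -lt "$attempts" ]; do
    if syncthing cli show system >/dev/null 2>&1; then
      return 0
    fi
    n=$((n + 1))
    sleep "$delay"
  done
  echo "Syncthing GUI API did not answer after $attempts attempts" >&2
  return 1
}

# Run the command from the comment above once the API is reachable.
# As noted there, this overwrites whatever <insecureAdminAccess> the user
# had in config.xml on every start. $1 = max attempts (default 30),
# $2 = delay in seconds (default 1); both defaults are example values.
enable_insecure_admin_access() {
  wait_for_gui_api "${1:-30}" "${2:-1}" || return 1
  syncthing cli config gui insecure-admin-access set true
}

# Usage in a run script (left commented out so this file runs stand-alone):
#   syncthing serve --no-browser --gui-address=0.0.0.0:8384 &
#   enable_insecure_admin_access 30 1 || echo "could not set insecureAdminAccess" >&2
#   wait
```

Keeping the wait bounded matters because the add-on's run script would otherwise hang forever if Syncthing fails to start; the failure is reported on stderr and the function returns non-zero so the caller can decide what to do.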

salim-b added a commit to salim-b/Hassio-Addons that referenced this issue Jan 13, 2024
@Poeschl Poeschl mentioned this issue Mar 24, 2024
Merged