Custom Web Page for TELEM-GWM

From Phobos Wiki

This is a basic guideline for developing custom web pages for TELEM-GWM. It is assumed that the reader is familiar with the TELEM-GWM configuration software gws.exe and understands how to secure the device. Securing the device is described in Basic Security. An example of custom development can be found in GW6 web schema.

What Features to Enable?

Figure 1 shows the features that can be configured for the web server. Under “IP settings” you can select the firewall settings: on which interface the web server should be enabled, and whether there is an IP address that should have exclusive access to the web page. The TCP port is selected next.

Under http one can disable dynamic server features. “Forbid output control” if checked disables control operations through web server. “Enable GW application logs ..” if checked instructs the web server to send content from log files. “Enable syslog” if checked permits sending of /var/log/messages to the web client. “Enable general information ..” if checked permits sending of firmware revision and some additional info about the device to the web client. “Enable configuration ...” if checked permits sending of the configuration file of the main application to the web client. “Enable events ..” if checked permits sending of events to the web client. Events are encoded in XML.

Under “User” and “Password”, authorization can be enabled. TELEM-GWM uses digest access authentication.

Under “Custom”, custom web content can be selected. You have to select a folder. All content from that folder is sent to the TELEM-GWM to be displayed to the web client.

Under “SSL”, Secure Sockets Layer can be enabled. There are two options: keys generated in the device, or keys generated by the user.

Figure 1: Web Server Settings

Caveats

Three Password Attempts

The server uses session IDs to keep track of authenticated accesses. Sessions time out within 60 seconds. If you connect to the server and enter the wrong password three times, the IP address used gets banned by the firewall. Note that this IP gets banned not only from the web page but from the whole device.

If the user forgets the password, he can look it up in the setup, where it is in plain text. An alternative is to close the browser after two attempts and then retry. However, the server supports only 200 sessions and 50 connections per IP address (4 clients with 50 sessions each). The per-client count can be reduced further by manually configuring the firewall. Note that the firewall state count differs from the server IP count: if you remove the restrictions from the firewall, the web server will still support only 50 connections per IP address and a total of 200 sessions.

All in all, this means that only dummy users who hit the OK button in the login popup 4 times are rejected. Scripts like this work OK:

#!/bin/bash

echo "Get TELEM-GW content!"

# Candidate passwords, in the order shown in the output below
array=( pass 12345 54321 martem123456 password qwerty kjhgfd martem )

for i in "${array[@]}"
do   
    echo "Trying $i"
    
    rm index.html
    curl -s -S --user martem:$i --digest http://10.0.0.29 -o index.html
    
    status=`diff -s -q index.html error.html`
    
    if [ "$status" = "Files index.html and error.html differ" ]; then
        echo "Found, password=$i"
        exit 0
    fi
        
done
    
echo "Done, no password match"

exit -1

And the output:

$ date ; ./telem-gw.sh ; date
Fri Aug 16 13:43:36 EEST 2013
Get TELEM-GW content!
Trying pass
rm: cannot remove `index.html': No such file or directory
Trying 12345
Trying 54321
Trying martem123456
Trying password
Trying qwerty
Trying kjhgfd
Trying martem
Found, password=martem
Fri Aug 16 13:43:53 EEST 2013
$
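
The counting problem described above, as an added example (not TELEM-GWM firmware code and not part of the original page): a failure counter kept per session is compared with one kept per source IP across sessions. The event tuples, IP addresses, function names and the reuse of the 60-second figure as a counting window are assumptions made for the illustration.

```python
from collections import defaultdict, deque

MAX_FAILURES = 3      # the three-attempt limit described on this page
WINDOW_SECONDS = 60   # assumption: the page's 60 s session timeout reused as the window

# Constructed sample events: (time in seconds, source IP, session id, login ok?)
EVENTS = [
    (0, "10.0.0.5", "s1", False),   # client that opens a new session for every guess
    (2, "10.0.0.5", "s2", False),
    (4, "10.0.0.5", "s3", False),
    (6, "10.0.0.5", "s4", False),
    (8, "10.0.0.5", "s5", True),
    (1, "10.0.0.9", "t1", False),   # operator mistyping twice inside one browser session
    (3, "10.0.0.9", "t1", False),
    (5, "10.0.0.9", "t1", True),
]


def banned_per_session(events):
    """Ban an IP only when one single session collects MAX_FAILURES failures."""
    failures = defaultdict(int)
    banned = {}                      # ip -> time of ban
    for ts, ip, session, ok in sorted(events):
        if ip in banned or ok:
            continue
        failures[(ip, session)] += 1
        if failures[(ip, session)] >= MAX_FAILURES:
            banned[ip] = ts
    return banned


def banned_per_ip(events):
    """Ban an IP when it collects MAX_FAILURES failures within the window, across sessions."""
    recent = defaultdict(deque)      # ip -> timestamps of recent failures
    banned = {}
    for ts, ip, _session, ok in sorted(events):
        if ip in banned or ok:
            continue
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > WINDOW_SECONDS:
            window.popleft()         # forget failures older than the window
        if len(window) >= MAX_FAILURES:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    print("per-session counter bans:", banned_per_session(EVENTS))
    print("per-IP counter bans:     ", banned_per_ip(EVENTS))
```

With the per-IP counter the reconnecting client is banned at its third failure, while the operator who mistypes twice is not affected under either policy.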

No Automatic index.html from Subfolder(s)

The web server will not automatically load index.html or index.htm from subfolder(s).

No HTTP to HTTPS Redirection

You need to know which protocol is used. Don't worry, the browser remembers the URLs.