kano, would it be possible to include a secret key for RPC in the config?
Something like:
"api-key" : "this-is-my-secret-it-must-be-included-in-all-API-calls-when-active".
I always hate when people use user/password when there is only one possible username so I think key works fine.
I would like to publicly host my monitoring webpages along with database for historical performance, etc. For privacy reasons I would prefer to put this on a webserver unrelated to my physical location/IP.
Also ANUBIS and "cgminer web monitor" seem to be popular but can be tough for newbies to set up. With breaking version changes, staying up to date can add to workload. The authors could provide public hosting (as a paid service) but some level of security would be a good idea before punching holes in firewalls. IP address limiting works but is harder to manage.
I don't imagine this being very difficult to implement:
a) api-key is off by default.
b) if api-key is set then any RPC call needs to include the key as a JSON parameter or the call fails.
Your thoughts?
I have already put up a pull request a while ago (4 hours) which is somewhat related to this.
Basically it restricts all RPC API access to only be allowed to run commands that return data.
If you use the --api-allow command you can put W: in front of any IP/subnets that you want to have privileged access (Write access)
This means that you can put something like W:MYIP,0/0 on --api-allow and then you can let anyone read it (that you tell) but only MYIP is allowed to send commands like 'switchpool', 'gpuintensity', 'save', 'quit' (i.e. all the commands that change something)
Of course you can have as many W:IP and W:IP/sub as you like - then put 0/0 on the end.
The first match decides the access.
To have true password access, I would implement a secure protocol in the API.
Passing clear text passwords/keys is rather pointless.
Yes, I have been thinking about this for a few weeks and decided to implement the simplest of the two options already today.
We'll see if ckolivas thinks it's OK or not tomorrow when he wakes up.
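The first-match `--api-allow` behaviour described in the reply above, as an added sketch that is not part of the thread and not cgminer's own code. It assumes that short forms such as `0/0` pad with zero octets, that an address matching no entry is refused, and that `summary` stands in for a read-only command; all function names and sample addresses are constructed for illustration.

```python
import ipaddress

# Commands the reply names as changing state; anything else is treated as read-only here.
PRIVILEGED = {"switchpool", "gpuintensity", "save", "quit"}

def parse_allow(spec):
    """Parse an --api-allow style string into ordered (network, can_write) rules."""
    rules = []
    for entry in spec.split(","):
        entry = entry.strip()
        if not entry:
            continue
        write = entry.upper().startswith("W:")
        if write:
            entry = entry[2:]
        addr, _, prefix = entry.partition("/")
        octets = addr.split(".")
        octets += ["0"] * (4 - len(octets))  # assumption: 0/0 means 0.0.0.0/0
        cidr = ".".join(octets) + "/" + (prefix or "32")
        rules.append((ipaddress.ip_network(cidr, strict=False), write))
    return rules

def access_for(rules, client_ip):
    """Return 'write', 'read' or 'deny'; the first matching rule decides."""
    ip = ipaddress.ip_address(client_ip)
    for net, write in rules:
        if ip in net:
            return "write" if write else "read"
    return "deny"  # assumption: no matching entry means no access

def is_allowed(rules, client_ip, command):
    """Apply the read/write split to one API command from one client."""
    level = access_for(rules, client_ip)
    if level == "deny":
        return False
    return level == "write" or command not in PRIVILEGED

def shadowed_rules(rules):
    """Config lint: rules that can never match because an earlier rule covers them."""
    return [
        (str(net), write)
        for i, (net, write) in enumerate(rules)
        if any(net.subnet_of(earlier) for earlier, _ in rules[:i])
    ]
```

Running `shadowed_rules` over a configuration before deploying it catches the ordering mistake where `0/0` is listed ahead of the `W:` entries, which silently leaves the intended admin address with read-only access.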