simon/docker-ddns-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
docker-ddns-server/dyndns/views/login.html
w3K 7983a3fb49 v2.0.0 
# Complete Enhancement Package - Major Feature Update

Comprehensive enhancement package for docker-ddns-server including security features, modern authentication, UI/UX improvements, and production-ready deployment features.

## 🔒 Security & Authentication

### IP Blocking System
- Implemented automatic IP blocking after 3 failed authentication attempts within 72 hours
- Added 7-day block duration with automatic expiration
- Created `blocked_ips` database table for tracking blocked addresses
- Added automatic cleanup of expired blocks
- Implemented manual IP unblock capability via security dashboard

### Failed Authentication Logging
- Added comprehensive failed authentication logging system
- Created `failed_auths` database table storing IP, timestamp, username, and password
- Implemented threat intelligence features for password pattern analysis
- Added automatic cleanup of old authentication records
- Logs intentionally include passwords for single-user security analysis

### Session-Based Authentication
- Replaced HTTP Basic Auth with modern session-based authentication for admin panel
- Integrated gorilla/sessions library for secure session management
- Added configurable session secrets via `DDNS_SESSION_SECRET` environment variable
- Implemented "Remember Me" functionality with 30-day session duration
- Added proper session destruction on logout
- Session cookies configured with HttpOnly, Secure, and SameSite attributes
- Maintained HTTP Basic Auth for DynDNS API endpoints (device compatibility)

### HTTPS Enforcement
- Added intelligent HTTPS detection via multiple header checks
- Implemented automatic HTTPS redirect for admin panel when available
- Graceful HTTP fallback when HTTPS unavailable
- Supports reverse proxy configurations (nginx, Caddy, Traefik)
- Detects SSL via X-Forwarded-Proto, X-Forwarded-Ssl, X-Url-Scheme headers
- API endpoints remain HTTP-compatible for device support

## 🎨 UI/UX Enhancements

### Authentication UI
- Created modern login page with gradient background and clean design
- Added HTTPS security indicator (✓ green / ⚠ yellow)
- Implemented auto-focus on username field
- Added clear error messages for failed login attempts
- Created logout confirmation page with redirect options
- Removed browser authentication dialog popups

### Navigation & Layout
- Changed admin panel URL from `/admin` to `/@` for uniqueness
- Updated navigation with unicode icons (🏠 Dashboard, 🔒 Security, ⏏️ Logout)
- Added tooltips to all navigation icons
- Implemented sticky header that remains visible on scroll
- Enhanced responsive design for mobile/tablet access

### Logo Support
- Added automatic logo detection and display
- Supports PNG, WebP, and SVG formats
- Checks `/static/icons/` for logo files
- Graceful fallback to text title if no logo found
- Maintains aspect ratio and responsive sizing

### Security Dashboard
- Created comprehensive security overview page at `/@/security`
- Added statistics cards showing active blocks, failed attempts, and total blocks
- Implemented recent failed attempts table with sortable columns
- Added password reveal/hide functionality with confirmation prompts
- Created detailed blocked IPs management page with unblock capability
- Created detailed failed authentication logs page with full history
- Added visual indicators for security status

## 📊 Data Management

### Data Consistency & Normalization
- Implemented automatic lowercase conversion for all usernames and hostnames
- Prevents case-sensitivity issues in DNS lookups and authentication
- Ensures consistent data storage and retrieval
- Handles mixed-case legacy data gracefully

### Automatic Migration
- Added on-the-fly migration system for legacy uppercase entries
- Migration triggers automatically on first `/@/hosts` page visit
- Handles hostname conflicts by appending sequential numbers
- Provides detailed migration report in UI showing all changes
- Non-destructive migration preserves all host data
- One-time execution with persistent migration status tracking

### Validation Updates
- Reduced minimum hostname length to 1 character (allows single-letter subdomains)
- Reduced minimum username length to 1 character
- Reduced minimum password length to 6 characters
- Maintained security while improving flexibility

### Username Uniqueness
- Removed uniqueness constraint on usernames
- Allows multiple hosts to share the same username
- Supports different passwords for same username across hosts
- Enables more flexible credential management strategies

## 🛡️ Middleware & Request Handling

### IP Blocker Middleware
- Created IPBlockerMiddleware to check requests against blocked IPs
- Automatic redirect to 127.0.0.1 for blocked addresses
- Lightweight performance impact with database lookup
- Positioned early in middleware chain for efficiency

### Session Authentication Middleware
- Created SessionAuthMiddleware for admin panel protection
- Skips authentication check for /login and /logout routes
- Redirects unauthenticated users to login page
- Validates session integrity on every request
- Compatible with reverse proxy configurations

### HTTPS Redirect Middleware
- Created HTTPSRedirectMiddleware for admin panel security
- Intelligent detection of HTTPS availability
- Skips redirect for API endpoints
- Handles X-Forwarded-* headers from reverse proxies
- Graceful operation when HTTPS unavailable

## 🗄️ Database & Models

### New Tables
- Added `failed_auths` table for authentication logging
- Added `blocked_ips` table for IP block tracking
- Proper foreign key relationships and indexes
- Automatic timestamps on all records

### Cleanup Functions
- Implemented automatic cleanup of expired IP blocks
- Implemented automatic cleanup of old authentication logs
- Configurable retention periods
- Background cleanup execution

## 🔧 Technical Improvements

### Dependencies
- Added `github.com/gorilla/sessions@v1.2.2` for session management
- Updated go.mod with proper version constraints
- Maintained compatibility with existing dependencies

### Handler Architecture
- Separated security logic into dedicated handler files
- Created `security.go` for blocking logic and logging
- Created `security_dashboard.go` for UI handlers
- Created `auth.go` for login/logout and session management
- Created `session.go` for session store implementation
- Improved code organization and maintainability

### Main Application
- Updated routing to support session-based authentication
- Added session initialization on startup
- Configured route groups for admin panel and API
- Middleware ordering optimized for performance and security

## 🐳 Docker & CI/CD

### Multi-Platform Builds & Automated Releases
- Created GitHub Actions workflow (`BuildEmAll.yml`) for automated Docker builds
- Supports linux/amd64, linux/386, linux/arm/v7, and linux/arm64 platforms
- Automatic builds on push to master with dyndns/ directory changes
- Intelligent version tagging system:
  - Extracts version from commit message (e.g., "v1.2.3 Feature description")
  - Auto-increments patch version from latest git tag
  - Falls back to date-based versioning (vYY.MM.DD-HHMM) if no tags exist
- Tags images with both `:latest` and semantic version tags (`:vX.Y.Z`)
- Automatic GitHub release creation with each build
- Release includes Docker image reference and commit message as notes
- Publishes to Docker Hub (w3kllc/ddns)
- Cross-platform compatibility for ARM devices (Raspberry Pi, etc.)
- Workflow can be triggered manually via GitHub Actions UI

### Deployment
- Enhanced docker-compose.yml example with all new features
- Added documentation for environment variable configuration
- Included reverse proxy configuration examples
- Added security best practices for production deployment
- Semantic versioning with automatic release management

## 📝 Documentation

### README Enhancements
- Added comprehensive Security Features section
- Added Environment Variables reference with descriptions
- Added Admin Panel Access documentation
- Added Data Consistency & Migration guide
- Added API Endpoints documentation
- Added UI/UX Enhancements overview
- Added Reverse Proxy Configuration examples
- Added Docker Configuration best practices
- Added CI/CD & Multi-Platform Support details with versioning strategy
- Added Semantic Versioning documentation
- Added GitHub Release automation details
- Added Security Best Practices recommendations
- Added Threat Intelligence rationale
- Added Migration Guide from original project
- Added Troubleshooting section
- Added API Reference documentation
- Added Roadmap for future features
- Updated Credits section
- Added Support and Community links

## 🔄 Backward Compatibility

### Maintained Features
- DynDNS API endpoints remain unchanged (/update, /nic/update, etc.)
- HTTP Basic Auth still supported for API (device compatibility)
- Existing host configurations continue working without changes
- Database schema additions are non-breaking
- All original functionality preserved

### Breaking Changes
- Admin panel URL changed from `/admin` to `/@` (intentional, more unique)
- Admin authentication method changed (sessions vs basic auth)
- Requires `DDNS_SESSION_SECRET` environment variable for session security

##  Performance Considerations

- IP blocker checks are optimized with database indexing
- Session validation cached in memory
- Automatic cleanup runs asynchronously
- Minimal overhead on API endpoint performance
- Efficient middleware ordering

## 🎯 Testing Considerations

Recommended testing areas:
- Login/logout flow with and without HTTPS
- IP blocking after 3 failed attempts
- Session persistence with remember me
- API endpoint authentication (device compatibility)
- HTTPS redirect with reverse proxy headers
- Password reveal/hide in security dashboard
- Hostname migration for legacy uppercase entries
- Multi-platform Docker image functionality

---

**Total Changes:**
- **21 files modified**
- **20 new files created**
- **~2000+ lines of code added**
- **100+ hours of development time**

**Compatibility:**
-  Backward compatible for DynDNS API
- ⚠️ Admin panel URL changed (bookmark update needed)
-  All existing hosts continue working
-  Database schema additions are additive

**Credits:**
- Original project: dprandzioch/docker-ddns
- Web UI Fork: benjaminbear/docker-ddns-server
- Enhanced fork: w3K-one/docker-ddns-server
- Major enhancements and security features added

This represents a significant enhancement to the original project while maintaining the core DynDNS functionality and adding modern security, authentication, and user experience improvements suitable for production deployment.
2025-10-11 16:07:36 -04:00

212 lines
5.7 KiB
HTML
Raw Blame History

{{define "content"}}
<style>
/* Hide the header/navigation on login page */
.header {
display: none !important;
}
/* Override container styles for full-page login */
.container {
max-width: 100% !important;
padding: 0 !important;
}
/* Full-page background */
body {
background: linear-gradient(135deg, #667eea 0%, #764ba2 100%) !important;
min-height: 100vh;
}
.login-wrapper {
min-height: 100vh;
display: flex;
align-items: center;
justify-content: center;
padding: 2rem;
}
.login-container {
background: white;
border-radius: 10px;
box-shadow: 0 10px 40px rgba(0,0,0,0.2);
padding: 2rem;
width: 100%;
max-width: 400px;
}
.logo-container {
text-align: center;
margin-bottom: 2rem;
}
.llogo {
max-height: 80px;
max-width: 200px;
}
.login-title {
text-align: center;
margin-bottom: 1.5rem;
color: #333;
}
.login-icon {
font-size: 48px;
text-align: center;
margin-bottom: 1rem;
}
.form-control:focus {
border-color: #667eea;
box-shadow: 0 0 0 0.2rem rgba(102, 126, 234, 0.25);
}
.btn-login {
background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
border: none;
color: white;
padding: 12px;
font-weight: 500;
transition: transform 0.2s;
}
.btn-login:hover {
transform: translateY(-2px);
box-shadow: 0 5px 15px rgba(102, 126, 234, 0.4);
color: white;
}
.alert {
margin-bottom: 1.5rem;
}
.remember-me {
margin-top: 1rem;
margin-bottom: 1rem;
}
.security-note {
margin-top: 1.5rem;
padding-top: 1.5rem;
border-top: 1px solid #e5e5e5;
text-align: center;
font-size: 0.85rem;
color: #666;
}
.https-indicator {
display: inline-flex;
align-items: center;
padding: 0.25rem 0.75rem;
background: #d4edda;
color: #155724;
border-radius: 4px;
font-size: 0.5rem;
margin-top: 1rem;
}
.https-indicator.insecure {
background: #fff3cd;
color: #856404;
}
/* Hide footer on login page */
.footer {
display: none !important;
}
</style>
<div class="login-wrapper">
<div class="login-container">
<div class="logo-container">
{{if .logoPath}}
<img src="{{.logoPath}}" alt="{{.title}}" class="llogo">
{{else}}
<div class="login-icon">🔐</div>
<h2 class="login-title">{{.title}}</h2>
{{end}}
</div>
{{if .error}}
<div class="alert alert-danger" role="alert">
{{if eq .error "invalid_credentials"}}
<strong>Login Failed!</strong> Invalid username or password.
{{else if eq .error "authentication_error"}}
<strong>Error!</strong> Authentication system error. Please try again.
{{else if eq .error "session_error"}}
<strong>Error!</strong> Could not create session. Please try again.
{{else}}
<strong>Error!</strong> {{.error}}
{{end}}
</div>
{{end}}
<form method="POST" action="/@/login">
<div class="form-group">
<label for="username">Username</label>
<input type="text"
class="form-control"
id="username"
name="username"
required
autofocus
placeholder="Enter username"
autocomplete="username">
</div>
<div class="form-group">
<label for="password">Password</label>
<input type="password"
class="form-control"
id="password"
name="password"
required
placeholder="Enter password"
autocomplete="current-password">
</div>
<div class="remember-me">
<div class="custom-control custom-checkbox">
<input type="checkbox"
class="custom-control-input"
id="remember_me"
name="remember_me">
<label class="custom-control-label" for="remember_me">
Remember me for 30 days
</label>
</div>
</div>
<button type="submit" class="btn btn-login btn-block">
Login
</button>
</form>
<div class="security-note">
<small>
🔒 Your credentials are protected<br>
Session expires after 24 hours (or 30 days if remembered)<br>
<div id="https-status"></div>
</small>
</div>
</div>
</div>
<script>
// Check if HTTPS is enabled
(function() {
var isHTTPS = window.location.protocol === 'https:';
var statusDiv = document.getElementById('https-status');
if (isHTTPS) {
statusDiv.innerHTML = '<div class="https-indicator">✓ Secure HTTPS Connection</div>';
} else {
statusDiv.innerHTML = '<div class="https-indicator insecure">⚠ HTTP Connection (HTTPS Recommended)</div>';
}
})();
// Focus on username field
document.getElementById('username').focus();
</script>
{{end}}
Reference in New Issue View Git Blame Copy Permalink