starred/AdGuardHome

Fork 0

mirror of https://github.com/AdguardTeam/AdGuardHome.git synced 2026-03-04 00:01:12 -05:00

Option to completely disable configuration via web UI #1827

New issue

Open

opened 2026-03-04 01:34:24 -05:00 by deekerman · 9 comments

deekerman commented

2026-03-04 01:34:24 -05:00

Owner

Originally created by @yuha0 on GitHub (Jul 27, 2020).

Prerequisites

Please answer the following questions for yourself before submitting an issue. YOU MAY DELETE THE PREREQUISITES SECTION.

I am running the latest version
I checked the documentation and found no answer
I checked to make sure that this issue has not already been filed

Problem Description

Currently, an admin user can configure the instance via the web UI and it does not seem to possible to disable that. There are a few issues regarding this:

From a security perspective, if the web UI is compromised (e.g. password leak), the whole AdGuard Home instance is effectively taken over by the attacker, putting all the users in danger. If the user uses DoH, the interface may even be exposed to the internet, making it even more risky.
I guess allowing web configuration is the only reason why AdGuard Home requires write permission to the configuration file? If the config file is read-only, AdGuard Home complains about it and exits. I deploy AdGuard Home in Kubernetes, and use infrastructure-as-code concept to manage its configuration in git. As a result, AdGuard's configuration file is managed by a Kubernetes ConfigMap object, and it is dynamically mounted to the container on container startup time. ConfigMap is mounted as read-only, since the idea is that the content of the ConfigMap is managed by higher level Kubernetes API and should not be changed through mounted filesystem. To workaround this, I have to do some weird dances to make both Kubernetes and AdGuard happy: Before starts the container, start another "initContainer" to copy the content of the ConfigMap to a shared volume, and start the AdGuard container with that shared volume mounted at /opt/adguardhome/conf/AdGuardHome.yaml:
github.com/yuha0/home-infra@531a899a46/kubernetes/adguardhome/deploy.yaml (L58-L127)

Proposed Solution

Provide an option as command line argument or environment variable to disable web configuration, and when disabled, allow the config file to be read-only and do not attempt to write to it.

This mitigates the security risk since now, in order to make changes to AdGuard, the attacker has to gain access to the filesystem, which is a lot more difficult.

This also allow to use the web interface as a read-only stats dashboard. Unprivileged users or anonymous users can visualize interesting stats while being kept from having the ability to make change to the system.

Alternatives Considered

Additional Information

Originally created by @yuha0 on GitHub (Jul 27, 2020).  ### Prerequisites Please answer the following questions for yourself before submitting an issue. **YOU MAY DELETE THE PREREQUISITES SECTION.** - [x] I am running the latest version - [x] I checked the documentation and found no answer - [x] I checked to make sure that this issue has not already been filed ### Problem Description  Currently, an admin user can configure the instance via the web UI and it does not seem to possible to disable that. There are a few issues regarding this: 1. From a security perspective, if the web UI is compromised (e.g. password leak), the whole AdGuard Home instance is effectively taken over by the attacker, putting all the users in danger. If the user uses DoH, the interface may even be exposed to the internet, making it even more risky. 2. I guess allowing web configuration is the only reason why AdGuard Home requires write permission to the configuration file? If the config file is read-only, AdGuard Home complains about it and exits. I deploy AdGuard Home in Kubernetes, and use infrastructure-as-code concept to manage its configuration in git. As a result, AdGuard's configuration file is managed by a Kubernetes ConfigMap object, and it is dynamically mounted to the container on container startup time. ConfigMap is mounted as read-only, since the idea is that the content of the ConfigMap is managed by higher level Kubernetes API and should not be changed through mounted filesystem. To workaround this, I have to do some weird dances to make both Kubernetes and AdGuard happy: Before starts the container, start another "initContainer" to copy the content of the ConfigMap to a shared volume, and start the AdGuard container with that shared volume mounted at `/opt/adguardhome/conf/AdGuardHome.yaml`: https://github.com/yuha0/home-infra/blob/531a899a4617935a32f2fcce7c43f1e0ba93d092/kubernetes/adguardhome/deploy.yaml#L58-L127 ### Proposed Solution  Provide an option as command line argument or environment variable to disable web configuration, and when disabled, allow the config file to be read-only and do not attempt to write to it. This mitigates the security risk since now, in order to make changes to AdGuard, the attacker has to gain access to the filesystem, which is a lot more difficult. This also allow to use the web interface as a read-only stats dashboard. Unprivileged users or anonymous users can visualize interesting stats while being kept from having the ability to make change to the system. ### Alternatives Considered  ### Additional Information

deekerman added the

feature request

label

2026-03-04 01:34:24 -05:00

deekerman commented

2026-03-04 01:34:29 -05:00

Author

Owner

@Aikatsui commented on GitHub (Jul 27, 2020):

Related #1333 #1558

@Aikatsui commented on GitHub (Jul 27, 2020): Related #1333 #1558

deekerman commented

2026-03-04 01:34:29 -05:00

Author

Owner

@yuha0 commented on GitHub (Jul 27, 2020):

Alternatively, an easier but not-so-elegant solution: simply skipping the file permission check and allow writes to fail without exiting the process -- if a user attempt to save configuration change from the UI, provide proper error message.

@yuha0 commented on GitHub (Jul 27, 2020): Alternatively, an easier but not-so-elegant solution: simply skipping the file permission check and allow writes to fail without exiting the process -- if a user attempt to save configuration change from the UI, provide proper error message.

deekerman commented

2026-03-04 01:34:29 -05:00

Author

Owner

@ameshkov commented on GitHub (Jul 30, 2020):

I guess allowing web configuration is the only reason why AdGuard Home requires write permission to the configuration file?

There's one more reason for it. When AdGuard Home is updated, it tries to update the configuration file as well, we may need to add new properties or change some existing props at that time.

Regarding this feature request, let's wait until we finish with AGH refactoring, it'd be much easier to implement when it's done and config code is decoupled from everything else.

@ameshkov commented on GitHub (Jul 30, 2020): > I guess allowing web configuration is the only reason why AdGuard Home requires write permission to the configuration file? There's one more reason for it. When AdGuard Home is updated, it tries to update the configuration file as well, we may need to add new properties or change some existing props at that time. Regarding this feature request, let's wait until we finish with AGH refactoring, it'd be much easier to implement when it's done and config code is decoupled from everything else.

deekerman commented

2026-03-04 01:34:29 -05:00

Author

Owner

@bitfoo1 commented on GitHub (Mar 28, 2021):

Hi, I came across the same problem. Is there any eta on the refactoring to be finished and when this can be implemented? I would like to avoid a initContainer on K8s.
I think there are more pitfalls with the configuration file, eg. password and username within the configuration. A good solution would be to allow reading from a file or using environment variables.
Thanks!

@bitfoo1 commented on GitHub (Mar 28, 2021): Hi, I came across the same problem. Is there any eta on the refactoring to be finished and when this can be implemented? I would like to avoid a initContainer on K8s. I think there are more pitfalls with the configuration file, eg. password and username within the configuration. A good solution would be to allow reading from a file or using environment variables. Thanks!

deekerman commented

2026-03-04 01:34:29 -05:00

Author

Owner

@ameshkov commented on GitHub (Mar 28, 2021):

@dvonessen no ETA yet, there're not too many upvotes here. Please upvote this issue if you want it to be done sooner.

@ameshkov commented on GitHub (Mar 28, 2021): @dvonessen no ETA yet, there're not too many upvotes here. Please upvote this issue if you want it to be done sooner.

deekerman commented

2026-03-04 01:34:29 -05:00

Author

Owner

@bitfoo1 commented on GitHub (Mar 28, 2021):

@ameshkov thanks for your answere. I did that.
I think with this feature the kubernetes community would straight forward from pi-hole to adguard home.
Great work!

@bitfoo1 commented on GitHub (Mar 28, 2021): @ameshkov thanks for your answere. I did that. I think with this feature the kubernetes community would straight forward from pi-hole to adguard home. Great work!

deekerman commented

2026-03-04 01:34:30 -05:00

Author

Owner

@mikucat0309 commented on GitHub (Apr 1, 2022):

My current workaround is adding an entrypoint.sh to container image
which copy from CONFIG environment variable (e.g /opt/adguardhome/conf/AdGuardHome.yml.ro) to /opt/adguardhome/conf/AdGuardHome.yml first
then pass other arguments to /opt/adguardhome/AdGuardHome

Maybe splitting AGH into frontend and backend is a great idea ?

@mikucat0309 commented on GitHub (Apr 1, 2022): My current workaround is adding an entrypoint.sh to container image which copy from CONFIG environment variable (e.g `/opt/adguardhome/conf/AdGuardHome.yml.ro`) to `/opt/adguardhome/conf/AdGuardHome.yml` first then pass other arguments to `/opt/adguardhome/AdGuardHome` Maybe splitting AGH into frontend and backend is a great idea ?

deekerman commented

2026-03-04 01:34:30 -05:00

Author

Owner

@winston0410 commented on GitHub (Jul 2, 2024):

Another K8s user bothered by this issue passing here. Anyway thank you for your great work and hope to see this being addressed someday

@winston0410 commented on GitHub (Jul 2, 2024): Another K8s user bothered by this issue passing here. Anyway thank you for your great work and hope to see this being addressed someday

deekerman commented

2026-03-04 01:34:30 -05:00

Author

Owner

@especially-relative commented on GitHub (Jul 2, 2024):

My current solution:

In an init container just take the config which is stored as a configmap, and copy it into an emptyDir container

        command:
          - '/bin/sh'
          - '-c'
          - 'sed "s/PODNAME/$POD_NAME/" < /tmp/template/AdGuardHome-template.yaml | sed "s,ADGUARD_HOME_ADMIN_PASSWORD,$ADGUARD_ADMIN_PASSWORD," > /tmp/config/AdGuardHome.yaml '

Then mount that folder into /opt/adguardhome/conf in the main container. Adguard could write to it in the UI but it would be tossed, kinda weird but I basically have no reason to modify things now that it is setup, and as long as I don't forget how I deployed it ;)

@especially-relative commented on GitHub (Jul 2, 2024): My current solution: In an init container just take the config which is stored as a configmap, and copy it into an emptyDir container ``` command: - '/bin/sh' - '-c' - 'sed "s/PODNAME/$POD_NAME/" < /tmp/template/AdGuardHome-template.yaml | sed "s,ADGUARD_HOME_ADMIN_PASSWORD,$ADGUARD_ADMIN_PASSWORD," > /tmp/config/AdGuardHome.yaml ' ``` Then mount that folder into `/opt/adguardhome/conf` in the main container. Adguard could write to it in the UI but it would be tossed, kinda weird but I basically have no reason to modify things now that it is setup, and as long as I don't forget how I deployed it ;)

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/AdGuardHome#1827

No description provided.

Rows
Columns