Auth credentials inside vlc addon nginx config

[olegshilov]

I think this is not a place to store credentials

addons/vlc/rootfs/usr/share/tempio/nginx.conf

Line 52 in 9fd88b5

proxy_set_header Authorization "Basic OklOR1JFU1M=";

[joelmoses]

The actual exposure is limited because the same nginx.conf file locks the port access to the supervisor's docker internal IP. But I agree that it's not good practice to hardcode this.

Looks like the implementer is merely trying to lock VLC to the NGINX HA ingress mode for the VLC WebUI. This is clumsy, especially considering they're also generating a telnet secret elsewhere and using it for configuring "cvlc". All it would take is a base64 encoding of the secret prefixed by ":" and passing that value to be written to the resulting file.

[joelmoses]

My stab at a fix is here: #1878

[tofuSCHNITZEL]

I'm wondering... Does this even matter? The vlc port is not exposed outside the container so the only way to access it is via the ingress port of the nginx which is "protected" behind the Home Assistant login...

[github-actions]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.