[mythtv-users] MythWeb over HTTPS using mod_rewrite
joe at joenyland.co.uk
Fri May 25 15:21:47 UTC 2012
> From:Simon Hobson <linux at thehobsons.co.uk>
> Sent: Fri 25-May-2012 15:42
> To: Discussion about MythTV <mythtv-users at mythtv.org>
> Subject: Re: [mythtv-users] MythWeb over HTTPS using mod_rewrite
> Can't directly help with the problem, but ...
> I assume you've considered the security implications ? Is the
> password being requested by the proxy or your MythWeb site behind it ?
> If you leave an open proxy then sooner or later you will find someone
> using it to proxy connections to outside sites (to attack them while
> hiding their origin). I see requests probing my servers to see if
> mod-rewrite is active on a regular basis.
> Ah, just had a thought on your problem.
> I'd have a look at the source and see what is in the function
> "list_update" which is called by the time navigation buttons and
> menus. I'm just thinking that if the "http" is hard coded (rather
> than using the protocol from the page request) then the time
> navigation would be trying to use http instead of https.
> You could also try using wireshark or similar to see what traffic is
> actually being sent between your machine and the server.
> Simon Hobson
Thanks for the input.
Yes, I've considered the security risks of running a reverse proxy and I appreciate your concern. I am however denying normal forward proxy attempts and purely allowing *reverse* proxy attempts - i.e. connections from the internet in to my LAN. I could be wrong, but as this is reverse proxying, this does not mean I am leaving an open proxy for the internet to use.
(Don't get me wrong - If I could afford the option of running multiple IP addresses for the few services I run from my home servers, then I would by all means run a dedicated hardware firewall and separate router to secure this *properly*, but unfortunately I haven't, nor do I see the worth in doing this for my own home use :-).)
I'll have a look at the source later on and see if I can spot anything along the lines that you've suggested.
The Wireshark suggestion is a good one - thanks. Would SSL not get in the way of seeing what was actually requested from the client browser though?
Thanks for your help.
More information about the mythtv-users