[mythtv-users] Access new web app outside home network

Kevin Johnson iitywygms at gmail.com
Thu Jun 6 02:08:36 UTC 2024


On Wed, Jun 5, 2024 at 9:58 PM Mike Hodson <mystica at gmail.com> wrote:

> On Wed, Jun 5, 2024, 17:53 Paul Gardiner <lists at glidos.net> wrote:
>
>>
>> On 05/06/2024 22:21, James Linder wrote:
>> >
>> > Methinks a ssh tunnel is much easier.
>> > ssh -p 1234 -R 1200:localhost:6544 me@tigger.ws
>> >
>> > Then http://localhost:1200
>> >
>> > I believe putty can do port forwarding
>>
>> That's a nice alternative, but I don't get how doing two things on every
>> use is easier than one. It's not like one has to configure apache on
>> every use. If you're (say) in an internet cafe then that's google putty
>> or plink, download it, then create your tunnel then open the browser. Am
>> I missing something?
>>
>
> No, you're not missing anything in the actions involved, but there is an
> unmentioned inherent risk of exposing 'too much' to the public facing
> Internet.
>
> There is also the implied 'single command that works most places' vs
> 'setting up an entirely new service with the configuration and maintenance
> required thereafter'
>
> One could create a batch file / shell script that starts up the SSH tunnel
> with a pubkey, and then launches the URL afterward.
>
>
> If your proxy is secure, and you properly password protect it and use SSL,
> you likely are secure enough, however having a [presumably] battle-tested
> and secure SSH server open is a potentially smaller ongoing
> risk/config/maintenance concern.
>
>
> Then, there are VPN solutions like Zerotier and Tailscale that provide a
> very simple to use and self-contained mesh network of your hosts, no open
> ports needed.  I use both myself on a daily basis for work and personal
> uses.
>
>
> Finally there is always the old standby of OpenVPN but I wager it is
> potentially harder to get right than the entirety of other software
> mentioned so far in this thread.
>
> I'm a fan of keeping as few open ports as possible accessible to the
> public. [And on Lumen/CenturyLink/QuantumFiber some of their modems change
> IPs every 2 hours... So dynamic DNS would be another concern in my case.]
>
> Lots of potentials here, and you've got a working setup. Changing to
> another would be a question of risk presented now vs time involved to
> switch to something different.
>
> Mike
>

A lot of this discussion is over my pay grade.
But if all you have on the exposed server is the myth backend, are all the
extra steps/security necessary?
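
The "shell script that starts up the SSH tunnel with a pubkey, and then launches the URL" idea from the quoted reply, written out as an added example that is not from any poster in this thread. It assumes it runs on the remote client and uses a local forward (-L) rather than the -R form quoted above; the host name, key path and control-socket path are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Run on the remote client machine.
# All values are placeholders/assumptions; override them via the environment.
SSH_HOST="${SSH_HOST:-me@home.example.net}"   # placeholder login on the home SSH server
SSH_PORT="${SSH_PORT:-1234}"                  # SSH port used in the thread's command
SSH_KEY="${SSH_KEY:-$HOME/.ssh/id_ed25519}"   # assumed private key path
LOCAL_PORT="${LOCAL_PORT:-1200}"              # local end of the tunnel
BACKEND_PORT="${BACKEND_PORT:-6544}"          # backend web port from the thread
CTL="${CTL:-$HOME/.ssh/myth-tunnel.sock}"     # control socket, used to close the tunnel

# Start the tunnel. Any arguments are used as a command prefix, so
# "tunnel echo" prints the ssh command line instead of running it.
#  -f -N                   go to the background once set up, run no remote command
#  IdentitiesOnly          offer only the key named with -i
#  ExitOnForwardFailure    fail instead of running without the forward
#  127.0.0.1 bind address  keep the forwarded port off the local network
tunnel() {
    "$@" ssh -f -N -M -S "$CTL" -p "$SSH_PORT" -i "$SSH_KEY" \
        -o IdentitiesOnly=yes \
        -o ExitOnForwardFailure=yes \
        -L "127.0.0.1:${LOCAL_PORT}:localhost:${BACKEND_PORT}" \
        "$SSH_HOST"
}

# Ask the backgrounded ssh to exit through its control socket.
close_tunnel() { ssh -S "$CTL" -O exit "$SSH_HOST"; }

local_url() { printf 'http://localhost:%s/\n' "$LOCAL_PORT"; }

main() {
    tunnel || { echo "could not set up the tunnel" >&2; return 1; }
    url=$(local_url)
    if command -v xdg-open >/dev/null 2>&1; then xdg-open "$url"
    elif command -v open >/dev/null 2>&1; then open "$url"
    else echo "Tunnel is up; browse to $url"
    fi
}

# "up" connects and opens the browser, "down" closes the tunnel,
# anything else is a dry run that only prints the ssh command.
case "${1:-}" in
    up)   main ;;
    down) close_tunnel ;;
    *)    tunnel echo ;;
esac
```

With this form only the SSH port has to be reachable from outside; the backend's web port is reached through the tunnel on the client's loopback address.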