[mythtv-users] Access new web app outside home network
Paul Gardiner
lists at glidos.net
Thu Jun 6 10:07:43 UTC 2024
On 06/06/2024 02:57, Mike Hodson wrote:
> On Wed, Jun 5, 2024, 17:53 Paul Gardiner <lists at glidos.net> wrote:
>
>
> On 05/06/2024 22:21, James Linder wrote:
> >
> > Methinks a ssh tunnel is much easier.
> > ssh -p 1234 -R 1200:localhost:6544 me at tigger.ws
> >
> > Then http://localhost:1200
> >
> > I believe putty can do port forwarding
>
> That's a nice alternative, but I don't get how doing two things on every
> use is easier than one. It's not like one has to configure apache on
> every use. If you're (say) in an internet cafe then that's google putty
> or plink, download it, then create your tunnel then open the browser. Am
> I missing something?
>
>
> No, you're not missing anything in the actions involved, but there is an
> unmentioned inherent risk of exposing 'too much' to the public facing
> Internet.
>
> There is also the implied 'single command that works most places' vs
> 'setting up an entirely new service with the configuration and
> maintenance required thereafter'
>
> One could create a batch file / shell script that starts up the SSH
> tunnel with a pubkey, and then launches the URL afterward.
>
>
> If your proxy is secure, and you properly password protect it and use
> SSL, you likely are secure enough, however having a [presumably]
> battle-tested and secure SSH server open is a potentially smaller
> ongoing risk/config/maintenance concern.
>
>
> Then, there are VPN solutions like Zerotier and Tailscale that provide a
> very simple to use and self-contained mesh network of your hosts, no
> open ports needed. I use both myself on a daily basis for work and
> personal uses.
>
>
> Finally there is always the old standby of OpenVPN but I wager it is
> potentially harder to get right than the entirety of other software
> mentioned so far in this thread.
>
> I'm a fan of keeping as few open ports as possible accessible to the
> public. [And on Lumen/CenturyLink/QuantumFiber some of their modems
> change IPs every 2 hours... So dynamic DNS would be another concern in
> my case.]
>
> Lots of potentials here, and you've got a working setup. Changing to
> another would be a question of risk presented now vs time involved to
> switch to something different.
I think that's a very nice overview of the issues. Certainly, I would
have given up on the apache proxy if SSL and password protection had not
been achievable. And for some, I agree the ongoing maintenance could be
a pain. For me, not so much because that new conf file is a small
increment to my existing config.
Paul.
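
The "shell script that starts up the SSH tunnel with a pubkey, and then launches the URL" idea from the quoted reply, sketched as an added example that is not code from anyone in this thread. It assumes the script runs on the roaming client and therefore uses a local forward (-L) rather than the -R form quoted above; `home.example.org`, the user name, the key path and the control-socket path are placeholders, while ports 1234, 1200 and 6544 are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: key-only SSH tunnel to the MythTV web app, bound to loopback.
# Placeholders (assumptions, not from the thread): host, user, key, socket path.
SSH_HOST="${SSH_HOST:-home.example.org}"
SSH_USER="${SSH_USER:-me}"
SSH_PORT="${SSH_PORT:-1234}"          # SSH port used in the quoted command
LOCAL_PORT="${LOCAL_PORT:-1200}"      # local end of the tunnel
BACKEND_PORT="${BACKEND_PORT:-6544}"  # MythTV web app port on the backend
KEY="${KEY:-$HOME/.ssh/id_ed25519}"
CTL="${CTL:-$HOME/.ssh/mythtv-tunnel.sock}"

# Accept only plain decimal ports, so nothing odd reaches the ssh command line.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Bind the local end to 127.0.0.1 so other hosts on the cafe network
# cannot reach the forwarded port.
forward_spec() {
    valid_port "$LOCAL_PORT" && valid_port "$BACKEND_PORT" || return 1
    printf '127.0.0.1:%s:localhost:%s' "$LOCAL_PORT" "$BACKEND_PORT"
}

tunnel_url() {
    valid_port "$LOCAL_PORT" || return 1
    printf 'http://127.0.0.1:%s/' "$LOCAL_PORT"
}

start_tunnel() {
    spec=$(forward_spec) || { echo "invalid port setting" >&2; return 1; }
    valid_port "$SSH_PORT" || { echo "invalid SSH port" >&2; return 1; }
    # -f backgrounds ssh only after the forward is up (ExitOnForwardFailure);
    # password logins are refused so only the key can authenticate.
    ssh -f -N -M -S "$CTL" -p "$SSH_PORT" -i "$KEY" \
        -o IdentitiesOnly=yes -o PasswordAuthentication=no \
        -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 \
        -L "$spec" "$SSH_USER@$SSH_HOST"
}

# Close the tunnel through the control socket when finished.
stop_tunnel() { ssh -S "$CTL" -O exit "$SSH_USER@$SSH_HOST"; }

case "${1:-}" in
    up)   start_tunnel && { url=$(tunnel_url)
          if command -v xdg-open >/dev/null 2>&1; then xdg-open "$url"
          else echo "Tunnel up, open $url"; fi; } ;;
    down) stop_tunnel ;;
esac
```

Run it as `./tunnel.sh up` before browsing and `./tunnel.sh down` afterwards; with no argument it does nothing.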