[mythtv-users] Access new web app outside home network

James Abernathy jfabernathy at gmail.com
Thu Jun 6 10:22:37 UTC 2024


On Thu, Jun 6, 2024 at 6:09 AM Paul Gardiner <lists at glidos.net> wrote:
>
> On 06/06/2024 02:57, Mike Hodson wrote:
> > On Wed, Jun 5, 2024, 17:53 Paul Gardiner <lists at glidos.net
> > <mailto:lists at glidos.net>> wrote:
> >
> >
> >     On 05/06/2024 22:21, James Linder wrote:
> >      >
> >      >
> >      >
> >      >
> >      > Methinks a ssh tunnel is much easier.
> >      > ssh -p 1234 -R 1200:localhost:6544 me at tigger.ws <mailto:me at tigger.ws>
> >      >
> >      > Then http://localhost:1200 <http://localhost:1200>
> >     <http://localhost:1200/ <http://localhost:1200/>>
> >      >
> >      > I believe putty can do port forwarding
> >
> >     That's a nice alternative, but I don't get how doing two things on
> >     every
> >     use is easier than one. It's not like one has to configure apache on
> >     every use. If you're (say) in an internet cafe then that's google putty
> >     or plink, download it, then create your tunnel then open the
> >     browser. Am
> >     I missing something?
> >
> >
> > No, you're not missing anything in the actions involved, but there is an
> > unmentioned inherent risk of exposing 'too much' to the public facing
> > Internet.
> >
> > There is also the implied 'single command that works most places' vs
> > 'setting up an entirely new service with the configuration and
> > maintenance required thereafter'
> >
> > One could create a batch file / shell script that starts up the SSH
> > tunnel with a pubkey, and then launches the URL afterward.
> >
> >
> > If your proxy is secure, and you properly password protect it and use
> > SSL, you likely are secure enough, however having a [presumably]
> > battle-tested and secure SSH server open is a potentially smaller
> > ongoing risk/config/maintenance concern.
> >
> >
> > Then, there are VPN solutions like Zerotier and Tailscale that provide a
> > very simple to use and self-contained mesh network of your hosts, no
> > open ports needed.  I use both myself on a daily basis for work and
> > personal uses.
> >
> >
> > Finally there is always the old standby of OpenVPN but I wager it is
> > potentially harder to get right than the entirety of other software
> > mentioned so far in this thread.
> >
> > I'm a fan of keeping as few open ports as possible accessible to the
> > public. [And on Lumen/CenturyLink/QuantumFiber some of their modems
> > change IPs every 2 hours... So dynamic DNS would be another concern in
> > my case.
> >
> > Lots of potentials here, and you've got a working setup. Changing to
> > another would be a question of risk presented now vs time involved to
> > switch to something different.
>
> I think that's a very nice overview of the issues. Certainly, I would
> have given up on the apache proxy if SSL and password protection had not
> been achievable. And for some, I agree the ongoing maintenance could be
> a pain. For me, not so much because that new conf file is a small
> increment to my existing config.
>
> Paul.


My 2 cents; I have a Cable modem and my 3rd party wifi router. But I
have a Raspberry PI 3B+ running Pi-hole ad-blocker and it also does
OpenVPN/Wireguard serving. That was easy to set up and creates the
keys I need for my Cell phone and laptop I use on the road. For me
that's the easiest I've tried and it leaves all ports closed except
the VPN port.  I simply click on the network icon in my Laptop's task
bar and turn on the VPN. Then I point my browser to: <mythtv backend
ip>:6544

Jim A


More information about the mythtv-users mailing list