[mythtv-users] Access new web app outside home network
Mark Cooke
mpc_mythtv at jts.homeip.net
Thu Jun 6 10:34:06 UTC 2024
On 06/06/2024 11:07, Paul Gardiner wrote:
> On 06/06/2024 02:57, Mike Hodson wrote:
>> On Wed, Jun 5, 2024, 17:53 Paul Gardiner <lists at glidos.net
>> <mailto:lists at glidos.net>> wrote:
>>
>>
>> On 05/06/2024 22:21, James Linder wrote:
>> >
>> > Methinks a ssh tunnel is much easier.
>> > ssh -p 1234 -R 1200:localhost:6544 me at tigger.ws
>> <mailto:me at tigger.ws>
>> >
>> > Then http://localhost:1200 <http://localhost:1200>
>> <http://localhost:1200/ <http://localhost:1200/>>
>> >
>> > I believe putty can do port forwarding
>>
>> That's a nice alternative, but I don't get how doing two things on
>> every
>> use is easier than one. It's not like one has to configure apache on
>> every use. If you're (say) in an internet cafe then that's google
>> putty
>> or plink, download it, then create your tunnel then open the
>> browser. Am
>> I missing something?
>>
>>
>> No, you're not missing anything in the actions involved, but there is
>> an unmentioned inherent risk of exposing 'too much' to the public
>> facing Internet.
>>
>> There is also the implied 'single command that works most places' vs
>> 'setting up an entirely new service with the configuration and
>> maintenance required thereafter'
>>
>> One could create a batch file / shell script that starts up the SSH
>> tunnel with a pubkey, and then launches the URL afterward.
>>
>>
>> If your proxy is secure, and you properly password protect it and use
>> SSL, you likely are secure enough, however having a [presumably]
>> battle-tested and secure SSH server open is a potentially smaller
>> ongoing risk/config/maintenance concern.
>>
>>
>> Then, there are VPN solutions like Zerotier and Tailscale that
>> provide a very simple to use and self-contained mesh network of your
>> hosts, no open ports needed. I use both myself on a daily basis for
>> work and personal uses.
>>
>>
>> Finally there is always the old standby of OpenVPN but I wager it is
>> potentially harder to get right than the entirety of other software
>> mentioned so far in this thread.
>>
>> I'm a fan of keeping as few open ports as possible accessible to the
>> public. [And on Lumen/CenturyLink/QuantumFiber some of their modems
>> change IPs every 2 hours... So dynamic DNS would be another concern
>> in my case.
>>
>> Lots of potentials here, and you've got a working setup. Changing to
>> another would be a question of risk presented now vs time involved to
>> switch to something different.
>
> I think that's a very nice overview of the issues. Certainly, I would
> have given up on the apache proxy if SSL and password protection had
> not been achievable. And for some, I agree the ongoing maintenance
> could be a pain. For me, not so much because that new conf file is a
> small increment to my existing config.
>
> Paul.
There's then the further extension where you come in over
SSH-port-tunnel (or OpenVPN or Wireguard) and then have the apache proxy
with a separate password in the mix as well. Then you need multiple
levels of compromise before things are really at risk, but it does
depend on your level of paranoia!
If you haven't looked at Wireguard for secure remote access, then it is
relatively trivial to setup compared to OpenVPN and may be worth a look,
and a much more compact code base.
As an aside - I recently did a v0.30 to v0.32 to v0.34 ppa upgrade along
with an Ubuntu 18.04 LTS to 20.04 LTS to 22.04 LTS upgrade. It went
incredibly smoothly thanks to everyone's hard work.
( Upgraded myth ppa on 18.04 as far as I could, did the 18.04 to 20.04
update. Upgraded myth ppa to the furthest I could. Upgraded 20.04 to
22.04. Upgraded myth to the furthest I could. I haven't yet done the
22.04 to 24.04 upgrade because of the release driver for TBS6205 not
supporting Ubuntu 24.04's 6.8.x linux kernel just yet, though there are
some relatively minor patches to make it work in the pipeline.
https://github.com/tbsdtv/linux_media/issues/344 )
Cheers,
Mark
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mythtv.org/pipermail/mythtv-users/attachments/20240606/1a5355e2/attachment.htm>
More information about the mythtv-users
mailing list