<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Jun 5, 2024 at 9:58 PM Mike Hodson <<a href="mailto:mystica@gmail.com">mystica@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto"><div><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Jun 5, 2024, 17:53 Paul Gardiner <<a href="mailto:lists@glidos.net" rel="noreferrer" target="_blank">lists@glidos.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>On 05/06/2024 22:21, James Linder wrote:<br>
> <br>
> <br>
><br>
> <br>
> Methinks a ssh tunnel is much easier.<br>
> ssh -p 1234 -R 1200:localhost:6544 <a href="mailto:me@tigger.ws" rel="noreferrer noreferrer" target="_blank">me@tigger.ws</a><br>
> <br>
> Then <a href="http://localhost:1200" rel="noreferrer noreferrer noreferrer" target="_blank">http://localhost:1200</a> <<a href="http://localhost:1200/" rel="noreferrer noreferrer noreferrer" target="_blank">http://localhost:1200/</a>><br>
> <br>
> I believe putty can do port forwarding<br>
<br>
That's a nice alternative, but I don't get how doing two things on every <br>
use is easier than one. It's not like one has to configure apache on <br>
every use. If you're (say) in an internet cafe then that's google putty <br>
or plink, download it, then create your tunnel then open the browser. Am <br>
I missing something?<br></blockquote></div></div><div dir="auto"><br></div><div dir="auto"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"></blockquote></div></div><div dir="auto">No, you're not missing anything in the actions involved, but there is an unmentioned inherent risk of exposing 'too much' to the public facing Internet.</div><div dir="auto"><br></div><div dir="auto">There is also the implied 'single command that works most places' vs 'setting up an entirely new service with the configuration and maintenance required thereafter'</div><div dir="auto"><br></div><div dir="auto">One could create a batch file / shell script that starts up the SSH tunnel with a pubkey, and then launches the URL afterward.</div><div dir="auto"><br></div><div dir="auto"><br></div><div dir="auto">If your proxy is secure, and you properly password protect it and use SSL, you likely are secure enough, however having a [presumably] battle-tested and secure SSH server open is a potentially smaller ongoing risk/config/maintenance concern.</div><div dir="auto"><br></div><div dir="auto"><br></div><div dir="auto">Then, there are VPN solutions like Zerotier and Tailscale that provide a very simple to use and self-contained mesh network of your hosts, no open ports needed. I use both myself on a daily basis for work and personal uses. <br></div><div dir="auto"><br></div><div dir="auto"><br></div><div dir="auto">Finally there is always the old standby of OpenVPN but I wager it is potentially harder to get right than the entirety of other software mentioned so far in this thread.</div><div dir="auto"><br></div><div dir="auto">I'm a fan of keeping as few open ports as possible accessible to the public. [And on Lumen/CenturyLink/QuantumFiber some of their modems change IPs every 2 hours... So dynamic DNS would be another concern in my case.</div><div dir="auto"><br></div><div dir="auto">Lots of potentials here, and you've got a working setup. Changing to another would be a question of risk presented now vs time involved to switch to something different.</div><div dir="auto"><br></div><div dir="auto">Mike</div></div></blockquote><div><br></div><div>A lot of this discussion is over my pay grade.</div><div>But if all you have on the exposed server is the myth backend, are all the extra steps/security necessary? </div><div><br></div><div><br></div></div></div>