IMPORTANT: Stop forwarding your LMS ports to the internet!
Can confirm this is a real issue - I ignored the warnings because I couldn't find any decent instructions on how to set up a VPN tunnel (and I was not knowledgeable about the difference between a commercial VPN provider, such as www.privateinternetaccess.com, which was the only type of VPN I knew about, and the type of VPN server you need for LMS, on your router for example; I am now using an Asus router with Merlin firmware VPN server, which you need to set up to access LMS remotely and securely). Setting up the VPN server takes five clicks on the router, and then you download the OpenVPN Connect Android app on the remote device you wish to use, export an .ovpn configuration file from your router interface, import this into the Android device, and you're done. When I had port forwarding on I got hacked after about a month - woke up at 5am to the sounds of some sweet Cuban music - shut down everything and set up the VPN approach the next day.
-
Do the auth in your proxy.
However, how would you handle slimproto since the players do not know how to authenticate?
Paul Webster
Author of "Now Playing" plugins covering Radio France (FIP etc), PlanetRadio (Bauer - Kiss, Absolute, Scala, JazzFM etc), KCRW, ABC Australia and CBC/Radio-Canada
and, via the extra "Radio Now Playing" plugin lots more - see https://forums.slimdevices.com/showt...Playing-plugin
-
If you want to connect a player externally, then I'd strongly suggest you use VPN or SSH tunneling at the very least. The players can't do https nor form auth.
If it's about control (web UI) only you might want to look into something like the free (for basic use) Cloudflare Zero Trust Tunnel (https://developers.cloudflare.com/cl.../connect-apps/). It does reverse proxy and I think form based auth.
Michael
"It doesn't work - what shall I do?" - "Please check your server.log and/or scanner.log file!"
(LMS: Settings/Information)
-
In my case it would just be the web interface I want to expose.
The main reason for this request is that this way it is a "normal" URL with a valid certificate for the rest of the family members, who are not so tech savvy and don't really understand web servers on a different port than normal.
I know they can save it in their favourites, but with Firefox it will keep saying this is not a secure site (if you're running in HTTPS mode).
I can set up either basic auth on LMS or even on my nginx reverse proxy, but that will be basic auth, which does not play nice with mobile browsers and, for instance, 1Password for auto filling, and again the not so technically savvy family members.
The Squeezeboxes are fine connecting internally to port 9000 of the local server.
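An added example, not from the thread or the LMS project, of the "web UI only, auth in the proxy" setup the replies above describe: a TLS-terminating nginx reverse proxy in front of port 9000, with HTTP basic auth handled by nginx. The hostname lms.example.com, the certificate paths and the htpasswd file are assumptions.

```nginx
# Added example, not part of the thread. Assumes nginx runs on the LMS host,
# that lms.example.com has a valid certificate (e.g. from Let's Encrypt) and
# that /etc/nginx/lms.htpasswd exists. Only the web UI (TCP 9000) is published;
# the slimproto player port is never proxied, so players stay LAN/VPN only.

server {
    listen 80;
    server_name lms.example.com;
    return 301 https://$host$request_uri;   # never serve the UI in plaintext
}

server {
    listen 443 ssl;
    server_name lms.example.com;

    ssl_certificate     /etc/letsencrypt/live/lms.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/lms.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Authenticate in the proxy. Keep LMS's own password protection enabled
    # too, so a proxy misconfiguration is not the only gate in front of it.
    auth_basic           "Logitech Media Server";
    auth_basic_user_file /etc/nginx/lms.htpasswd;

    location / {
        proxy_pass         http://127.0.0.1:9000;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
        # The LMS web UI keeps long-running (comet style) requests open;
        # do not buffer them and allow them to stay open.
        proxy_buffering    off;
        proxy_read_timeout 600s;
    }
}
```

On the router, forward only TCP 443 to this host and leave 9000 and the player port unforwarded; firewall the LMS host so port 9000 accepts connections only from the LAN and 127.0.0.1, so the proxy is the sole path in from outside.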
-
I am not familiar with the Sky Router, but I am pretty sure that you don't need to do anything to block access to your LMS. Only if you would want to access your LMS over the internet would you need to configure your router to forward ports 3843 (TCP+UDP) and 9000 (TCP) to the IP address of the server that runs LMS: that would not be safe. But to keep those ports closed you don't need to do anything.
Last edited by CJS; 2023-06-29, 21:10.
| LMS 8.3.2 on Linux Mint 21.2 | Squeezebox Boom | RPi0W + pCP 8.2.0 + HiFiBerry DAC Zero | ESP Muse Luxe |
-
No - that is a bit of magic* from MySB
* the players contact MySB directly and that opens up a way for MySB to control them back through the same route, but it does not open it up for everyone else on the internet
Paul Webster
Author of "Now Playing" plugins covering Radio France (FIP etc), PlanetRadio (Bauer - Kiss, Absolute, Scala, JazzFM etc), KCRW, ABC Australia and CBC/Radio-Canada
and, via the extra "Radio Now Playing" plugin lots more - see https://forums.slimdevices.com/showt...Playing-plugin
-
Note that this topic is about not forwarding ports on your router to the server that runs LMS. If you forward/open ports used by LMS on your router, it is possible to connect your player to your LMS over the internet, basically from anywhere in the world. But it would also enable hackers to operate your local players and change settings in LMS.
For example, in the past I had the SqueezePlay software player installed on my work laptop, and that player could connect to my LMS at home from the office at work. I did have my LMS username+password protected, but as far as I know the LMS username and password are sent unencrypted over the internet, so from a security point of view this setup is not safe.
In case you want to be able to connect your player to your LMS over the internet (i.e. when you are travelling or from work) and avoid hackers being able to access your server, that is still possible by setting up a VPN server in your local network. The procedure is rather complicated and described somewhere on this forum.
Last edited by CJS; 2023-06-30, 11:23.
| LMS 8.3.2 on Linux Mint 21.2 | Squeezebox Boom | RPi0W + pCP 8.2.0 + HiFiBerry DAC Zero | ESP Muse Luxe |