Home of the Squeezebox™ & Transporter® network music players.
  1. #41
    Junior Member
    Join Date
    Aug 2019
    Posts
    4
    Originally Posted by Greg Erskine

    You can't do this.

    Most people only change the LMS port if it clashes with other software. 9001 is usually used.

    I see LMS doesn't support 80 now. I was just trying to make a more user-friendly URL to get to the LMS server. I created a host file record in my pi-hole DNS server that redirects the domain: my.music to the IP of the PCP LMS server... I just can't redirect to a specific port using DNS. Maybe I can create a redirect with busybox httpd from 80 to 9000... will investigate. Thanks.

  2. #42
    Senior Member Greg Erskine's Avatar
    Join Date
    Sep 2006
    Location
    Sydney, Australia
    Posts
    1,915
    Some people consider using port 80 to be less secure because it is the http default.

    The LMS http port number is really not part of piCorePlayer security. It might confuse people talking about it in the same thread/post/paragraph as piCorePlayer http port.

  3. #43
    Junior Member
    Join Date
    Aug 2019
    Posts
    4
    Originally Posted by Greg Erskine
    Some people consider using port 80 to be less secure because it is the http default.

    Agreed, which is why I replied here. I also agree the LMS stuff is off topic, sorry about that.

  4. #44
    Originally Posted by Greg Erskine
    This option will be available in pCP6.0.0 when we release it. Best to wait.

    I just wanted to say thanks to the pCP crew for adding the Security page to the Beta web UI for 6.0! I do hope you'll promote that to the mainstream admin UI, although I suggest you consider a few tweaks:
    1) add a Password Confirmation input on the httpd settings page
    2) add a note that the pCP settings will be saved as soon as the change is applied (I expected that they would NOT be, that I would be able to verify that I could still access the httpd and sshd after setting passwords and just power cycle the Pi if I goofed somehow)
    3) incorporate CSRF protection into the web UI, at least Referer checks. It seems too easy to use CSRF with mere GET requests to effect significant changes on the pCP. Even those w/ authentication required for the web UI are vulnerable to CSRF attacks.

    Thanks!
    owner of the stuff at https://tuxreborn.netlify.app/
    (which used to reside at www.tux.org/~peterw/)
    Note: The best way to reach me is email or PM, as I don't spend much time on the forums.
    Free plugins: AllQuiet Auto Dim/AutoDisplay BlankSaver ContextMenu DenonSerial
    FuzzyTime KidsPlay KitchenTimer PlayLog PowerCenter/BottleRocket SaverSwitcher
    SettingsManager SleepFade StatusFirst SyncOptions VolumeLock

  5. #45
    Senior Member Greg Erskine's Avatar
    Join Date
    Sep 2006
    Location
    Sydney, Australia
    Posts
    1,915
    Originally Posted by peterw
    I just wanted to say thanks to the pCP crew for adding the Security page to the Beta web UI for 6.0! I do hope you'll promote that to the mainstream admin UI, although I suggest you consider a few tweaks:
    1) add a Password Confirmation input on the httpd settings page
    2) add a note that the pCP settings will be saved as soon as the change is applied (I expected that they would NOT be, that I would be able to verify that I could still access the httpd and sshd after setting passwords and just power cycle the Pi if I goofed somehow)
    3) incorporate CSRF protection into the web UI, at least Referer checks. It seems too easy to use CSRF with mere GET requests to effect significant changes on the pCP. Even those w/ authentication required for the web UI are vulnerable to CSRF attacks.

    Thanks!

    Hi peterw,

    Thanks for the feedback. I've added your requests to my list of things to do.

    Regarding #3, there was a fourth page that didn't make it into production that disabled the http server (after a few minutes). I think you can manually change GUI_DISABLE="0" in the pcp.cfg to a few minutes. The CLI setup command ($ setup) has the option to turn off the GUI but it is either on or off, no grace period after reboot.

    regards
    Greg
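
The Referer check suggested in item 3 of post #44, combined with refusing state changes over GET, as an added example that is not part of the thread and not pCP's own code. It assumes a CGI-style handler that receives the standard REQUEST_METHOD, HTTP_HOST and HTTP_REFERER variables; the host name pcp.local, the settings.cgi path and the sample requests are constructed.

```shell
#!/bin/sh
# Added example (not pCP code): CSRF gate for a CGI-style handler.
# Assumes the server exports the standard CGI variables REQUEST_METHOD,
# HTTP_HOST and HTTP_REFERER to the script.

# Print the lower-cased host[:port] of an http(s) URL; fail on anything else.
url_authority() {
    case "$1" in
        http://*)  rest=${1#http://} ;;
        https://*) rest=${1#https://} ;;
        *) return 1 ;;
    esac
    rest=${rest%%[/?#]*}   # cut at the first /, ? or #: drops path, query, fragment
    rest=${rest##*@}       # then drop userinfo, so "name@other-host" yields other-host
    printf '%s' "$rest" | tr 'A-Z' 'a-z'
}

# csrf_check METHOD HOST REFERER: returns 0 to allow a state change, 1 to reject.
csrf_check() {
    method=$1; host=$2; referer=$3
    # Settings changes must not ride on GET (links, image tags, redirects).
    [ "$method" = "POST" ] || return 1
    # A missing Host or Referer is rejected rather than trusted.
    [ -n "$host" ] && [ -n "$referer" ] || return 1
    ref_auth=$(url_authority "$referer") || return 1
    want=$(printf '%s' "$host" | tr 'A-Z' 'a-z')
    # Exact match only: prefix or substring comparisons are bypassable.
    [ "$ref_auth" = "$want" ]
}

# Constructed sample requests (method|Host|Referer); run with: sh file demo
demo() {
    while IFS='|' read -r m h r; do
        if csrf_check "$m" "$h" "$r"; then v=allow; else v=reject; fi
        printf '%-6s %-4s host=%s referer=%s\n' "$v" "$m" "$h" "$r"
    done <<'EOF'
POST|pcp.local|http://pcp.local/settings.cgi
GET|pcp.local|http://pcp.local/settings.cgi
POST|pcp.local|http://pcp.local.attacker.example/page.html
POST|pcp.local|http://pcp.local@attacker.example/page.html
POST|pcp.local|
EOF
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

The comparison is against the full host[:port], so a Referer that spells out a default port the Host header omits is rejected; that errs on the side of refusing the change.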
