Home of the Squeezebox™ & Transporter® network music players.
  1. #471
    Senior Member
    Join Date
    Apr 2005
    Location
    UK/London
    Posts
    2,010
    I have had this working with the free ngrok service in the early days of this Skill ... but always fancied trying to get it working using nginx so that I did not have to re-do linking on restarting ngrok (wasn't convinced I would use it enough to justify paying for ngrok service to avoid the relink on restart).

    Now I have it working with nginx as the proxy ... I should have made notes as I went through the steps and I still have a bit more to do ... mainly enabling the automatic renewal of the certificate every 60-90 days.

    The software building blocks that I used ... (all free)
    dynu.com - Dynamic DNS to map my IP address to hostname which, importantly, has API to help generate certificates ("acme" process)
    acme.sh - script to generate and renew certificates (from Let's Encrypt in my case)
    ddclient - automatic renewal of dynamic hostname if my external IP address changes
    nginx - reverse proxy to authenticate inbound SSL connection and relay as http to LMS

    I used a non-standard port for the SSL connection (which I then forwarded to a Raspberry Pi where all the above software is running) so could not use the typical https process to generate the certificate ... which is why I went for dynu.com and its support for the "acme" method (see https://acme.sh).

    In addition to the username/password, I have also enabled a check of the IP address that is issuing the request as an extra hurdle to be passed. However, I need to do some more research on this as I know that the skill can connect from a number of different Amazon IP addresses and these could change in the future. Maybe I need to have a check for a particular client certificate being presented but I have not checked to see if Amazon/Skill provides one.

    If the overall setup proves to be stable then I'll probably try to do it again and write up the steps.
    Paul Webster
    http://dabdig.blogspot.com
    Author Radio France (FIP etc) plugin

  2. #472
    Senior Member philchillbill's Avatar
    Join Date
    Jan 2019
    Location
    The Netherlands
    Posts
    243
    Quote Originally Posted by Paul Webster View Post
    (post #471 above, quoted in full)
    Good stuff. As far as whitelisting Amazon IPs goes, they publish a daily list with a few thousand entries that keep changing, so it's not a realistic check.

    What I did with my Apache equivalent of your approach is to use a uuid in the path name being proxied from. So just guessing my joebloggs part of joebloggs.sytes.net is not enough, you need to guess the uuid too. It's an extra level of obscurity. And make sure to block directory listing of the / directory root.
    Last edited by philchillbill; 2020-01-16 at 00:13.

  3. #473
    Senior Member
    Join Date
    Apr 2005
    Location
    UK/London
    Posts
    2,010
    Quote Originally Posted by philchillbill View Post
    What I did with my Apache equivalent of your approach is to use a uuid in the path name being proxied from. So just guessing my joebloggs part of joebloggs.sytes.net is not enough, you need to guess the uuid too. It's an extra level of obscurity. And make sure to block directory listing of the / directory root.
    Good idea - I have done that now.
    Paul Webster
    http://dabdig.blogspot.com
    Author Radio France (FIP etc) plugin
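The following is an added example, not code from either poster: it ties together the building blocks Paul lists in #471 (acme.sh with the Dynu DNS API, nginx terminating TLS on a non-standard port and relaying to LMS over http) with the UUID path segment and "no directory listing" advice from #472. The hostname, port, LMS address, file paths and the `Dynu_ClientId`/`Dynu_Secret` variable names are assumptions (the variable names follow acme.sh's `dnsapi/dns_dynu.sh`, but check your installed version); `systemctl reload nginx` assumes a systemd host such as Raspberry Pi OS.

```shell
#!/bin/sh
# Added example (not from the thread). Generates a random UUID path segment,
# renders an nginx server block that proxies only that path to LMS behind
# basic auth, and issues/installs a Let's Encrypt certificate via acme.sh
# using the Dynu DNS-01 API. All names below are placeholders/assumptions.
set -eu

HOST="${HOST:-myhouse.dynu.net}"                     # assumption: Dynu hostname
TLS_PORT="${TLS_PORT:-8443}"                         # assumption: non-standard port forwarded to the Pi
LMS_UPSTREAM="${LMS_UPSTREAM:-http://127.0.0.1:9000}" # LMS web port on the same Pi
CERT_DIR="${CERT_DIR:-/etc/nginx/certs}"             # assumption
HTPASSWD="${HTPASSWD:-/etc/nginx/lms.htpasswd}"      # assumption: created with htpasswd(1)

# Random, unguessable path segment: a v4 UUID carries 122 bits of entropy,
# so the secret path cannot be brute-forced even if the hostname is known.
uuid_path() {
  if [ -r /proc/sys/kernel/random/uuid ]; then
    cat /proc/sys/kernel/random/uuid
  elif command -v uuidgen >/dev/null 2>&1; then
    uuidgen | tr 'A-Z' 'a-z'
  else
    python3 -c 'import uuid; print(uuid.uuid4())'
  fi
}

# nginx server block: TLS on the non-standard port, basic auth on the UUID
# location, everything else (including /) answered with a bare 404.
render_nginx_conf() {
  uuid="$1"
  cat <<EOF
server {
    listen ${TLS_PORT} ssl;
    server_name ${HOST};

    ssl_certificate     ${CERT_DIR}/fullchain.pem;
    ssl_certificate_key ${CERT_DIR}/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    autoindex off;   # never list directories, at / or anywhere else

    # Only the secret path is proxied, and only with valid credentials.
    # The prefix is stripped, so /${uuid}/jsonrpc.js reaches LMS as /jsonrpc.js.
    location /${uuid}/ {
        auth_basic           "LMS";
        auth_basic_user_file ${HTPASSWD};
        proxy_pass           ${LMS_UPSTREAM}/;
        proxy_set_header     Host \$host;
        proxy_set_header     X-Forwarded-For \$remote_addr;
    }

    # Anything else, including the root, reveals nothing about LMS.
    location / {
        return 404;
    }
}
EOF
}

# DNS-01 issuance through acme.sh's Dynu module: no inbound port 80/443 needed,
# which is the reason a non-standard TLS port works with Let's Encrypt here.
issue_cert() {
  : "${Dynu_ClientId:?set Dynu_ClientId (Dynu API client id)}"
  : "${Dynu_Secret:?set Dynu_Secret (Dynu API secret)}"
  export Dynu_ClientId Dynu_Secret
  acme.sh --issue --dns dns_dynu -d "${HOST}"
  # Copy the cert into place and reload nginx; acme.sh remembers this
  # reloadcmd and reruns it on every automatic renewal.
  acme.sh --install-cert -d "${HOST}" \
    --fullchain-file "${CERT_DIR}/fullchain.pem" \
    --key-file       "${CERT_DIR}/privkey.pem" \
    --reloadcmd      "systemctl reload nginx"
}

case "${1:-}" in
  conf)  render_nginx_conf "$(uuid_path)" ;;   # print a config to paste into sites-enabled/
  issue) issue_cert ;;                         # first-time certificate issuance
  *)     ;;                                    # no argument: only define the functions
esac
```

Run `sh lms-proxy.sh conf > /etc/nginx/sites-enabled/lms.conf` once and keep the generated UUID: the skill's endpoint must then be configured as `https://HOST:TLS_PORT/<uuid>/`, since nothing outside that prefix is proxied. The renewal Paul still had on his list is handled by the daily cron entry that `acme.sh --install` adds; it renews after 60 days and runs the recorded `--reloadcmd`, so no manual relinking is needed.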
