@scriptmelvin - thanks, but as I was trying to indicate, the current setup is working "fine" (meaning VLC, not the enigma2 client yet); sure, nginx can be set up as well for this matter.
The setup is working on a 512Mb neo2 equipped with Debian, but the idea is to get this one day permanently into a docker on my Synology.
In my current apache2 setup I am using letsencrypt, which is "one way" by default (never found a proper way to do 2way with them as there is no CA), and added the modules "a2enmod ssl proxy_balancer (proxy proxy_http)",
as well as these options to the site's config, "Allow from" and "ProxyPass", e.g.:
<Directory /var/www/html>
Order deny,allow
deny from all
Allow from myserver.dynu.net
</Directory>
ProxyPass "/" "http://192.168.10.4:8001/" connectiontimeout=5 timeout=30
ProxyPassReverse "/" "http://192.168.10.4:8001/"
Ideally I get rid of the Deny, Allow options and would do 2way ssl with a self-signed certificate. As you can see in this posting, I even got that to work when testing the connection with curl;
however, I did not find a way to get the CA "recognised" in the store on my enigma2 box (used /usr/share/ca-certificates,
but perhaps it should have been added to /etc/ssl/certs/ca-certificates.crt together with "update-ca-certificates").
I'll get to that once my "letsencrypt" setup is fully working...
From the URL below you can easily update the local IP to your "fqdn", and it has been proven to work,
but you do not want to be exposed (this requires 8001 to be port-forwarded from your router to the enigma2 box...)
http://192.168.10.4:8001/1:0:1:20:E7:1:FFFF0000:0:0:0
I attached the openwebif configuration settings, and from there you can see https (with client certificate) is possible.
Perhaps for the streaming part similar parameters could be added if you allow 2way SSL as an option, next to VPN...
--cacert : if CA cannot be added in store, but this is only if you want to go for 2way-ssl ( which eliminates the Allow From settings ).
--cert-type : or just assuming P12?
--cert
--pass
I even noticed the "enabled authentication for streaming", but let's forget about that for now.
In the end you should get the following example URL, while the optional 2way ssl parameters get picked up from the config set in openwebif:
http://someaddress.dynu.net/1:0:1:20:E7:1:FFFF0000:0:0:0 # http gets redirected to https
This requires coding effort, and is not preferred as this is a lounge topic, thus most likely the "oneway" ssl route will be the least effort and you get a satisfactory result:
https streams and limited access by Allow / deny all, but once your client IP address changes apache requires a reload (restart) (even that could be scripted, excluded for now).
As a side note, you could even "split" the web interface (80/443) and streaming (8001) parts, e.g. by adding:
ProxyPass "/stream/" "http://192.168.10.4:8001/" connectiontimeout=5 timeout=30
ProxyPassReverse "/stream/" "http://192.168.10.4:8001/"
ProxyPass "/" "http://192.168.10.4/" connectiontimeout=5 timeout=30
ProxyPassReverse "/" "http://192.168.10.4/"
This should look a bit better, so you won't get an error displayed in your browser;
the stream URL should then be updated to "http://someaddress.dynu.net/stream/1:0:1:20:E7:1:FFFF0000:0:0:0".
To summarise: yes, VPN has been proven to work for many, many years already, but maybe that can be "simplified" using nginx or apache and (2way) ssl.
Besides that, it seems to be an upward trend to do API calls over the internet using https and (2way) ssl, except for using a VPN.
If I see how easily things can be set up with letsencrypt in comparison to setting up ovpn, it would be a pity if the last part just won't go (referring to my post: I got things to work in vlc but not on the enigma2 box).
(Let's exclude wireguard from this scenario for now.)
Speed is not an issue here, as max bandwidth would be 25-28Mbps nowadays (4k), and maybe this is not an optimal way of streaming data, but it should be working just fine imho.
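
What the 2way ssl variant discussed in this post could look like on the Apache side, as an added example that is not part of the original post: the Let's Encrypt certificate keeps identifying the server, while client certificates are checked against a separate, self-generated CA, which takes over from the Allow/deny block. The certificate paths and the client CA file name are assumptions; the host name and backend address are the ones used in the post.

```apache
# Added example, not the poster's configuration. Needs mod_ssl, mod_proxy, mod_proxy_http.

# Plain http is only used to redirect to https
<VirtualHost *:80>
    ServerName someaddress.dynu.net
    Redirect permanent "/" "https://someaddress.dynu.net/"
</VirtualHost>

<VirtualHost *:443>
    ServerName someaddress.dynu.net
    SSLEngine on

    # Server side ("one way"): the existing Let's Encrypt certificate.
    # Paths assume certbot's default layout.
    SSLCertificateFile    /etc/letsencrypt/live/someaddress.dynu.net/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/someaddress.dynu.net/privkey.pem

    # Client side ("2way"): only certificates issued by your own CA are accepted.
    # client-ca.crt is a hypothetical file holding that CA's certificate.
    SSLCACertificateFile  /etc/apache2/ssl/client-ca.crt
    SSLVerifyClient       require
    SSLVerifyDepth        1

    # Same split as in the post: streaming under /stream/, web interface under /
    ProxyPass        "/stream/" "http://192.168.10.4:8001/" connectiontimeout=5 timeout=30
    ProxyPassReverse "/stream/" "http://192.168.10.4:8001/"
    ProxyPass        "/" "http://192.168.10.4/" connectiontimeout=5 timeout=30
    ProxyPassReverse "/" "http://192.168.10.4/"
</VirtualHost>
```

Because SSLVerifyClient is set at the virtual host level, a client without a certificate from that CA is refused during the TLS handshake and its request is never proxied to the enigma2 box, regardless of the client's IP address.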