
Streaming via 2way SSL possible?



#1 dolphs

  • Senior Member
  • 983 posts

+8
Neutral

Posted 4 July 2022 - 11:33

Hi,

 

 

I am thinking to get a separate apache2 https "server" which is actually a proxy to the 8001 port on my enigma2 box.

Replacing http to https ( one way ssl ) should not be a biggie and that can achieved ( easily ) with letsencrypt imho.

Eg " https://your.dns.server/blahdieblah " guides you to BBC1 on your enigma2 box, even if you do http it can be redirected to https before it "proxies" to the enigma2 box..

 

Yet it is needed to add some more security, so "no one" can access unless the client has the CA and key ( two way ssl ), so the client can connect to the "apache server".

imho you should replace your "http"-string ( in /etc/enigma2 ) to the apache server , but keys need to be added.

 

I remember curl is ( or can be installed ) on the enigma2 box so you can test at least the connection, but after testing it would be nice to get it to work on your enigma2 box directly using the proper string ...

Ideally "remotestream convert" gets an update to load the ca and client key.

 

Ideally no more VPN is needed and you can do things through https and 2way ssl.

 

Chaps this is just a thought, perhaps anyone similar experience ?

 

 

Cheers!

 



Re: Streaming via 2way SSL possible? #2 WanWizard

  • PLi® Core member
  • 68,559 posts

+1,737
Excellent

Posted 4 July 2022 - 12:25

Technically possible, if you have the right skills.

 

I only wonder what you will gain compared to OpenVPN, which is a lot easier to setup, more stable, more standard, more secure, and solves the NAT problem in relation to m3u(8) content.


Currently in use: VU+ Duo 4K (2xFBC S2), VU+ Solo 4K (1xFBC S2), uClan Usytm 4K Pro (S2+T2), Octagon SF8008 (S2+T2), Zgemma H9.2H (S2+T2)

Due to my bad health, I will not be very active at times and may be slow to respond. I will not read the forum or PM on a regular basis.

Many answers to your question can be found in our new and improved wiki.


Re: Streaming via 2way SSL possible? #3 dolphs

  • Senior Member
  • 983 posts

+8
Neutral

Posted 4 July 2022 - 13:19

speed ( though 20Mbit continuously works most of the time over VPN as well ) but perhaps I am wrong, again the idea is on a coaster and perhaps I'll mess around with it coming days


Edited by dolphs, 4 July 2022 - 13:20.


Re: Streaming via 2way SSL possible? #4 WanWizard

  • PLi® Core member
  • 68,559 posts

+1,737
Excellent

Posted 4 July 2022 - 15:18

OpenVPN is much more efficient than introducing a proxy with per packet TLS overhead.

 

If you have the hardware to run an apache instance, and you have an issue with the commandline config of OpenVPN, get yourself a GUI, or even something like Sophos UTM Home Edition (which is free).




Re: Streaming via 2way SSL possible? #5 dolphs

  • Senior Member
  • 983 posts

+8
Neutral

Posted 5 July 2022 - 06:32

Last night fiddled around a bit with this matter and established connection using following curl command on enigma2 box

curl -vvI https://someserver.dynu.net --cacert ca.cer --key client.key --cert-type P12 --cert client.p12 --pass "password"

This shows a proper handshake

* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS handshake, CERT verify (15):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
> HEAD / HTTP/1.1
> Host: someserver.dynu.net
> User-Agent: curl/7.66.0
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Date: Tue, 05 Jul 2022 05:21:38 GMT
Date: Tue, 05 Jul 2022 05:21:38 GMT
< Server: Apache/2.4.53 (Debian)
Server: Apache/2.4.53 (Debian)
< Last-Modified: Sun, 05 Jul 2022 02:15:20 GMT
Last-Modified: Sun, 05 Jul 2022 02:15:20 GMT
< ETag: "29cd-5e2dd30fb698d"
ETag: "29cd-5e2dd30fb698d"
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Content-Length: 10701
Content-Length: 10701
< Vary: Accept-Encoding
Vary: Accept-Encoding
< Content-Type: text/html
Content-Type: text/html

<

Now let's find out how to transform the following example to 2way ssl

http://192.168.10.9:8001/1:0:1:20:E7:1:FFFF0000:0:0:0

Edited by dolphs, 5 July 2022 - 06:32.


Re: Streaming via 2way SSL possible? #6 dolphs

  • Senior Member
  • 983 posts

+8
Neutral

Posted 12 July 2022 - 22:54

rats I am almost there but just not yet.

Went for "simple" SSL with " deny / allow " options.

 

Yet: vlc OK 

MYIPADDRESS - - [12/Jul/2022:23:46:17 +0200] "GET /1:0:19:4B60:813:600:FFFF0000:0:0:0 HTTP/1.1" 301 586 "-" "VLC/3.0.17.4 LibVLC/3.0.17.4"

Enigma2 box NOK, Results in " No data on transponder! ( Timeout reading PAT ) however in access.log can see its call :

MYIPADDRESS - - [12/Jul/2022:23:45:33 +0200] "GET /1:0:19:4B60:813:600:FFFF0000:0:0:0 HTTP/1.1" 301 605 "-" "Enigma2 HbbTV/1.1.1 (+PVR+RTSP+DL;OpenPLi;;;)"

These calls are similar to ( http gets redirected to https ): 

http://MYADDRESS.dynu.net/1:0:19:4B60:813:600:FFFF0000:0:0:0

Would be great to get the missing piece

 


Edited by dolphs, 12 July 2022 - 22:55.


Re: Streaming via 2way SSL possible? #7 dolphs

  • Senior Member
  • 983 posts

+8
Neutral

Posted 12 July 2022 - 23:17

forgot to include debug logs ...

 

First channel works ( using my local IP and 8001 ),

now second channel NOK ( my DYNU address which proxies to my enigma2 main box ) :  ProxyPass "/" "http://192.168.10.4:8001"  )

 



Edited by dolphs, 12 July 2022 - 23:17.


Re: Streaming via 2way SSL possible? #8 WanWizard

  • PLi® Core member
  • 68,559 posts

+1,737
Excellent

Posted 13 July 2022 - 13:57

The webif returns an m3u8 file on a stream request, and it contains the stream url with your internal IP.

 

Like wrote here...

 

.. and solves the NAT problem in relation to m3u(8) content.




Re: Streaming via 2way SSL possible? #9 dolphs

  • Senior Member
  • 983 posts

+8
Neutral

Posted 13 July 2022 - 17:48

ok so back to square one again ...

lovely, it will stick to (o)vpn then

( unless the http stream may contain one day parameters: --cacert , --cert and --pass )

cheers :-)



Re: Streaming via 2way SSL possible? #10 WanWizard

  • PLi® Core member
  • 68,559 posts

+1,737
Excellent

Posted 13 July 2022 - 17:52

I don't know if there are ways to change the embedded IP address, I vaguely remember that was possible (as exposing the box via a NAT router has the same issue). But no clue how...




Re: Streaming via 2way SSL possible? #11 scriptmelvin †

  • PLi® Contributor
  • 720 posts

+46
Good

Posted 13 July 2022 - 19:15

( unless the http stream may contain one day parameters: --cacert , --cert and --pass )


You could set up nginx or apache as reverse proxy on a raspberry pi for example to require SSL, cacert, cert and pass. You may even be able to change the IP in the m3u8 that way.

Edit: yes, it's possible. Might require nginx compilation by you.

I can understand your use case: set up once, then simply use at will without connecting the VPN each time.


Edited by scriptmelvin, 13 July 2022 - 19:19.

Sorry to inform you this member, my brother, passed away.

Re: Streaming via 2way SSL possible? #12 scriptmelvin †

  • PLi® Contributor
  • 720 posts

+46
Good

Posted 13 July 2022 - 19:43

Might require nginx compilation by you.


No compilation needed, on raspbian, nginx is built with ngx_http_sub_module.



Re: Streaming via 2way SSL possible? #13 dolphs

  • Senior Member
  • 983 posts

+8
Neutral

Posted 14 July 2022 - 03:04

@scriptmelvin - thanks, but as I was trying to indicate, the current set up is working "fine" ( meaning vlc, not the enigma2 client yet ); sure, nginx can be set up as well for this matter.

Setup is working on a 512Mb neo2 equipped with debian, but idea is to get this one day permanent to a docker on my Synology

 

in my current apache2 setup I am using letsencrypt, which is default "one way" ( never found proper way to do 2way with them as there is no CA ) and added modules " a2enmod ssl proxy_balancer (proxy proxy_http)  ",

as well these options to the sites config "Allow from" and " ProxyPass ", eg :

<Directory /var/www/html>
      Order deny,allow
      deny from all
      Allow from myserver.dynu.net
</Directory>


ProxyPass "/" "http://192.168.10.4:8001/" connectiontimeout=5 timeout=30
ProxyPassReverse "/" "http://192.168.10.4:8001/"

Ideally I get rid of the Deny, Allow options and would do 2way ssl with a self signed certificate. As you can see in this posting even that I got to work testing connection with curl,
however I did not find a way to get the CA "recognised" in the store on my enigma2 box ( used /usr/share/ca-certificates,
but perhaps it should have been added to /etc/ssl/certs/ca-certificates.crt together with " update-ca-certificates ")
I get to that once my "letsencrypt" set-up is fully working...
 
 

From the URLbelow you can update the local IP to your "fqdn" easily and it has been proven to work ,

but you do not want to be exposed  ( this requires 8001 to be portforwarded from your router to enigma2 box ... )

http://192.168.10.4:8001/1:0:1:20:E7:1:FFFF0000:0:0:0

I attached the openwebif configuration settings and from there you can see https ( with client certificate )  is possible,

Perhaps for the streaming part similar parameters could be added if you allow 2way SSL as an option, next to VPN...

--cacert : if CA cannot be added in store, but this is only if you want to go for 2way-ssl ( which eliminates the Allow From settings ).
--cert-type : or just assuming P12?
--cert 
--pass

Even noticed the " enabled authentication for streaming "  but let's forget about that for now. 

in the end you should get following example URL while the optional 2way ssl parameters gets picked up from the config set in openwebif:

http://someaddress.dynu.net/1:0:1:20:E7:1:FFFF0000:0:0:0 # http gets redirected to https

This requires coding effort, and is not preferred as this is a lounge topic, thus most likely the "oneway" ssl route will the least effort and you get a satisfactory result :

https streams and limited access by Allow/ deny all , but once your client IP address changes apache requires a reload(restart) ( even that could be scripted, excluded for now )

 

 

As a side note, you could even "split" the webinterface ( 80/443 ) and streaming (8001) part , eg adding :

ProxyPass "/stream/" "http://192.168.10.4:8001/" connectiontimeout=5 timeout=30
ProxyPassReverse "/stream/" "http://192.168.10.4:8001/"

ProxyPass "/" "http://192.168.10.4/" connectiontimeout=5 timeout=30
ProxyPassReverse "/" "http://192.168.10.4/"

This should look a bit better, so you wont get an error displayed on your browser,

the stream should be updated then to " http://someaddress.dynu.net/stream/1:0:1:20:E7:1:FFFF0000:0:0:0 "

 

 

To summarise, yes, VPN is proven to work for many, many years already, but maybe that can be "simplified" using nginx or apache and ( 2 way ) ssl.

besides that, it seems an upward trend to do API calls over the internet , using https and (2way) ssl, except for using a VPN. 

 

If I see how easy things can be set up with letsencrypt in comparison to setting up ovpn, it would be a pity if the last part just won't go ( referring to my post: I got things to work in vlc but not on the enigma2 box )

( let's exclude wireguard from this scenario for now )

 

Speed is not an issue here as max bandwidth would be 25-28Mbps nowadays ( 4k ) and maybe this is not an optimal way of streaming data, it should be working just fine imho.

 




Re: Streaming via 2way SSL possible? #14 dolphs

  • Senior Member
  • 983 posts

+8
Neutral

Posted 14 July 2022 - 14:09

hurrah, this seems to be the piece that was missing; if bouquets on the client side get updated with a similar URL it seems to work.

Now time for me to recap and reproduce, have been using lots of coasters recently ;-)

https://someserver.dynu.net:443/stream/1:0:19:4B60:813:600:FFFF0000:0:0:0


Re: Streaming via 2way SSL possible? #15 dolphs

  • Senior Member
  • 983 posts

+8
Neutral

Posted 14 July 2022 - 20:30

so find below my notes to set up your apache2 "server"

 

 

pre-reqs:
- free dynamic DNS provider to register address, eg " myaddress.dynu.net "    # In this example dynu.com is used  
- configure your router to keep your dDNS updated, alternatively use ddclient
- open firewall ports, open at least 443 in your router ( optional also 80 to redirect to 443/ https )
 
used:
- SBC with Gig LAN port 
# In this example a nanopi neo2 v1 board is used: 512Mb, 816MHZ 
# with Advanced Encryption Standard (AES) 
 
- flashed 16Gb sdcard with debian 11 and kernel 5.18.x, using Etcher
 
- installed : apache2.4.x, letsencrypt certbot for SSL (http-> https)
 
 
 
--debian 11--
sudo su -


# set proper timezone
dpkg-reconfigure tzdata


# add your domains to /etc/hosts
87.69.115.133  myaddress.dynu.net


# update packages installed
apt update && apt -y upgrade


apt -y install apache2 dnsutils ufw certbot python3-certbot-apache software-properties-common
--/debian 11--






--apache2/letsencrypt--
cd /etc/apache2/sites-available


sed -i 's/#ServerName/ServerName/g' 000-default.conf
sed -i 's/www.example.com/myaddress.dynu.net/g' 000-default.conf


a2enmod ssl proxy_balancer proxy_http 


# Open your firewall NOW! 443(+ 80)


certbot --apache
  - enter email address


  - Y: agree # to register with the ACME server.
  - N: no # do not share your email address with the Electronic Frontier Foundation


  - select the name you registered earlier, eg: "1: myaddress.dynu.net"


Created an SSL vhost at /etc/apache2/sites-enabled/000-default-le-ssl.conf


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://myaddress.dynu.net
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


nano /etc/apache2/sites-available/000-default-le-ssl.conf


<Location />
        ProxyPass "http://192.168.10.4/" connectiontimeout=5 timeout=30
        ProxyPassReverse "http://192.168.10.4/"


        Require host myaddress.dynu.net
#       Require ip 87.69.115.133 # this would be your IPv4 address
</Location>


<Location /stream/>
        ProxyPass "http://192.168.10.4:8001/" connectiontimeout=5 timeout=30
        ProxyPassReverse "http://192.168.10.4:8001/"


        Require host myaddress.dynu.net
#       Require ip 87.69.115.133
</Location>
--/apache2/letsencrypt--


reboot
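Both Apache configurations in this thread (the Allow/Deny version in post #13 and the Require host / Require ip version in the notes above) admit clients by their network address, which is why an address change needs an Apache reload. What follows is an added example, not the poster's notes or any OpenPLi project code, of the mutual-TLS variant the thread set out to build: the public name keeps its Let's Encrypt server certificate, and on top of that Apache refuses the handshake unless the client presents a certificate signed by a private CA you create yourself, so the client's IP no longer matters. The hostname, LAN IP, CA directory and password are assumptions.

```shell
#!/bin/sh
# Added example, not part of the poster's notes: build an Apache vhost that
# keeps the Let's Encrypt server certificate for the public name but also
# demands a client certificate signed by a private, self-signed CA
# (mutual TLS, the "2way ssl" asked about in this thread). Hostname, LAN IP
# and all file paths below are assumptions.
set -eu

# Create the private CA and one client identity as a PKCS#12 bundle.
# $1 = output directory, $2 = password protecting the .p12 (the CA key stays
# on the server; only client.p12 is copied to a box that may stream).
make_client_ca() {
    dir=$1; pw=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:3072 -nodes -days 3650 \
        -subj "/CN=enigma2-private-ca" -keyout "$dir/ca.key" -out "$dir/ca.crt"
    openssl req -newkey rsa:3072 -nodes \
        -subj "/CN=enigma2-client" -keyout "$dir/client.key" -out "$dir/client.csr"
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -out "$dir/client.crt"
    openssl pkcs12 -export -inkey "$dir/client.key" -in "$dir/client.crt" \
        -out "$dir/client.p12" -passout "pass:$pw"
}

# Print the TLS vhost. $1 = public hostname, $2 = enigma2 LAN IP, $3 = CA cert.
gen_vhost() {
    host=$1; box=$2; ca=$3
    cat <<EOF
<VirtualHost *:443>
    ServerName $host
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/$host/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/$host/privkey.pem
    SSLProtocol -all +TLSv1.2 +TLSv1.3

    # Mutual TLS: the handshake fails unless the client presents a
    # certificate chaining to our private CA, whatever IP it comes from.
    SSLCACertificateFile $ca
    SSLVerifyClient require
    SSLVerifyDepth 1

    <Location />
        ProxyPass "http://$box/" connectiontimeout=5 timeout=30
        ProxyPassReverse "http://$box/"
    </Location>
    <Location /stream/>
        ProxyPass "http://$box:8001/" connectiontimeout=5 timeout=30
        ProxyPassReverse "http://$box:8001/"
    </Location>
</VirtualHost>
EOF
}

# Self-check: every directive a mutual-TLS vhost needs is present.
# Prints "ok" and returns 0, or names the first missing directive.
check_vhost() {
    conf=$1
    for d in 'SSLVerifyClient require' 'SSLCACertificateFile' 'SSLVerifyDepth' 'SSLEngine on'; do
        printf '%s\n' "$conf" | grep -q -- "$d" || { echo "missing: $d"; return 1; }
    done
    echo ok
}

# Usage (not run automatically): generate, check, install, then verify from the
# client the same way as the curl test earlier in the thread, minus --cacert
# because the server certificate is the public Let's Encrypt one:
#   make_client_ca /etc/ssl/enigma2-ca 'p12-password'
#   gen_vhost myaddress.dynu.net 192.168.10.4 /etc/ssl/enigma2-ca/ca.crt \
#       > /etc/apache2/sites-available/000-default-le-ssl.conf
#   apache2ctl configtest && systemctl reload apache2
#   curl -I --cert-type P12 --cert client.p12 --pass 'p12-password' https://myaddress.dynu.net/
#   curl -I https://myaddress.dynu.net/   # without a client cert the handshake must fail
if [ "${1:-}" = "demo" ]; then
    gen_vhost myaddress.dynu.net 192.168.10.4 /etc/ssl/enigma2-ca/ca.crt
fi
```

Run it with the argument demo to print the vhost. The second curl line is the check that matters: a request without the client certificate must be refused at the TLS layer, before Apache proxies anything to port 8001.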

 



Re: Streaming via 2way SSL possible? #16 dolphs

  • Senior Member
  • 983 posts

+8
Neutral

Posted 14 July 2022 - 20:33

and now the client sides :

 

 

CLIENT ( in home )

ssh root@your-enigma2-box
# install extension remotestreamconvert
opkg update && opkg install enigma2-plugin-extensions-remotestreamconvert


# configure remotestreamconvert and download bouquet(s) from master box
# in your "User bouquets" locally you will see eg " Last scanned ( remote of 192.168.10.4 )" containing channels and you should be good to zap through these


# Use a tool , eg dreamboxEDIT, to download your channels
 
 
 

CLIENT ( remotely, eg your cottage )

# load your tool, eg dreamboxEDIT, which is previously used for your client 
# configure a new profile
# upload your bouquet/channels 


# change local IP to your dDNS address and instead of http use https


ssh root@your-enigma2-box
cd /etc/enigma2 


grep 24Kitchen userbouquet.*
# which should result in
# userbouquet.rcsc.192_168_10_4.userbouquet.LastScanned.tv:#SERVICE 1:0:19:4CF5:81C:600:FFFF0000:0:0:0:http%3A//192.168.10.4%3A8001/1%3A0%3A19%3A4CF5%3A81C%3A600%3AFFFF0000%3A0%3A0%3A0:24Kitchen HD
# userbouquet.rcsc.192_168_10_4.userbouquet.LastScanned.tv:#DESCRIPTION 24Kitchen HD


#update http to https
sed -i 's/http/https/g' userbouquet.rcsc.192_168_10_4.userbouquet.LastScanned.tv


#update local ip to your dDNS 
sed -i 's/192.168.10.4/someaddress.dynu.net/g' userbouquet.rcsc.192_168_10_4.userbouquet.LastScanned.tv


#update 8001 to port 443 and add /stream
sed -i 's/8001/443\/stream/g' userbouquet.rcsc.192_168_10_4.userbouquet.LastScanned.tv


# The URLs should be similar to:
# https://someaddress.dynu.net:443/stream/1:0:19:4B60:813:600:FFFF0000:0:0:0


killall enigma2
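The three sed commands above each replace every occurrence of their pattern, so "http" also becomes "https" in any channel name that contains it, "8001" is replaced wherever it appears, and running the chain twice produces "httpss". The following is an added example, not the poster's commands, that rewrites only the percent-encoded URL prefix, escapes the dots in the LAN IP and is safe to run repeatedly. The sample bouquet lines are constructed in the format shown in the thread; the LAN IP, hostname and port are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's commands: rewrite remotestreamconvert
# bouquet entries so they go through the reverse proxy. It replaces only the
# percent-encoded URL prefix, escapes the dots of the LAN IP and is
# idempotent (running it twice changes nothing). Sample lines are
# constructed; the LAN IP, hostname and port are assumptions.
set -eu

# $1 = LAN IP of the main box, $2 = public hostname, $3 = proxy port.
# Reads a bouquet on stdin, writes the rewritten bouquet on stdout.
rewrite_bouquet() {
    lan_ip=$1; host=$2; port=$3
    esc_ip=$(printf '%s' "$lan_ip" | sed 's/\./\\./g')   # 192\.168\.10\.4
    # Bouquet URLs are percent-encoded ("%3A" is ":"), so the prefix
    # "http%3A//192.168.10.4%3A8001/" becomes "https%3A//host%3A443/stream/".
    sed -e "s|http%3A//${esc_ip}%3A8001/|https%3A//${host}%3A${port}/stream/|g"
}

# Rewrite one file in place, keeping a backup, then show what changed.
rewrite_bouquet_file() {
    file=$1; lan_ip=$2; host=$3; port=$4
    cp -p "$file" "$file.bak"
    rewrite_bouquet "$lan_ip" "$host" "$port" < "$file.bak" > "$file"
    diff "$file.bak" "$file" || true
}

# Constructed sample in the format shown in the thread (name, one service, one description).
sample_bouquet() {
    cat <<'EOF'
#NAME Last scanned (remote of 192.168.10.4)
#SERVICE 1:0:19:4CF5:81C:600:FFFF0000:0:0:0:http%3A//192.168.10.4%3A8001/1%3A0%3A19%3A4CF5%3A81C%3A600%3AFFFF0000%3A0%3A0%3A0:24Kitchen HD
#DESCRIPTION 24Kitchen HD
EOF
}

# The service line the sample must turn into (used by the check below).
expected_service() {
    printf '%s\n' '#SERVICE 1:0:19:4CF5:81C:600:FFFF0000:0:0:0:https%3A//someaddress.dynu.net%3A443/stream/1%3A0%3A19%3A4CF5%3A81C%3A600%3AFFFF0000%3A0%3A0%3A0:24Kitchen HD'
}

# Demo on the constructed sample. On a real box the in-place form would be:
#   rewrite_bouquet_file /etc/enigma2/userbouquet.rcsc.192_168_10_4.userbouquet.LastScanned.tv \
#       192.168.10.4 someaddress.dynu.net 443
sample_bouquet | rewrite_bouquet 192.168.10.4 someaddress.dynu.net 443
```

Because the pattern anchors on the whole "http%3A//IP%3A8001/" prefix, a second run finds nothing to change, and a bouquet pointing at another box (a different LAN IP) is left untouched. Restart enigma2 afterwards as in the notes above.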

 

 



Re: Streaming via 2way SSL possible? #17 dolphs

  • Senior Member
  • 983 posts

+8
Neutral

Posted 14 July 2022 - 20:35

so without any changes to enigma2 you should be able to watch over https and close the door a bit more (  Require host and Require ip are the ones that have access ), rest will see "Forbidden"

 

sure it is not 2way SSL, but for me it is good enough and could be an alternative to a VPN ...


Edited by dolphs, 14 July 2022 - 20:38.


Re: Streaming via 2way SSL possible? #18 scriptmelvin †

  • PLi® Contributor
  • 720 posts

+46
Good

Posted 14 July 2022 - 22:52

I would suggest doing access control at the iptables level, so ports appear not to be listening for everything but an allowed IP. This would of course use IPs, not hostnames. I wrote a cron job once for two hosts to inform each other of their respective IPs; it shouldn't be too hard. It all depends on how dynamic the IPs are; it would fail if they both change at the same time.

 

Whatever you do, keep an eye on the number of Stream Clients in the webif :D


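One way to implement the cron-driven, IP-based firewall rule suggested above, as an added example rather than scriptmelvin's own script: the client's dynamic DNS name is resolved, the address is validated as a plain IPv4 value before it is interpolated into a root-level command, and the rules are only rewritten when the address differs from the cached one. The chain name, port, state file path and the client hostname are assumptions; without APPLY=1 the iptables commands are printed rather than executed.

```shell
#!/bin/sh
# Added example, not from the thread: firewall-level allowlisting of the
# proxy port, driven by the client's dynamic DNS name, meant to run from
# cron. The last resolved address is cached in a state file and the rules are
# only rewritten when it changes; unless APPLY=1 is set the iptables commands
# are printed instead of executed. Chain name, port, paths and the client
# hostname are assumptions.
set -eu

CHAIN=E2PROXY

# Accept $1 only if it is a plain dotted-quad IPv4 address: the value comes
# from DNS and is about to be interpolated into a privileged command.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|'') return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] 2>/dev/null || return 1
    done
}

# Print the iptables commands that allow one source IP to the port and
# drop everybody else, kept in a dedicated chain so they can be replaced.
allowlist_rules() {
    ip=$1; port=$2
    cat <<EOF
iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN
iptables -A $CHAIN -s $ip -p tcp --dport $port -j ACCEPT
iptables -A $CHAIN -p tcp --dport $port -j DROP
iptables -C INPUT -p tcp --dport $port -j $CHAIN 2>/dev/null || iptables -I INPUT -p tcp --dport $port -j $CHAIN
EOF
}

# First IPv4 address of a hostname (glibc getent is assumed to be available).
resolve_ipv4() {
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
}

# $1 = IP, $2 = port, $3 = state file. Returns 0 when rules were (re)generated,
# 1 when the IP is unchanged, 2 when the IP is not a valid IPv4 address.
update_allowlist() {
    ip=$1; port=$2; state=$3
    valid_ipv4 "$ip" || return 2
    old=$(cat "$state" 2>/dev/null || true)
    [ "$ip" != "$old" ] || return 1
    rules=$(allowlist_rules "$ip" "$port")
    if [ "${APPLY:-0}" = "1" ]; then
        printf '%s\n' "$rules" | sh -e
    else
        printf '%s\n' "$rules"
    fi
    mkdir -p "$(dirname "$state")"
    printf '%s\n' "$ip" > "$state"
}

# Cron entry, e.g. "*/5 * * * * APPLY=1 /usr/local/sbin/e2proxy-allow.sh run"
if [ "${1:-}" = "run" ]; then
    update_allowlist "$(resolve_ipv4 client.dynu.net)" 443 /var/lib/e2proxy/allowed_ip \
        || [ $? -eq 1 ]   # "unchanged" is not an error for cron
fi
```

The validation step is the part worth keeping even if the rest is rewritten: whatever the resolver returns ends up as an argument to iptables running as root, so anything that is not four octets is rejected and the previous rule set stays in place. As noted above, both sides changing address at the same moment still locks the client out until the next cron run.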

Re: Streaming via 2way SSL possible? #19 dolphs

  • Senior Member
  • 983 posts

+8
Neutral

Posted 15 July 2022 - 04:39

@scriptman - thanks for your recommendation, ufw is indeed a package that I kept in this "tutorial" but its configuration is not included.

This is solely meant as a base, also if you want to swap apache2 for nginx, by all means go for it :-)



