MinimServer Forum
MinimServer behind reverse proxy



MinimServer behind reverse proxy - wotgorilla - 27-01-2023 01:11

Hello,

I am thinking of hiding the MinimServer webserver behind a reverse proxy (nginx) with TLS and basic authentication to ensure that people on my network cannot change my settings. I don't see an option to password-protect the settings directly in MinimServer, and even if there was, it wouldn't be very secure without encryption.

How can I achieve this while allowing DLNA clients to connect the usual way? Can I just block port 9790 on my firewall and have nginx reverse proxy port 9790? Will this interfere with normal DLNA operations?

I suspect other people have done this in the past.

Thanks in advance.

Eric


RE: MinimServer behind reverse proxy - simoncn - 27-01-2023 09:54

MinimServer settings can also be changed from MinimWatch, which doesn't use port 9790 to do this.

UPnP/DLNA was not designed as a secure protocol and no control points or renderers are able to securely access a UPnP/DLNA server. When a renderer streams audio from MinimServer, it is doing this using an insecure HTTP connection to port 9790. This means that putting MinimServer port 9790 behind a secure reverse proxy would prevent a renderer from streaming audio.

The best solution is to create a separate subnet or VLAN for MinimServer and your trusted devices and allow insecure UPnP/DLNA communication within that subnet/VLAN only.


RE: MinimServer behind reverse proxy - wotgorilla - 27-01-2023 12:53

(27-01-2023 09:54) simoncn Wrote:
> MinimServer settings can also be changed from MinimWatch, which doesn't use port 9790 to do this.
>
> UPnP/DLNA was not designed as a secure protocol and no control points or renderers are able to securely access a UPnP/DLNA server. When a renderer streams audio from MinimServer, it is doing this using an insecure HTTP connection to port 9790. This means that putting MinimServer port 9790 behind a secure reverse proxy would prevent a renderer from streaming audio.
>
> The best solution is to create a separate subnet or VLAN for MinimServer and your trusted devices and allow insecure UPnP/DLNA communication within that subnet/VLAN only.

I see. Maybe in the future there could be a way to secure the settings directly on the server to avoid any changes?


RE: MinimServer behind reverse proxy - simoncn - 27-01-2023 13:56

This would not prevent someone from using one of the remote interfaces (MinimWatch, mscript, the web API) to change settings.
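
The subnet/VLAN advice in the replies above, expressed as an nftables ruleset for the MinimServer host. This is an added example, not part of the thread or of MinimServer; the subnet 192.168.50.0/24 and a host dedicated to MinimServer are assumptions. It filters by source network rather than by port, because the replies note that settings can be changed through interfaces that do not use port 9790.

```nft
#!/usr/sbin/nft -f
# Constructed example: host firewall for a machine dedicated to MinimServer.
# 192.168.50.0/24 is a placeholder for the trusted subnet/VLAN (assumption).

# Create-then-delete makes the file safe to reload without duplicating rules.
table inet minimserver_host
delete table inet minimserver_host

table inet minimserver_host {
    set trusted_v4 {
        type ipv4_addr
        flags interval
        elements = { 192.168.50.0/24 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Local processes and replies to connections this host opened.
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Trusted devices get every port: UPnP/DLNA discovery, plain HTTP
        # streaming on 9790, and the remote interfaces that change settings.
        # Allowing by source instead of by port is deliberate, since
        # protecting 9790 alone leaves those other interfaces reachable.
        ip saddr @trusted_v4 accept

        # Everything else falls through to "policy drop". Log a sample so
        # attempts from outside the trusted segment are visible.
        # No IPv6 source is accepted here; add an ipv6_addr set if the
        # trusted segment uses IPv6.
        limit rate 5/minute log prefix "minimserver-drop: "
    }
}
```

Devices inside the trusted subnet can still change settings, so this only limits exposure to the segment and does not replace the VLAN separation itself.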