MinimServer behind reverse proxy
27-01-2023, 01:11 (This post was last modified: 27-01-2023 01:40 by wotgorilla.)
Post: #1
MinimServer behind reverse proxy
Hello,

I am thinking of hiding the MinimServer webserver behind a reverse proxy (nginx) with TLS and basic authentication to ensure that people on my network cannot change my settings. I don't see an option to password-protect the settings directly in MinimServer, and even if there were, it wouldn't be very secure without encryption.

How can I achieve this while allowing DLNA clients to connect the usual way? Can I just block port 9790 on my firewall and have nginx reverse proxy port 9790? Will this interfere with normal DLNA operations?

I suspect other people have done this in the past.

Thanks in advance.

Eric
27-01-2023, 09:54 (This post was last modified: 27-01-2023 09:54 by simoncn.)
Post: #2
RE: MinimServer behind reverse proxy
MinimServer settings can also be changed from MinimWatch, which doesn't use port 9790 to do this.

UPnP/DLNA was not designed as a secure protocol and no control points or renderers are able to securely access a UPnP/DLNA server. When a renderer streams audio from MinimServer, it is doing this using an insecure http connection to port 9790. This means that putting MinimServer port 9790 behind a secure reverse proxy would prevent a renderer from streaming audio.

The best solution is to create a separate subnet or VLAN for MinimServer and your trusted devices and allow insecure UPnP/DLNA communication within that subnet/VLAN only.
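
One way to back up the subnet/VLAN approach from post #2 on the MinimServer host itself, as an added example that is not part of the thread or of MinimServer. It assumes a Linux host dedicated to MinimServer with nftables, and `192.168.50.0/24` is a constructed stand-in for the trusted VLAN's range:

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread). TRUSTED_NET is a constructed value;
# replace it with the range of the VLAN that holds your trusted devices.

define TRUSTED_NET = 192.168.50.0/24

table inet minim_guard {
    chain input {
        type filter hook input priority 0; policy drop;

        # Local processes and replies to connections this host opened.
        iif "lo" accept
        ct state invalid drop
        ct state established,related accept

        # IPv6 neighbour discovery, so the host's IPv6 stack keeps working
        # under the drop policy. No IPv6 clients are admitted below.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

        # Trusted VLAN only: plain-HTTP browsing and streaming on port 9790,
        # SSDP discovery (UDP 1900), and the remote interfaces named in the
        # thread (MinimWatch, mscript, the web API). The thread does not list
        # their ports, so the rule matches on source address, not on port.
        ip saddr $TRUSTED_NET accept

        # Everything else falls through to the drop policy; log a sample.
        limit rate 6/minute log prefix "minim-guard drop: "
    }
}
```

Load it with `nft -f` from a console session, because the drop policy also applies to SSH and any other service reached from outside the trusted range. Source-address matching is only as strong as the VLAN separation behind it, so it complements the router or switch configuration rather than replacing it.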
27-01-2023, 12:53
Post: #3
RE: MinimServer behind reverse proxy
(27-01-2023 09:54)simoncn Wrote:  MinimServer settings can also be changed from MinimWatch, which doesn't use port 9790 to do this.

UPnP/DLNA was not designed as a secure protocol and no control points or renderers are able to securely access a UPnP/DLNA server. When a renderer streams audio from MinimServer, it is doing this using an insecure http connection to port 9790. This means that putting MinimServer port 9790 behind a secure reverse proxy would prevent a renderer from streaming audio.

The best solution is to create a separate subnet or VLAN for MinimServer and your trusted devices and allow insecure UPnP/DLNA communication within that subnet/VLAN only.

I see. Maybe in the future there could be a way to secure the settings directly on the server to avoid any changes?
27-01-2023, 13:56
Post: #4
RE: MinimServer behind reverse proxy
This would not prevent someone from using one of the remote interfaces (MinimWatch, mscript, the web API) to change settings.