SSL / Authentication


treason

I am going to be away from home for a few months and I plan on streaming my content remotely to a Roku box.

If I am on a public wifi, or a hotel room, what stops someone from sniffing the traffic and pulling my API key, then accessing all of my content?

Is SSL an option to encrypt the requests?

I'd prefer a third party (hotel room, my ISP) not to know "what" I am streaming if possible.

Thanks

Edited by treason

Koleckai Silvestri

Currently, you would need to go through a VPN to your server. Hopefully this is added soon as it is very important for security and privacy.


Beardyname

Until this gets implemented you can totally do it with a reverse proxy and force SSL!

I'm currently doing this with Authentication on Apache. Works like a charm :)


treason

Beardy,

Can you do this with IIS and not Apache?

I also have DD-WRT but the VPN isn't very reliable (I'm not even sure Roku supports VPN)


Beardyname

@treason, should work.

I have not tested it myself, but try googling around for a guide of some sort. I'm not really an expert on IIS though, so I would not really know :)


treason

Ok, so it turns out I am already running a reverse proxy and didn't even know it.

IIS has URL Rewrite, which means I can say when a request goes to https://myhost.com/mediabrowser internally pull the traffic from http://interalip:8092/mediabrowser

I have that set up now, and it works fine for the web client, but I highly doubt a Roku client, or any client for that matter, allows you to change the protocol to https.

So on my host I have like

https://myhost.com/torrent

https://myhost.com/sab

https://myhost.com/sickbeard

https://myhost.com/mediabrowser etc..

Unless there's a way to run SSL on port 80 and not 443? I don't know.. it doesn't seem possible


Koleckai Silvestri

You would point your MediaBrowser Client to the server in its settings. The Roku doesn't handle that. You'd have to test it though. One thing about SSL is that the client needs to be able to decrypt what is sent and if your reverse proxy sends encrypted data, the MediaBrowser Client probably won't know how to decrypt it. The Roku does handle SSL and HTTPS though. For VPN, the Roku uses a mirrored connection through another device like a laptop or computer. That handles the decryption properly.

Might be easier to use a laptop and web browser. If you have one.


treason

The mirrored connection sounds like a drag to set up (too many points of failure), and you're right on the SSL, each client has to make mods to support SSL.

I guess I have to go insecure mode and hope the NSA isn't watching :D


  • 4 weeks later...
  • 4 months later...

UPDATE: It seems if you log out of the iPad app (maybe others) you cannot log back in. The Web GUI seems to work just fine; however, apps do not seem to like the redirect for the auth token, even though it would seem it works if you have the device registered before making the change. I am not sure this is something that can be resolved without app developers' help, and seeing this is not an official fix I doubt that will happen.

What I have done is the following:

Reconfigure Media Browser Server to listen on 8095 and set up NginX to listen on 8096, redirecting all traffic that comes in as http ==> https (seems to work with all clients I have tested after the initial request is made via http). (I have a 3rd party SSL cert - I am using NameCheap for 9.95/yr.)

Install NginX from nginx/Windows-1.7.6 to c:\ and add a directory inside the NginX folder called ssl.

Take the below config and overwrite NginX/conf/nginx.conf.

Create a self-signed SSL cert or get a 3rd party SSL cert (self-signed certs may not work with 3rd party clients due to the SSL warning that would be presented), place it into the NginX/ssl directory, and update the config with the CRT and KEY names accordingly.

Start NginX and enjoy your SSL enabled streaming.

Config:

#user  nobody;

worker_processes  4;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

events {
    worker_connections  1024;
}

http {
    types_hash_max_size 2048;
    client_header_buffer_size 16k;
    client_max_body_size 64m;
    large_client_header_buffers 12 16k;
    client_body_buffer_size 1024k;

    tcp_nopush on;
    keepalive_timeout 15;
    tcp_nodelay on;

    server {
        # Public listener: TLS on 8096 (Media Browser Server itself now listens on 8095)
        listen 8096 ssl;
        ssl_certificate /nginx-1.7.6/ssl/ssl_cert.crt;
        ssl_certificate_key /nginx-1.7.6/ssl/ss_cert_key.key;

        # 497 = plain HTTP request sent to the SSL port; redirect it to https on the same port
        error_page 497 https://$host:$server_port$request_uri;

        location / {
            # Forward the decrypted request to Media Browser Server
            proxy_pass http://localhost:8095;
            proxy_redirect off;
            proxy_set_header Host $host:$server_port;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Ssl on;
        }
    }
}
Edited by mbnwa
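Added example, not part of mbnwa's post or the Media Browser project: a variant of the server block above (it goes inside the same http { } section) with the TLS protocol set stated explicitly and the backend addressed over loopback. The certificate paths and ports are taken from the post; the ssl_protocols value and the assumption that port 8095 is not reachable from outside the host are choices made for this example.

```nginx
# Added example: hardened variant of the posted server block.
# Ports and certificate paths come from the post; the rest is assumed.
server {
    listen 8096 ssl;

    ssl_certificate     /nginx-1.7.6/ssl/ssl_cert.crt;
    ssl_certificate_key /nginx-1.7.6/ssl/ss_cert_key.key;

    # State the accepted protocol versions explicitly instead of inheriting
    # whatever this nginx build defaults to. Widen the list only if a client
    # you need cannot negotiate TLS 1.2.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    # 497 = a plain HTTP request arrived on the SSL port. By the time nginx
    # answers, that request line and its headers (including any API key or
    # auth token the client attached) have already crossed the network
    # unencrypted. The redirect only protects the requests that follow it,
    # so enter the https:// address in every client that lets you.
    error_page 497 https://$host:$server_port$request_uri;

    location / {
        # Loopback only. Assumption: port 8095 is not forwarded at the
        # router and is blocked by the host firewall, otherwise clients can
        # still reach the plaintext backend directly and bypass TLS.
        proxy_pass http://127.0.0.1:8095;
        proxy_redirect off;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Ssl on;
    }
}
```

Run nginx -t after editing to confirm the file parses before restarting the service.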
