Is there no other way than Port Forwarding for remote access with the mobile app?
Port forwarding is a security issue and all the reading I have done says that it should be avoided. Moving to a non-standard port is better, but eventually you will likely get found. I am not interested in letting a port scanner find my machine and then have their way with it.
Is there an alternative to Port Forwarding?
Moderator: Staff
3 posts
• Page 1 of 1
-
qy7298 - Posts: 2
- Joined: Wed Jun 12, 2019 3:05 pm
Re: Is there an alternative to Port Forwarding?
Personally, I really like the way remote access is handled in SH, because it is compatible with a reverse proxy and I don't have to rely on a third party's cloud remote access solution and I don't have to effectively grant a third party access to my data.
What I've done is front-end SH with an nginx reverse proxy. The reverse proxy sits on the internet side of things in a DMZ and has access to the SH web interface. Since SH authenticates with basic auth, the mobile app will authenticate to the reverse proxy and the reverse proxy authenticates to SH. This allows me to only expose nginx (a very heavily used and scrutinized piece of software - this should reduce the likelyhood of exposing something vulnerable) and force the users to authenticate to it before even touching SH. This also lets me apply Lets Encrypt SSL certs and enforce IP bans on failed login attempts.
I don't mind a port scanner having it's way with something like nginx, but I would be concerned about a vulnerability scanner directly hitting SH's web UI.
[Mobile App] ---[HTTPS/443]---> [nginx] ---[HTTPS/SH Default port]---> [SightHound]
Traffic flows through a firewall entering nginx and entering SH. Servers on different VLANS.
If you check reddit /r/homelab there's a lot of examples of how to set this up.
What I've done is front-end SH with an nginx reverse proxy. The reverse proxy sits on the internet side of things in a DMZ and has access to the SH web interface. Since SH authenticates with basic auth, the mobile app will authenticate to the reverse proxy and the reverse proxy authenticates to SH. This allows me to only expose nginx (a very heavily used and scrutinized piece of software - this should reduce the likelyhood of exposing something vulnerable) and force the users to authenticate to it before even touching SH. This also lets me apply Lets Encrypt SSL certs and enforce IP bans on failed login attempts.
I don't mind a port scanner having it's way with something like nginx, but I would be concerned about a vulnerability scanner directly hitting SH's web UI.
[Mobile App] ---[HTTPS/443]---> [nginx] ---[HTTPS/SH Default port]---> [SightHound]
Traffic flows through a firewall entering nginx and entering SH. Servers on different VLANS.
If you check reddit /r/homelab there's a lot of examples of how to set this up.