by qy7298 » Mon Sep 30, 2019 9:51 am
Personally, I really like the way remote access is handled in SH, because it is compatible with a reverse proxy, I don't have to rely on a third party's cloud remote access solution, and I don't have to effectively grant a third party access to my data.
What I've done is front-end SH with an nginx reverse proxy. The reverse proxy sits on the internet side of things in a DMZ and has access to the SH web interface. Since SH authenticates with basic auth, the mobile app will authenticate to the reverse proxy and the reverse proxy authenticates to SH. This allows me to only expose nginx (a very heavily used and scrutinized piece of software - this should reduce the likelihood of exposing something vulnerable) and force the users to authenticate to it before even touching SH. This also lets me apply Let's Encrypt SSL certs and enforce IP bans on failed login attempts.
I don't mind a port scanner having its way with something like nginx, but I would be concerned about a vulnerability scanner directly hitting SH's web UI.
[Mobile App] ---[HTTPS/443]---> [nginx] ---[HTTPS/SH Default port]---> [SightHound]
Traffic flows through a firewall entering nginx and entering SH. Servers on different VLANs.
If you check reddit /r/homelab there are a lot of examples of how to set this up.
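
A minimal nginx server block for the layout described in the post above, added here as an illustration and not the poster's actual configuration. Hostnames, addresses, the upstream port and file paths are placeholders, and it assumes the same basic-auth credentials exist both in the htpasswd file and in SH.

```nginx
# Added example. Place inside the http {} context (e.g. a file under conf.d/).
# Every hostname, address, port and path below is a placeholder.

# Per-client request throttle so password guessing against the proxy is slow.
# Tune rate/burst to what the mobile app and web UI actually need.
limit_req_zone $binary_remote_addr zone=sh_clients:10m rate=10r/s;

upstream sighthound {
    server 10.0.20.10:8443;   # placeholder: SH host on its own VLAN, SH's web port
}

server {
    listen 443 ssl;
    server_name cam.example.org;

    # Let's Encrypt certificate (paths as laid out by certbot)
    ssl_certificate     /etc/letsencrypt/live/cam.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cam.example.org/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Failed basic-auth attempts are recorded in the error log; a log watcher
    # such as fail2ban can read this file and ban the source IP at the firewall.
    error_log  /var/log/nginx/sh_error.log;
    access_log /var/log/nginx/sh_access.log;

    location / {
        limit_req zone=sh_clients burst=40 nodelay;

        # The client must authenticate to nginx before any request reaches SH.
        auth_basic           "Restricted";
        auth_basic_user_file /etc/nginx/sh.htpasswd;

        # nginx forwards the client's Authorization header to the upstream by
        # default, so SH sees the same basic-auth credentials.
        proxy_pass https://sighthound;

        # Verify SH's certificate on the inner HTTPS hop instead of trusting
        # whatever answers on that address.
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/sh-upstream-ca.pem;
        proxy_ssl_name                sighthound.internal;

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Run `nginx -t` after editing to validate the syntax before reloading; the firewall rules between the DMZ and the SH VLAN still need to restrict the upstream port to the proxy's address only.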