SSL enabled GBPVR web access? Interested?

[Networker]

Are you interested in wrapping SSL around your GBPVR web console access from outside of your firewall? Tomorrow I will have detailed HOW-TO for you to use. This is Windows-centric since it seems most users in the community are Windows users, I will note any difference for those of us, er you using Linux.

:o

John

[kayleigh]

I'd like to hear this idea; I've never used the web interface since I've had concerns about the security .

[Networker]

<disclaimer>
Okay here you go, remember this uses a third party program to provide the SSL security. Now remember, SSL only products the data in transport from your client to the server. It does not protect the server from any exploits that could come along, I intend to do a little more searching for vulnerabilities and the web server used in the GBPVR web interface.
</disclaimer>

Download these files:

STUNNEL
openSSL libraries

Create a Directory for stunnel, I put my under c:\program files\, and place the file stunnel-4.10.exe there, rename it to remove '-4.10' if you wish, or create a shortcut named stunnel.exe

Next unzip the openssl.zip file, extract the files to c:\windows\system32

If you have not done it already, open the GBPVR config program and in the MISC tab turn on the Web server, change the port if you wish (remember what you change it to) and the username/passwd as well. Save it, with an OK

Now you need to create an SSL certificate (cert) for use with stunnel, the
easiest way is to go here and generate a cert.

Fill in the blanks, none is acceptable so use it if needed. Please be sure to select NO for the DH parameters, it's not needed and the author of the software is generous enough to allow cert generation on his site. Click "Generate stunnel.pem File", copy and paste this information into a new notepad session, save to where you saved stunnel, make sure there is not TXT after the file it should be stunnel.pem.

Next you must create a config file for stunnel to read, this allows it to bind (listen) on the 443 port and redirect to 7647 or whatever port you changed your GBPVR web interface to.

In another notepad session create the file stunnel.conf and put this in it:

[GBPVRSSL]
accept=443
connect=7647

Save it where the stunnel executable is (for me c:\program files\stunnel\).

Now your ready! Do you trust me? Do you trust your work? Then you could just jump straight to starting this as a service, but now let's not get ahead of ourselves, let us test this. Copy a command line window (start -> run -> cmd <ENTER>)

cd "c:\program files\stunnel"

stunnel <enter>

If everything worked right you should see no errors, but you will see a little colored folder in your system try. Right click and you get the option to view the log, do that. Now if you really want to make sure it's working connect to it or run netstat -na to see the bound ports like this:

netstat -na <enter>

Proto Local Address Foreign Address State
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING
TCP 0.0.0.0:7647 0.0.0.0:0 LISTENING

Now if you had done this before you ran stunnel you would not see the line with 443 on it. Yes this list is very short, you will have to scroll up to see this at the top of the list, or you could run netstat -na -p tcp.

Now, connect with a browser to: https://localhost/gbpvr/login.aspx

You will be greated with a warning regarding the SSL cert, the cert is not signed (self-signed actually) by a public CA (certificate authority) and therefore cannot be validated, it's okay as this is for your use and not public use anyway. Just remember the fingerprint or write it down so when you save this from a remote location, if it changes you'll get warned. Save this cert if you wish so you won't get the warning everytime you use it.

That's it!

Oh wait, you want this to be automatic and you want to access it from outside your LAN? Haven't I done enough? Okay just kidding....

to make this automatic do this from a command line:

stunnel -install <ENTER>

This only installs the service, to start it either go to the services tab or run this:

net start stunnel <ENTER>

As far as accessing this from outside your LAN, you must setup a port forward rule on your firewall, allow access to your WAN IP on port 443 (SSL or HTTPS) and forward to your GBPVR machine on port 443, no PAT (Port address translation) needed as stunnel is listening on 443 and then redirecting to 7647.


I will metion that I have only tried this from Windows IE and Windows version of Firefox. From a remote location you cannot stream the video, this would be cool, however the code that is used tries to connect to:

http://127.0.0.1:7647/blah..blah..blah...

So you would have to find the code, if possible (I'm sure it is) and modify it, however if your IP address at home changes it won't work. If you use a FQDN then you'd be set, I have a FQDN that get's set every hour.

RUNNING LINUX at home?

Well you probably already have stunnel installed, maybe not. Get it installed and instead of just putting in the conf file connect=7647 you must put in the IP address of your GBPVR box, something like this:

connect=my.gbpvr.machine.ip:7647

That's it pretty much, just make sure the service is running via inetd, xinetd or however you want to run it.. I'm expecting you to know how to do this if you run Linux..


Enjoy!

John

[Networker]

Did I mention that you can pretty much just use this for managing your recordings for now. I have tested and it would seem the Web Interface automatically setups the IP address and trusted port (7647/tcp default) based on the IP you connect to. As stunnel is using localhost (127.0.0.1) that's the IP given back.. Easy to fix if you modify the stunnel.conf file, in front of 443 put the assigned IP address of your GBPVR box (i.e 192.168.1.5:443), and the same for the connect port. Restart the stunnel service and all should be good, I have not tested this yet, but it would seem, in theory, to work. It won't fix your connection remotely, that's something you'll have to change in the m3u file.

John

[betlit]

thanks a lot, networker!

I've never used the web interface since I've had concerns about the security .

i don't really trust the '.net-webserver' either *g*

i'm using an apache webserver (running on my 'regular pc' acting as a reverse proxy) to connect my tv-compy for accessing the gbpvr-web-interface.
both are behind a router and only port 80 is opened (forwarded directly to my regular compy)
the whole thing is protected by password (.htacces, .hpasswd 'n stuff).

setting up ssl will now be the next step... *g*

sadly, my (cheap) WLAN-card does not support wake-on-lan (i heard that WOL in a WLAN network is possible in general)