Re: [slim] https connection to LMS ?
Roland0 wrote:
> ownership isn't required, you can also use e.g. a duckdns subdomain
> the subdomain / host name doesn't have to exist, and you can get
> wildcard certificates (so one can use e.g. *.internal.domain.com with a
> single SSL cert)

Letsencrypt only offers wildcard certificates using DNS-01 challenge, meaning that you must be able to control the DNS server to add/remove a TXT entry.

> The challenge takes a couple of seconds, so the webserver only has to be
> online for that. could be done with e.g. some dyndns, or just point the
> domain at the public ip for that time if you have one (or use a VPS,
> which one can get for ~2 EUR/month)

Yes, but that requires more programming skills and the point here is that people appear to expect that this could work out-of-the-box. It doesn't. Also don't forget that Letsencrypt certificates are only valid for 90 days and thus you must repeat these actions regularly.

> An internal DNS proxy / server can map queries for the domain used in the
> certificate to the correct LAN IPs (*.internal.domain.com -> 192...). No
> public IP, and nothing is exposed to the outside.

You can also simply edit the hosts file (%windir%\system32\drivers\etc\hosts on Windows), either way I'm sure that by now we have lost the topic starter completely.

> I thought about that (using 'mkcert'
> (https://github.com/FiloSottile/mkcert)), but decided against it for a
> number of reasons (mainly the one you mentioned, but also since it
> generally seemed to be huge hassle )

(...) :confused:

gordonb3's Profile: http://forums.slimdevices.com/member.php?userid=71050
View this thread: http://forums.slimdevices.com/showthread.php?t=11
___
discuss mailing list
discuss@lists.slimdevices.com
http://lists.slimdevices.com/mailman/listinfo/discuss
Re: [slim] https connection to LMS ?
gordonb3 wrote:
> to use Letsencrypt you must own a public domain and whatever name you
> want a certificate for must be registered to that domain and

ownership isn't required, you can also use e.g. a duckdns subdomain
the subdomain / host name doesn't have to exist, and you can get wildcard certificates (so one can use e.g. *.internal.domain.com with a single SSL cert)

> reference a plain HTTP server to complete the challenge.

The challenge takes a couple of seconds, so the webserver only has to be online for that. Could be done with e.g. some dyndns, or just point the domain at the public ip for that time if you have one (or use a VPS, which one can get for ~2 EUR/month)

> Depending on what firewall you run in your main router you could also
> use your public IP to access the HTTPS proxy, but that will obviously
> also mean that this will be exposed to the entire internet (again
> depending on your firewall and its configuration).

An internal DNS proxy / server can map queries for the domain used in the certificate to the correct LAN IPs (*.internal.domain.com -> 192...). No public IP, and nothing is exposed to the outside.

> An alternative option is to create your own Certificate Authority (CA)
> and use that to sign certificates for e.g. lms.domain.local. This will
> however require you to import the public key of that `SnakeOil` CA on
> each device that you use to access LMS and may be something of an issue
> on some of them (I'm still trying to figure out how to import an X509 on
> an Android phone).

I thought about that (using 'mkcert' (https://github.com/FiloSottile/mkcert)), but decided against it for a number of reasons (mainly the one you mentioned, but also since it generally seemed to be huge hassle )

'Various SW' (https://www.nexus0.net/pub/sw/): Web Interface | Text Interface | Playlist Editor / Generator | Music Classification | Similar Music | Announce | EventTrigger | Ambient Noise Mixer | DB Optimizer | Image Enhancer | Chiptunes | LMSlib2go | ...
'Various HowTos' (https://www.nexus0.net/pub/documents/LMS/): build a self-contained LMS | Bluetooth/ALSA | Control LMS with any device | ...

Roland0's Profile: http://forums.slimdevices.com/member.php?userid=56808
Re: [slim] https connection to LMS ?
Roland0 wrote:
> Looks interesting, however seems to be mainly geared to exposing LAN
> services to the Internet. Would need integrated DNS proxy / DHCP server
> for the full package.
> Might be an option for those brave enough to expose LMS to the outside
> (as it seems to offer some sort of authentication mechanism)
>
> The encryption part isn't that important to me (if there's someone
> capable of reading traffic in my LAN, I have a much bigger problem than
> someone playing music at my home), and even less so for audio data.
> It's really more convenience / aesthetics (nice urls like
> lms.domain.com, no browser warnings, able to use SSL everywhere etc.)

To use Letsencrypt you must own a public domain and whatever name you want a certificate for must be registered to that domain and reference a plain HTTP server to complete the challenge.

Depending on what firewall you run in your main router you could also use your public IP to access the HTTPS proxy, but that will obviously also mean that this will be exposed to the entire internet (again depending on your firewall and its configuration).

An alternative option is to create your own Certificate Authority (CA) and use that to sign certificates for e.g. lms.domain.local. This will however require you to import the public key of that `SnakeOil` CA on each device that you use to access LMS and may be something of an issue on some of them (I'm still trying to figure out how to import an X509 on an Android phone).

gordonb3's Profile: http://forums.slimdevices.com/member.php?userid=71050
Re: [slim] https connection to LMS ?
mherger wrote:
> > - a reverse proxy to terminate the SSL connections (e.g. nginx, HA
> > Proxy)
>
> I've been using https://nginxproxymanager.com for a while now.
> Relatively easy to set up (if you have Docker running anyway...), and is
> supposed to support Let's Encrypt.

Looks interesting, however seems to be mainly geared to exposing LAN services to the Internet. Would need integrated DNS proxy / DHCP server for the full package.
Might be an option for those brave enough to expose LMS to the outside (as it seems to offer some sort of authentication mechanism)

> That said: LMS will still require port 9000 or whatever in non-encrypted
> way, as the player can't handle https

The encryption part isn't that important to me (if there's someone capable of reading traffic in my LAN, I have a much bigger problem than someone playing music at my home), and even less so for audio data.
It's really more convenience / aesthetics (nice urls like lms.domain.com, no browser warnings, able to use SSL everywhere etc.)

Roland0's Profile: http://forums.slimdevices.com/member.php?userid=56808
Re: [slim] https connection to LMS ?
> - a reverse proxy to terminate the SSL connections (e.g. nginx, HA Proxy)

I've been using https://nginxproxymanager.com for a while now. Relatively easy to set up (if you have Docker running anyway...), and is supposed to support Let's Encrypt.

That said: LMS will still require port 9000 or whatever in non-encrypted way, as the player can't handle https.
Re: [slim] https connection to LMS ?
Somewhat related - I'm currently moving the web UIs of all apps I run in my LAN (including LMS) to https, so here's a short summary of my findings.

A clean solution (i.e. one which works with all clients (browsers etc.)) out of the box is not trivial unless you have basic tech skills.

You'll need
- a domain under your control
- a valid SSL certificate for this domain (preferably wildcard)

You'll also need to run
- a DNS server (e.g. unbound) or DNS proxy (e.g. dnsmasq)
- a reverse proxy to terminate the SSL connections (e.g. nginx, HA Proxy)

and finally configure everything (DNS, proxy + SSL, DHCP server, the webapps, ..) to work together.

Roland0's Profile: http://forums.slimdevices.com/member.php?userid=56808
Re: [slim] https connection to LMS ?
RobbH wrote:
> That's probably a very helpful explanation for the original poster and
> anyone who finds this thread in the future. But you seem to have
> interpreted my comment as critical of Logitech, and I would like to
> state that that was not my intention.

I don't care about the Logitech brand, `where technology goes to die`. OP posted a non-issue because browsers may prefer HTTPS but it is still the same protocol and so there is no question of them becoming unable to do HTTP. If Chrome should enforce HTTPS you need to get a different browser, because it will prevent you from accessing your NAS, your managed switch, any IoT device you might have in your house. You cannot equip a device with HTTPS, it is the owner that needs to enable and maintain it, and no person that doesn't suffer from paranoia will ever do this for home appliances that are not exposed to the internet.

gordonb3's Profile: http://forums.slimdevices.com/member.php?userid=71050
Re: [slim] https connection to LMS ?
gordonb3 wrote:
> Stop it. The level of support is just fine and probably even better than
> any commercial party will offer. There is just no new development in
> hardware, but even if there was it would still not include HTTPS support
> for the simple reason that it is impossible for any manufacturer to know
> what domain you run on your internal network, if any. What you are
> failing to identify here is that the primary objective of HTTPS is not
> so much about encryption but about peer identification. A certificate
> thus always contains a name and if the name does not match then your
> browser will reject the site completely rather than simply cause you
> annoyance for needing to remove a `s` in the address field. Tip: create
> a bookmark - then you will never have to correct the URI again.

That's probably a very helpful explanation for the original poster and anyone who finds this thread in the future. But you seem to have interpreted my comment as critical of Logitech, and I would like to state that that was not my intention.

LMS 8 nightly running on Raspberry Pi OS. Mostly virtual players, occasionally with SB Radio, Boom or Classic.

RobbH's Profile: http://forums.slimdevices.com/member.php?userid=67008
Re: [slim] https connection to LMS ?
RobbH wrote:
> I'm trying to imagine a scenario in which Logitech did not buy Slim
> Devices, fifteen years ago, and the hardware is still supported now. It
> seems to me that it would be very unlikely that we would enjoy the level
> of support we have now, in any case.

Stop it. The level of support is just fine and probably even better than any commercial party will offer. There is just no new development in hardware, but even if there was it would still not include HTTPS support for the simple reason that it is impossible for any manufacturer to know what domain you run on your internal network, if any. What you are failing to identify here is that the primary objective of HTTPS is not so much about encryption but about peer identification. A certificate thus always contains a name and if the name does not match then your browser will reject the site completely rather than simply cause you annoyance for needing to remove a `s` in the address field. Tip: create a bookmark - then you will never have to correct the URI again.

gordonb3's Profile: http://forums.slimdevices.com/member.php?userid=71050
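The name check described in the post above, applied to the `*.internal.domain.com` wildcard mentioned elsewhere in this thread. This is an added example, not part of the original posts; it follows simplified RFC 6125 matching rules, and the function names, the sample host list and the LAN address 192.168.1.10 are made up for illustration.

```python
import ipaddress

# Wildcard name taken from the thread; the certificate itself is imagined.
WILDCARD_SANS = ["*.internal.domain.com"]

# What a user might type into the address bar (constructed sample values).
SAMPLE_HOSTS = [
    "lms.internal.domain.com",    # resolved by the internal DNS mapping
    "LMS.Internal.Domain.Com",    # DNS names compare case-insensitively
    "internal.domain.com",        # the wildcard does not cover the parent
    "a.lms.internal.domain.com",  # ...and stands for exactly one label
    "lms.domain.local",           # name from the private-CA suggestion
    "localhost",
    "192.168.1.10",               # made-up LAN address
]


def _as_ip(value):
    """Return an ip_address object, or None if value is not an IP literal."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def dns_name_matches(pattern, host):
    """Match one dNSName entry of a certificate against the requested host."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if any("*" in label for label in p[1:]):
        return False              # wildcard only allowed in the left-most label
    if p[0] == "*":
        # Refuse overly broad patterns such as "*.com".
        return len(p) >= 3 and p[1:] == h[1:]
    if "*" in p[0]:
        return False              # partial wildcards ("l*") are not honoured here
    return p == h


def cert_covers(host, dns_sans, ip_sans=()):
    """True if a certificate with these subjectAltName entries covers host."""
    target = _as_ip(host)
    if target is not None:
        # IP literals are compared with iPAddress entries, never DNS names.
        return any(_as_ip(ip) == target for ip in ip_sans)
    return any(dns_name_matches(p, host) for p in dns_sans)


def survey(hosts=SAMPLE_HOSTS, dns_sans=WILDCARD_SANS, ip_sans=()):
    """Map each host to whether the certificate would be accepted for it."""
    return {host: cert_covers(host, dns_sans, ip_sans) for host in hosts}


if __name__ == "__main__":
    for host, ok in survey().items():
        print(f"{'accepted' if ok else 'REJECTED':9} https://{host}/")
```

Only the first two sample names are accepted. Reaching the same server as localhost or by its LAN address fails the check even with a valid wildcard certificate, which is why the setups discussed in this thread pair the certificate with an internal DNS or hosts-file entry.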
Re: [slim] https connection to LMS ?
freelsjd wrote:
> ...Once again constrained by the abandonment of the product by Logitech
> after purchasing from slimserver leaving the customer base. I like the
> logitech mice, but disdain what they did here. They could update the
> firmware to fix.

I'm trying to imagine a scenario in which Logitech did not buy Slim Devices, fifteen years ago, and the hardware is still supported now. It seems to me that it would be very unlikely that we would enjoy the level of support we have now, in any case.

RobbH's Profile: http://forums.slimdevices.com/member.php?userid=67008
Re: [slim] https connection to LMS ?
> At least I now understand why LMS remains using http since the hardware (in my case a squeezebox-2) requires it. Once again constrained by the abandonment of the product by Logitech after purchasing from slimserver leaving the customer base.

To be fair you have to accept the fact that there are technological constraints, too: it's unlikely https could have been added to those players for the simple lack of memory. When they were designed memory was still expensive and thus very limited.
Re: [slim] https connection to LMS ?
> AFAIK the players don't communicate with LMS over HTTP. This interface

They do when playing local media files, or when streaming proxied and https online resources.
Re: [slim] https connection to LMS ?
I think you should have searched better, because this seems like a duplicate entry to me.

AFAIK the players don't communicate with LMS over HTTP. This interface is really only to allow you to control what is being played. The main point about using plain HTTP here instead of secure HTTPS is that it doesn't require a (commercial) certificate and because of this *every* home appliance that offers some web based interface will use plain HTTP. The thing here is that HTTPS is difficult and requires maintenance that a regular home user shouldn't and doesn't want to be bothered with. As such it would amaze me very much if Chrome would enforce HTTPS and by doing so make communication with such home appliances impossible.

If you are willing to make the effort of maintaining the validity of the HTTPS certificate it is not that big a deal though. Simply place LMS behind an HTTP(S) proxy (e.g. lighttp, nginx, apache), but do note that these web server applications may (by default) prohibit some of the URI strings used by the LMS frontend. For instance if you use Apache frontend then some of the images will not be displayed unless you specify the override `AllowEncodedSlashes NoDecode` in the server config.

gordonb3's Profile: http://forums.slimdevices.com/member.php?userid=71050
Re: [slim] https connection to LMS ?
Apparently, with newer version of chrome, it must remember the response to the conflict (which is to go insecurely and override the need for https), because it is now not stopping but running as it should. Since I am behind my router, and within my lan, this should not be a security issue.

I also found a LMS front-end that looked interesting and is designed just for this problem here: https://hub.docker.com/r/jgoerzen/logitech-media-server. I was thinking about trying this. Has anyone here tried this ?

At least I now understand why LMS remains using http since the hardware (in my case a squeezebox-2) requires it. Once again constrained by the abandonment of the product by Logitech after purchasing from slimserver leaving the customer base. I like the logitech mice, but disdain what they did here. They could update the firmware to fix.

freelsjd's Profile: http://forums.slimdevices.com/member.php?userid=4344
Re: [slim] https connection to LMS ?
slartibartfast wrote:
> I have no issue using Chrome for LMS. It tells me the connection is
> insecure but that is all. What do you mean when you say you have to
> force it to use the http favourite?

Also works fine for me in both Chrome and the newer Chromium based Edge - Windows 10Pro.

LMS 8.2.0
Main system - Rock Solid with LMS 8.2.0 on WHS 2011 - 2 Duets and Squeezeslave
Cabin system - Rock solid with LMS 8.2.0 on Win10 Pro - 1 RPi 3 Model B/Hifiberry DAC+ Pro/PiCorePlayer and Squeezeslave
Squeezebox Boom - "At Large" player around both home and cabin
Headphones and car - Android phone/Bluetooth w/full library on MicroSD card - PowerAmp music player app (similar to Material Skin)

w3wilkes's Profile: http://forums.slimdevices.com/member.php?userid=22973
Re: [slim] https connection to LMS ?
freelsjd wrote:
> I apologize up front if this is a FAQ, but I could not seem to find it
> if it is.
>
> The newer versions of Google Chrome are essentially requiring https in
> order to work. At the very least, I have to force it to use http; even
> over the LAN to my favorite LMS (http://localhost:9000/).
>
> Is there any way to setup LMS to use https ? If so, where can I find
> the howto ? If not, any plans to do so ?
>
> I am using LMS 8.3.0~1639114576 on my Linux/Debian/Bullseye/11.1
> server.
>
> Thanks

I have no issue using Chrome for LMS. It tells me the connection is insecure but that is all. What do you mean when you say you have to force it to use the http favourite?

slartibartfast's Profile: http://forums.slimdevices.com/member.php?userid=35609
Re: [slim] https connection to LMS ?
People asking for https does come up occasionally but given that the hardware players require http then it would be difficult for LMS to make a switch completely.

However, you are not asking for that. I am running Chrome 96 and have no issues accessing localhost or 127.0.0.1 or 192.168.x.y

Google are making changes in this area - but I think it is for requests that attempt to cross from public to private addresses and private or public to localhost. See https://developer.chrome.com/blog/private-network-access-update/

Do you have some sort of front-end that you access over https that then provides the link to LMS over http?

You could run nginx or similar in front of LMS - as a reverse proxy. It could terminate https and then relay over http to LMS. I think that it really should not be necessary with Chrome at least up to and including the planned version 102.

Paul Webster
author of "now playing" plugins covering radio france (fip etc), planetradio (bauer - kiss, absolute, scala, jazzfm etc), kcrw, abc australia and cbc/radio-canada and, via the extra "radio now playing" plugin lots more - see https://forums.slimdevices.com/showthread.php?115201-announce-radio-now-playing-plugin

Paul Webster's Profile: http://forums.slimdevices.com/member.php?userid=105