Paul Webster wrote: 
> I have had this working with the free ngrok service in the early days of
> this Skill ... but always fancied trying to get it working using nginx
> so that I did not have to re-do linking on restarting ngrok (wasn't
> convinced I would use it enough to justify paying for ngrok service to
> avoid the relink on restart).
> 
> Now I have it working with nginx as the proxy ... I should have made
> notes as I went through the steps and I still have a bit more to do ...
> mainly enabling the automatic renewal of the certificate every 60-90
> days.
> 
> The software building blocks that I used ... (all free)
> dynu.com - Dynamic DNS to map my IP address to hostname which,
> importantly, has an API to help generate certificates ("acme" process)
> acme.sh - script to generate and renew certificates (from Let's Encrypt
> in my case)
> ddclient - automatic renewal of dynamic hostname if my external IP
> address changes
> nginx - reverse proxy to authenticate inbound SSL connection and relay
> as http to LMS
> 
> I used a non-standard port for the SSL connection (which I then
> forwarded to a Raspberry Pi where all the above software is running) so
> could not use the typical https process to generate the certificate ...
> which is why I went for dynu.com and its support for the "acme" method
> (see https://acme.sh ).
> 
> In addition to the username/password, I have also enabled a check of the
> IP address that is issuing the request as an extra hurdle to be passed.
> However, I need to do some more research on this as I know that the
> skill can connect from a number of different Amazon IP addresses and
> these could change in the future. Maybe I need to have a check for a
> particular client certificate being presented but I have not checked to
> see if Amazon/Skill provides one.
> 
> If the overall setup proves to be stable then I'll probably try to do it
> again and write up the steps.

Good stuff. As far as whitelisting Amazon IPs goes, they publish a daily
list with a few thousand entries that keep changing, so it’s not a
realistic check. What I did with my Apache equivalent of your approach
is to use a uuid in the path name being proxied from. So just guessing
my joebloggs part of joebloggs.sytes.net is not enough, you need to
guess the uuid too. It’s an extra level of obscurity. And make sure to
block directory listing of the / directory root.

------------------------------------------------------------------------
philchillbill's Profile: http://forums.slimdevices.com/member.php?userid=68920
View this thread: http://forums.slimdevices.com/showthread.php?t=111016
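Putting the two posts together, here is an added example (not configuration from either poster) of the nginx side: an SSL listener on a non-standard port, a UUID path segment in front of HTTP basic auth, an optional source-IP check, and a plain-HTTP relay to LMS. Everything concrete in it is an assumption for illustration: the hostname joebloggs.dynu.net, external port 8443, LMS on 127.0.0.1:9000 (its default), certificate paths under /etc/nginx/ssl/ as installed by "acme.sh --install-cert", and the UUID itself, which you would generate with uuidgen.

```nginx
# Added example, not from the original posts. Assumed values: hostname,
# port 8443, LMS on 127.0.0.1:9000, cert paths, and the placeholder UUID.

server {
    listen 8443 ssl;
    server_name joebloggs.dynu.net;

    # Files written by: acme.sh --install-cert -d joebloggs.dynu.net \
    #   --key-file /etc/nginx/ssl/lms.key.pem \
    #   --fullchain-file /etc/nginx/ssl/lms.fullchain.pem \
    #   --reloadcmd "systemctl reload nginx"
    ssl_certificate     /etc/nginx/ssl/lms.fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/lms.key.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Anything that is not the secret path gets a flat 404: no directory
    # listing, no autoindex, nothing relayed to LMS, nothing to enumerate.
    location / {
        return 404;
    }

    # The hard-to-guess path segment is the "extra level of obscurity" from
    # the reply. It sits in front of real authentication, not instead of it.
    location /6f1c2b9a-3d4e-4f5a-8b6c-7d8e9f0a1b2c/ {
        auth_basic           "LMS";
        # Created with: htpasswd -B -c /etc/nginx/lms.htpasswd skilluser
        auth_basic_user_file /etc/nginx/lms.htpasswd;

        # Optional source-IP hurdle from the first post. Amazon's published
        # ranges change daily, so treat this as a bonus check, not the control.
        # 203.0.113.0/24 is a documentation range used as a placeholder.
        # allow 203.0.113.0/24;
        # deny  all;

        # The trailing slash on proxy_pass strips the UUID prefix, so the
        # skill's request to /<uuid>/jsonrpc.js reaches LMS as /jsonrpc.js.
        proxy_pass         http://127.0.0.1:9000/;
        proxy_http_version 1.1;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
    }
}
```

Two practical notes. First, the prefix trick suits a single API endpoint such as the skill's JSON-RPC call; browsing the full LMS web UI through the same path will break, because LMS emits root-relative links that land on the 404 location. Second, for the renewal step the first post still has to do, issuing the certificate with acme.sh's Dynu DNS provider (acme.sh --issue --dns dns_dynu -d joebloggs.dynu.net, with Dynu_ClientId and Dynu_Secret exported) leaves acme.sh's own cron job to renew it, and the --reloadcmd shown in the comment reloads nginx each time the files are replaced.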

_______________________________________________
plugins mailing list
plugins@lists.slimdevices.com
http://lists.slimdevices.com/mailman/listinfo/plugins