FR: Better security when hosting the server #22

Open
jkaberg opened this issue Nov 2, 2023 · 2 comments

jkaberg commented Nov 2, 2023

As I gather currently the server is meant to be used only while on LAN. However obviously one can circumvent that, and while doing so you take a risk with regard to exposing the server on WAN.

A simple solution to fix this would be to set an environment variable which would work as an authentication token, and the server would require the token to authenticate the streams. This would require some work on the clients.

Why do I expose the server on WAN you might ask? Well, quite frankly it's easier than setting up VPN on each client (which commonly routes all traffic instead of only Stremio traffic), and I can share one server properly set up with VPN with several clients of my choosing.

Here's a simple example, obviously I've got letsencrypt set up etc., but to get a gist of what I'm currently doing.

```yaml
version: "3.4"

services:
  # Reverse proxy: the only container that publishes a host port
  traefik:
    image: traefik
    restart: unless-stopped
    command:
      - "--providers.docker=true"
      - "--entrypoints.web.address=:80"
    ports:
      - "80:80"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - traefik

  # VPN container: the stremio service shares its network namespace,
  # so the Traefik labels for the stream server live here
  vpn:
    image: ghcr.io/qdm12/gluetun
    restart: always
    cap_add:
      - net_admin
    volumes:
      - ${CONFIG_DIR}/vpn/client.conf:/gluetun/custom.conf
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
      - VPN_SERVICE_PROVIDER=custom
      - OPENVPN_CUSTOM_CONFIG=/gluetun/custom.conf
      - OPENVPN_USER=${OVPN_USER}
      - OPENVPN_PASSWORD=${OVPN_PWD}
      # No quotes: in list syntax they would become part of the value
      - FIREWALL_INPUT_PORTS=11470
    labels:
      - "traefik.http.routers.streamio.rule=PathPrefix(`/`)"
      - "traefik.http.routers.streamio.entrypoints=web"
      # Must match the service name defined on the next line
      - "traefik.http.routers.streamio.service=streamio"
      - "traefik.http.services.streamio.loadbalancer.server.port=11470"
    networks:
      - traefik

  # Stremio server: all of its traffic goes through the vpn container
  stremio:
    image: stremio/server
    restart: unless-stopped
    environment:
      - NO_CORS=1
      - APP_PATH=/config
    volumes:
      - ${CONFIG_DIR}/stremio:/config
    devices:
      - /dev/dri:/dev/dri
    network_mode: "service:vpn"

networks:
  traefik:
```

rpersee commented Jan 20, 2024

Have you tried to add an authentication middleware with traefik?
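
One way to do what this comment suggests, as an added example that is not code from the thread or from the Stremio project: a Compose override file that puts Traefik's basicAuth middleware in front of the `streamio` router from the compose file in the issue. The middleware name `stremio-auth`, the override filename and the htpasswd path are assumptions, and it assumes the clients in use can send HTTP Basic credentials.

```yaml
# docker-compose.auth.yml (hypothetical filename), applied on top of the original file:
#   docker compose -f docker-compose.yml -f docker-compose.auth.yml up -d
# Compose merges these volumes and labels into the existing service definitions.

services:
  traefik:
    volumes:
      # Assumed location of the credentials file. Create it on the host with:
      #   htpasswd -nB <user> > ${CONFIG_DIR}/traefik/users.htpasswd
      # Mounted read-only so the proxy cannot modify it.
      - ${CONFIG_DIR}/traefik/users.htpasswd:/auth/users.htpasswd:ro

  vpn:
    labels:
      # Define a basicAuth middleware backed by the mounted htpasswd file.
      # Using a file avoids escaping every "$" of the hash as "$$" in a label.
      - "traefik.http.middlewares.stremio-auth.basicauth.usersfile=/auth/users.htpasswd"
      # Strip the Authorization header before the request is forwarded,
      # so the credentials never reach the Stremio server.
      - "traefik.http.middlewares.stremio-auth.basicauth.removeheader=true"
      # Attach the middleware to the existing router. Requests without valid
      # credentials are answered with 401 by Traefik and are not forwarded
      # to port 11470.
      - "traefik.http.routers.streamio.middlewares=stremio-auth"
      # Basic credentials are only base64-encoded on the wire, so this router
      # should be served through the TLS setup the post mentions, not the
      # plain "web" entrypoint on port 80.
```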


jaruba commented Jan 20, 2024

> However obviously one can circumvent that, and while doing so you take a risk with regard to exposing the server on WAN.

This is why we tell all users that exposing the server to the web is a security risk and should not be done until officially supported.

As it stands, the server is meant for local and LAN use only; while it is (obviously) possible to circumvent this, we expect users that do have the skill to do it to also handle the security of the server themselves.

It is a valid request, and we have been thinking of options to secure the server for external use, but this task is set as low priority for now.
