Logitech Media Server web UI https with certificates ?

[field64]

Is it possible to configure the web UI itself to use https with a server certificate ?
Even better, perhaps allow certificate based authentication, instead of username/password ?

[michaelherger]

Not easily, because the players access it on the same port, and they can't handle HTTPS.

LMS is not supposed to be used in "unfriendly" environments (aka. the internet). Use a VPN if you want to remotely access it? Or SSH tunneling?

[terual]

Of course you can also configure a reverse proxy on the same system which listens on port 443 en serves port 9000. This setup works fine for me the last couple of years. If you have a NAS you could also check if a reverse proxy is built-in (on Synology it is).

[field64]

Actually used socat to accomplish something like this. I need to triple check the options to ensure the client auth is working.
Browser has an x509 cert/key pair as does the server. squeezebox server demands username/password auth for the UI.

socat OPENSSL-LISTEN:9001,cert=server-cert.pem,cafile=client-cert,key=server-key.pem,fork,verify=0 TCP4:serverip:9000

From the client :
curl -v https://server.domain.org:9001

<TITLE>401 Authorization Required</TITLE> 401 Authorization is Required to access this Logitech Media Server <----- proves forwarding working * Closing connection 0 * TLSv1.2 (OUT), TLS alert, close notify (256):

Server allows 9000 only from the same IPv4 network where the squeezeboxes are, clients routed can only reach 9001

Not sure how difficult it would be to improve the UI portion to use https.

Thank you to everyone for the input and ideas !

[michaelherger]

But it wouldn't allow you to stream over that connection. And if you have to leave the default port open for your player to be able to play, then the "protected" port doesn't add any security. Your solution is only to remotely access a service, but not to stream remotely, isn't it?

[terual]

But it wouldn't allow you to stream over that connection. And if you have to leave the default port open for your player to be able to play, then the "protected" port doesn't add any security. Your solution is only to remotely access a service, but not to stream remotely, isn't it?

No, it's just for the web interface. I made everything on the lan accessible via https to remove those pesky security warnings in every browser nowadays.

[field64]

The entire system here is nicely confined to a "trusted' network, but the http triggers the IDS system, more the point of reducing annoyance, if the UI (easier than moving the players) were moved to another port, and used TLS , and perhaps client certificate auth, this would increase security (an option if people wanted the extra work).