Stremio / server-docker

Builds and publishes Docker image for new releases of server.js
GNU General Public License v2.0

FR: Better security when hosting the server #22

Open jkaberg opened 11 months ago

jkaberg commented 11 months ago

As I gather, currently the server is meant to be used only while on the LAN. However, obviously one can circumvent that, and while doing so you take a risk with regard to exposing the server on the WAN.

A simple solution to fix this would be to set an environment variable which would work as an authentication token, and the server would require the token to authenticate the streams. This would require some work on the clients.

Why do I expose the server on the WAN, you might ask? Well, quite frankly, it's easier than setting up a VPN on each client (which commonly routes all traffic instead of only Stremio traffic), and I can share one server, properly set up with a VPN, with several clients of my choosing.

Here's a simple example. Obviously I've got Let's Encrypt set up etc., but this gives the gist of what I'm currently doing.

version: "3.4"

services:
  traefik:
    image: traefik
    restart: unless-stopped
    command:
      - "--providers.docker=true"
      - "--entrypoints.web.address=:80"
    ports:
      - "80:80"
    volumes:
      # read-only mount, but API access to the Docker socket is still root-equivalent on the host
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - traefik

  vpn:
    image: ghcr.io/qdm12/gluetun
    restart: always
    cap_add:
      - net_admin
    volumes:
      - ${CONFIG_DIR}/vpn/client.conf:/gluetun/custom.conf
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
      - VPN_SERVICE_PROVIDER=custom
      - OPENVPN_CUSTOM_CONFIG=/gluetun/custom.conf
      - OPENVPN_USER=${OVPN_USER}
      - OPENVPN_PASSWORD=${OVPN_PWD}
      # no quotes here: in list form they would become part of the value gluetun sees
      - FIREWALL_INPUT_PORTS=11470
    labels:
      # labels live on the vpn container because stremio shares its network namespace;
      # router, service reference and service definition must all use the same name
      - "traefik.http.routers.stremio.rule=PathPrefix(`/`)"
      - "traefik.http.routers.stremio.entrypoints=web"
      - "traefik.http.routers.stremio.service=stremio"
      - "traefik.http.services.stremio.loadbalancer.server.port=11470"
    networks:
      - traefik

  stremio:
    image: stremio/server
    restart: unless-stopped
    environment:
      - NO_CORS=1
      - APP_PATH=/config
    volumes:
      - ${CONFIG_DIR}/stremio:/config
    devices:
      - /dev/dri:/dev/dri
    network_mode: "service:vpn"

networks:
  traefik:

rpersee commented 8 months ago

Have you tried to add an authentication middleware with traefik?
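
A hardened version of the compose file posted above, added here as an example; it is not part of the original issue and not the Stremio project's own configuration. It combines the two suggestions in this thread, requiring a credential before a stream is served (the token idea) and enforcing it with a Traefik authentication middleware (the reply above), at the proxy rather than inside server.js, so no client or server code changes are needed. The original file above is the weak setting: a catch-all `PathPrefix(`/`)` router on plain port 80 with no authentication. The hostname `stremio.example.com`, the ACME e-mail, the resolver name `le`, the middleware name `stremio-auth`, the `./traefik/...` host paths and the Traefik image tag are assumptions.

```yaml
version: "3.4"

services:
  traefik:
    image: traefik:v2.11   # assumption: any Traefik v2.x understands the options below
    restart: unless-stopped
    command:
      - "--providers.docker=true"
      # only containers that opt in with traefik.enable=true get a route
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # port 80 only redirects, so Basic-Auth credentials never travel unencrypted
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--certificatesresolvers.le.acme.tlschallenge=true"
      - "--certificatesresolvers.le.acme.email=admin@example.com"   # assumption
      - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # read-only mount, but API access to the Docker socket is still root-equivalent on the host
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik/letsencrypt:/letsencrypt
      # htpasswd file generated on the host; mounted into Traefik only, never into Stremio
      - ./traefik/users.htpasswd:/auth/users.htpasswd:ro
    networks:
      - traefik

  vpn:
    image: ghcr.io/qdm12/gluetun
    restart: always
    cap_add:
      - net_admin
    volumes:
      - ${CONFIG_DIR}/vpn/client.conf:/gluetun/custom.conf
    environment:
      - TZ=${TZ}
      - VPN_SERVICE_PROVIDER=custom
      - OPENVPN_CUSTOM_CONFIG=/gluetun/custom.conf
      - OPENVPN_USER=${OVPN_USER}
      - OPENVPN_PASSWORD=${OVPN_PWD}
      # admits 11470 on the docker-network interface only (not on the VPN tunnel)
      - FIREWALL_INPUT_PORTS=11470
    labels:
      - "traefik.enable=true"
      # Host() instead of PathPrefix(`/`): no catch-all route for scanners hitting the raw IP
      - "traefik.http.routers.stremio.rule=Host(`stremio.example.com`)"
      - "traefik.http.routers.stremio.entrypoints=websecure"
      - "traefik.http.routers.stremio.tls.certresolver=le"
      # every request to this router must pass the auth middleware first
      - "traefik.http.routers.stremio.middlewares=stremio-auth"
      - "traefik.http.routers.stremio.service=stremio"
      - "traefik.http.services.stremio.loadbalancer.server.port=11470"
      # usersfile sidesteps the $$-escaping pitfall of inline basicauth.users in compose
      - "traefik.http.middlewares.stremio-auth.basicauth.usersfile=/auth/users.htpasswd"
    networks:
      - traefik

  stremio:
    image: stremio/server
    restart: unless-stopped
    environment:
      - NO_CORS=1
      - APP_PATH=/config
    volumes:
      - ${CONFIG_DIR}/stremio:/config
    devices:
      - /dev/dri:/dev/dri
    # shares the vpn container's network namespace; nothing is published directly
    network_mode: "service:vpn"

networks:
  traefik:
```

Generate the credential file on the host before starting, e.g. `htpasswd -B -c ./traefik/users.htpasswd alice` (from apache2-utils or httpd-tools; `-B` selects bcrypt), and make sure `acme.json` is mode 600 or Traefik will refuse it. Every Stremio client must then send those credentials to the streaming server; whether a given client can do that for a custom server URL is not something this thread establishes, so verify with one client before relying on it. The middleware guards only the HTTP path through Traefik: it does not change what gluetun's firewall permits, and it does nothing for a server that is also reachable by some other route.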

jaruba commented 8 months ago

However, obviously one can circumvent that, and while doing so you take a risk with regard to exposing the server on the WAN.

This is why we tell all users that exposing the server to the web is a security risk and should not be done until officially supported.

As it stands, the server is meant for local and LAN use only. While it is (obviously) possible to circumvent this, we expect users that do have the skill to do it to also handle the security of the server themselves.

It is a valid request, and we have been thinking of options to secure the server for external use, but this task is set as low priority for now.