Open ReK42 opened 2 years ago
@ReK42 Thanks so much for the compelling overview and proposed solutions. Those are the kind of messages maintainers love to see.
Most of the issues and suggestions you gave were already debated internally, and we always try to balance usability with security (that's the main reason some were not implemented).
I however agree there are some low-hanging fruits that we would love to start working on. If you would like to help us, I would suggest starting with points 1 and 2 (2 needs some further investigation if the client side accepts redirection to https). And later going to subsequent points.
My go-to solution for point 1 and ideally 2 would be using caddy, as it has an out-of-the-box auto-ssl feature which will greatly simplify the implementation. What is your take on this choice? Would you like to help us?
My go-to solution for point 1 and ideally 2 would be using caddy, as it has an out-of-the-box auto-ssl feature which will greatly simplify the implementation.
Caddy (v2) supports web sockets out of the box, so its reverse_proxy setup makes it trivial to access your Volumio device across WAN as well :-)
If someone is happy to help with a POC, we'll be happy to work on it
There are several significant security concerns with the way this distribution has been implemented:
ufw is as simple as: /etc/ufw/user.rules
which can be included in the image. cat /etc/services.
Custom ports can be added with ufw allow 1234/udp.