Access webapps through WAN IP/Port?

[ipdemons]

Hi, I was wondering if it is at all possible to broadcast my webapps through my WAN IP somehow. Obviously if I port forward to my server, I can connect to my HDA and it's setup (through port 80). but I want to be able to access things like AjaXplorer and webVNC without joining the VPN. Is this possible? Thanks

[gmw]

Possible, but very risky!
You would have to expose port 80 on your Amahi install to the wild internet.

Since Amahi has not (yet) been secured for this you are opening yourself up to hackers.
If you are a security expert you might be able to sort this out yourself, but it is still a big risk.

Bottomline: stick to the VPN for now.

[ipdemons]

Yes, but I'm sure you can understand the immense convenience of being able to access your files from a friend's computer or have them listen to one of your songs real quick without actually installing the vpn software. I guess it's just a waiting game though. Thanks

[noahod]

personally I think this is a huge thing missing from amahi too, though it may not be as hard to implement as you think.

Why not just change apache to use SSL with digest authentication for all web content, and set up the user with a self-signed SSL certificate? The only port the user would have to forward is port 443, which would assure that all data goes over SSL. Amahi could also optionally sell the user an SSL cert for XXX.yourhda.com as part of the pre-install details process, or after installation - actually raising some money for the amahi project.

Amahi really is incomplete with web-apps that can only be accessed at home or through a vpn - The whole point of a web application is anywhere access - if you have to run a VPN, you may as well use remote desktop / vnc and use the real application on your PC.

[bsk]

The thing that needs to be noted on this is that Amahi is a HOME SERVER and not a Web server.

To run your home server as a web server is all up to you.

Also, adito OpenVPN ALS is currently in beta and should be avaliable soon. This app is a web-based vpn program that runs in java, you access it by https://user.yourhda.com with the port it specifies and have logins. That way, no installing software.

[noahod]

Also, adito OpenVPN ALS is currently in beta and should be avaliable soon. This app is a web-based vpn program that runs in java, you access it by https://user.yourhda.com with the port it specifies and have logins. That way, no installing software.

Good work on picking Adito, I have used SSL-Explorer in a commercial setting before, it's a good product. Definitely a great idea to use for people who also want to do non web stuff over SSL, such as FreeNX, VNC, Remote desktop etc.

I'm interested in what the security / practical difference would be to using Adito vs Apache digest auth though,

In my mind you'd have higher security with apache, as you will get all security updates automatically through the fedora project, and there is more eyes on the code of apache (with it's majority market share) than on Adito, which has been abandoned by the company that created it.

I suppose one of the main barriers to implementation would be the way Amahi takes over DNS & DHCP, instead of using subfolders eg https://hda/musicplayer, which I'm not sure how you would do in the Apache configuration. I can't really say I agree with this way of doing things, as it is not typical behavior for a host (server) device, but more of a router / gateway device - which is confusing to a lot of users including one I saw who mistook Amahi for a router..

The thing that needs to be noted on this is that Amahi is a HOME SERVER and not a Web server.

To run your home server as a web server is all up to you.

The thing is, What is a home server these days? There are plenty of home server products where remote access is a core part of the offering.. Windows Home Server is an example. Remote access is available over HTTPS. I see netgear has something similar, though it might currently be VPN based. People have gotten used to the cloud way of doing things where their data is available anywhere using services such as Gmail, Windows Live Sync, Dropbox, or the new media streaming introduced in Media Player in Windows 7.

I should add I really love the project, and think it's fantastic what Amahi and the community has done so far. I hope my comments are taken constructively rather than antagonistically, I really do love the project.

[gmw]

Good comments -- and good discussion.

I am not an apache expert, but what you suggest sounds like a robust and practical solution!

[lou1z]

In my mind you'd have higher security with apache, as you will get all security updates automatically through the fedora project, and there is more eyes on the code of apache (with it's majority market share) than on Adito, which has been abandoned by the company that created it.

ssl-explorer wasn't abandoned. baracudda only wanted to invest in hardware and ssl-explorer forked from there and is still developed by one of the original programmers.
as for security, you may find that openvpn als (as it is now) has a lot more features and security than apache itself.
having said that, a straight forward ssl server such as apache is easier to use so my foot is in both camps here.
netgear does have some ssl vpn offerings but they are based on activex and from my experience, most corporates block this but allow java. getting activex installed without admin privileges can be a pain and limits you to certain browsers.

and you could use virtual servers with ssl-explorer so i would imagine you can with openvpn als, which would be a good balance for web-apps and normal apps.