Fri Jul 08, 2022 8:00 pm by MikeL
So I've found a few things out since I set things up for https access that I thought people might be interested in.
I run "Untangle" as a frontend firewall to my home network. That's where I set up the port forwarding rule for Serviio Mediabrowser. One of Untangles options allows me to flag the port forward events and add them into a report. I was surprised to see that I was getting multiple events occurring every hour. At first I thought they were due to some random port scanner but the fact that they were so consistent and always from the same IP address made me doubt that so I dug a little deeper.
The IP address is registered to Amazon, I think in W VA. Probably one of their cloud servers that websites are hosted on.
Turns out that the website "Cayouseeme.org" is hosted there. Looks like Zip's code is calling that site every hour (actual time depends on what time the Serviio service was started on the PC).
Normally this wouldn't be an issue but I wanted to add an extra layer of Security in my Port Forward rule by specifying a short list of valid source IP addresses that are allowed access. I can do this in Untangle but I have to specify actual addresses, I can't add CanyouSeeme by name. I could add the current IP address but I suspect that is liable to change also. However, blocking access from CanYouSeeme does not appear to have any adverse affects on the Serviio Service. I turned on debug logging to see if it would catch anything and it does seem to throw a handled java io exception - "Cannot Work out whether port 23524 is open or closed". But the Service continues to run and I can log into it.
I guess Zip is the only one that can confirm that constant failed checks will not be an issue.
I wrote a C# program for my PC to update the Serviio Firewall rules and move the source address checks to Windows. I can do a DNS query and get the latest address for CanYouSeeMe and add it to the list but I'm having an issue with the Firewall dropping local requests even though the firewall settings are to allow all local addresses. I think it's something to do with the self-signed certificate but not sure yet.