MediaBrowser remote access over https

Posted:
Sun Jul 03, 2022 3:55 pm
by MikeL
Is there a way to set up Serviio to accept remote requests over https and disable http login?
Thanks
Mike
Re: MediaBrowser remote access over https

Posted:
Mon Jul 04, 2022 12:10 am
by atc98092
You can't disable HTTP login, but if you don't port forward your HTTP port it won't be accessible from outside your network. HTTP uses port 23424, while HTTPS uses port 23524. So only open port 23524 in your firewall/router and point it to your Serviio computer.
Note that you'll likely get a security certificate warning when you use HTTPS, since the Serviio web server doesn't have an SSL certificate that matches your public IP address/FQDN. I think there's a way to add your own certificate, but I don't know how it's done.
Re: MediaBrowser remote access over https

Posted:
Tue Jul 05, 2022 4:37 pm
by MikeL
Dan, sorry for delay in responding. Changing the port number did the trick - I'm embarrassed I missed it. Thank you.
I was able to get the Firefox browser on the client side to accept the self-signed certificate by clicking on the Advanced Button when the Security Alert popped up. From there I clicked on accept the risk and continue, which adds an exception in the certificate store so the next time I use the link to log in I do not get the security warning.
The certificate is linked to my external IP address so if this changes I will have to go through the above steps again.
Mike
Re: MediaBrowser remote access over https

Posted:
Tue Jul 05, 2022 7:23 pm
by atc98092
I use a dynamic DNS service, so I have a FQDN that doesn't change. But yes, if it's attached to an IP address it's likely going to change fairly often.
Re: MediaBrowser remote access over https

Posted:
Fri Jul 08, 2022 8:00 pm
by MikeL
So I've found a few things out since I set things up for https access that I thought people might be interested in.
I run "Untangle" as a frontend firewall to my home network. That's where I set up the port forwarding rule for Serviio Mediabrowser. One of Untangle's options allows me to flag the port forward events and add them into a report. I was surprised to see that I was getting multiple events occurring every hour. At first I thought they were due to some random port scanner, but the fact that they were so consistent and always from the same IP address made me doubt that, so I dug a little deeper.
The IP address is registered to Amazon, I think in W VA. Probably one of their cloud servers that websites are hosted on.
Turns out that the website "Canyouseeme.org" is hosted there. Looks like Zip's code is calling that site every hour (actual time depends on what time the Serviio service was started on the PC).
Normally this wouldn't be an issue but I wanted to add an extra layer of Security in my Port Forward rule by specifying a short list of valid source IP addresses that are allowed access. I can do this in Untangle but I have to specify actual addresses, I can't add CanyouSeeme by name. I could add the current IP address but I suspect that is liable to change also. However, blocking access from CanYouSeeme does not appear to have any adverse effects on the Serviio Service. I turned on debug logging to see if it would catch anything and it does seem to throw a handled java io exception - "Cannot Work out whether port 23524 is open or closed". But the Service continues to run and I can log into it.
I guess Zip is the only one that can confirm that constant failed checks will not be an issue.
I wrote a C# program for my PC to update the Serviio Firewall rules and move the source address checks to Windows. I can do a DNS query and get the latest address for CanYouSeeMe and add it to the list but I'm having an issue with the Firewall dropping local requests even though the firewall settings are to allow all local addresses. I think it's something to do with the self-signed certificate but not sure yet.
Re: MediaBrowser remote access over https

Posted:
Fri Jul 08, 2022 8:37 pm
by atc98092
Serviio can work with Amazon Alexa, so that's one possible reason why it's calling that site. There's no switch within Serviio to turn that function off, but I wouldn't be expecting an external source to be hitting that unless Alexa has been configured on the Amazon servers. You're right, only Zip would know the exact purpose of the callout.
No, I don't think you hurt any functionality with Serviio by blocking those pings. Based on that error message, it might simply be a check to see if the Serviio computer is online. Serviio does access themoviedb.org for retrieving media metadata, so it might be tied to that.
Re: MediaBrowser remote access over https

Posted:
Mon Jul 18, 2022 8:35 pm
by MikeL
Well I was finally able to spend some time yesterday trying to finalize my remote https access.
As I said earlier I was trying to arrange a set up where my Untangle firewall would block port forward attempts except from a select number of IP addresses. I ultimately moved away from that approach because I had no way of updating the list programmatically. Instead I moved all the checks to the Windows machine that is hosting Serviio.
I got around the problem I was having with the firewall blocking access from local devices (i.e. on the same subnet as Serviio) - turns out from the Windows firewall perspective those devices are also considered remote so had to be explicitly added to the allowed list.
So the Serviio firewall rules are now updated every hour to allow access to Serviio only from my approved list of addresses (and I did add the check to retrieve the current IP address of canyouseeme.org). So no more Serviio java exceptions!!
Mike
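
The hourly allowlist refresh described in the last post, sketched in PowerShell as an added example (it is not part of the thread and not MikeL's C# program). The rule name, the LAN subnet and the remote client address are assumptions; the port and the canyouseeme.org lookup come from the posts above.

```powershell
# Added example: rebuild the source-address allowlist on the inbound rule
# for Serviio's HTTPS port. Run elevated, e.g. from an hourly scheduled task.
$RuleName   = 'Serviio HTTPS allowlist'   # hypothetical rule name
$HttpsPort  = 23524                       # HTTPS port given in the thread
$StaticList = @(
    '192.168.1.0/24',                     # assumed LAN subnet; local devices must be listed explicitly
    '203.0.113.10'                        # constructed placeholder for an approved remote client
)
$HostNames  = @('canyouseeme.org')        # resolved on every run because its address may change

function Resolve-AllowedHosts {
    param([string[]]$Names)
    foreach ($name in $Names) {
        try {
            # -Type A can also return CNAME records; keep only entries carrying an address
            Resolve-DnsName -Name $name -Type A -ErrorAction Stop |
                Where-Object { $_.IPAddress } |
                ForEach-Object { $_.IPAddress }
        } catch {
            Write-Warning "DNS lookup failed for ${name}: $($_.Exception.Message)"
        }
    }
}

$resolved = @(Resolve-AllowedHosts -Names $HostNames)
if ($resolved.Count -eq 0) {
    # Keep the previous rule rather than dropping the last known-good address
    Write-Warning 'No hostnames resolved; leaving the existing rule unchanged.'
    return
}

$allowed = @($StaticList + $resolved | Sort-Object -Unique)

$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if ($rule) {
    # Replace the whole remote-address list so stale addresses are removed
    Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $allowed
} else {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $HttpsPort -RemoteAddress $allowed -Action Allow | Out-Null
}
Write-Output "Allowed sources for TCP ${HttpsPort}: $($allowed -join ', ')"
```

Windows Firewall allow rules are additive, so this list only restricts access if no other enabled inbound allow rule (for example one created for the Java process) covers port 23524 with a broader scope.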