Trying to get me head round orenosp


CarlWalters
01-18-2005, 04:01 PM
as in the subject line - I'm trying to install orenosp using the instructions listed here (http://www.tivohelp.com/archive/tivohelp.swiki.net/83.html) however the version of orenosp that I have downloaded seems to be 0.8.3 and the sproxy.conf file looks a bit different.

Does anyone have an idiot's guide which covers the changes that need to be made to this newer flavour of sproxy.conf file?

I'm happy enough about the changes that need to be made to

# listen port
proxy_listen_name = lis-ssl 0.0.0.0@443 https

but everything else seems different

Fatbloke
01-19-2005, 02:06 AM
not quite what you asked - but here's the version I used.

orenosp038_e (www.steveconrad.co.uk/tivo/orenosp038_e.zip)

CarlWalters
01-19-2005, 04:31 AM
thanks very much - I'll give it a go tonight! I couldn't find an earlier version. I presume there's no problem using this as opposed to the latest all singing version?

Fatbloke
01-19-2005, 05:06 AM
Mine happily does the job and has never crashed as far as I'm aware.

btw - here's the CFG I use:

#
# Very simple orensp ssl reverse proxy configuration
# for 0.3.8 or later

# proxy listens on standard HTTPS port
# and forwards all requests to http://localhost:80

# listen port
proxy_listen_name = lis-ssl 0.0.0.0@443 https

# forward all requests received on lis-ssl to backend server (localhost:80)
proxy_pass_by = lis lis-ssl 192.168.1.200

#
# SSL: pass phrase for server private key
#
proxy_ssl_keypass = XXXXXXXX

# access log file
proxy_log_access_io = single logs/access.log

#proxy_auth_path = [options]
proxy_auth_path = / -u="LOGON_ID:XXXXXXXX" -rlm="Steve's TivoWeb Access"

#end



192.168.1.200 being my Tivo IP.
replace LOGON_ID and XXXXXXXX of course.

elvistheking
01-19-2005, 08:29 PM
Has anyone had any joy getting the gtOrenoPC (the Orensop powered VNC/RDP proxy) to also do reverse proxying for Tivo?

Stephen

CarlWalters
01-20-2005, 04:54 PM
OK - well I think it's working now I can certainly go to
https://mydomain.dyndns.org:xxxx/ and get to TiVoWeb. But I do then get a message that says something along the lines of

"The server's certificate chain is incomplete, and the signer(s) are not registered. Accept?"

and then something about

"the certificate for "localhost" is signed by the unknown certificate authority "Orenosp Auto-Generated CA xxxxxxxxxxxx". It is not possible to verify that this is a valid ...

Should I worry about this?

Fred Smith
01-20-2005, 06:10 PM
Well I don't worry, I get the second message and it all still works fine with these browsers: IE 6, Firefox 1 and Pocket IE. The only problem it causes me is that my mobile phone browser (Nokia 5140) keeps re-displaying it throughout a manual record input. So it's just a nuisance on the odd occasion I use the mobile. I have not seen the first message but maybe that's because you are using a later version of Orenosp than me.

iankb
01-20-2005, 07:05 PM
Originally posted by CarlWalters
"the certificate for "localhost" is signed by the unknown certificate authority "Orenosp Auto-Generated CA xxxxxxxxxxxx". It is not possible to verify that this is a valid ...

Should I worry about this?

That's because you haven't bought a site certificate from a trusted authority such as Verisign or Thawte. There's no point in wasting money by doing that, since you know that your site is a trusted one. If you wanted to, you could generate your own certificate using Microsoft tools, but it still wouldn't be trusted by anybody but you.

What's important is that you are using SSL, which negotiates a strong encryption key for hiding the entry of your username and password from nosy hackers.

CarlWalters
01-21-2005, 04:37 AM
OK - excellent. I shan't worry about that then :D

Now my next problem is when trying to access TiVoWeb from work (with Opera) which is the whole point - I navigate to

https://mydomain.dyndns.org:xxxxx

I get an error message

HTTP 502 Proxy Error - The specified Secure Sockets Layer (SSL) port is not allowed. ISA Server is not configured to allow SSL requests from this port. Most Web browsers use port 443 for SSL requests. (12204)
Internet Security and Acceleration Server.


Is this a problem with my work's setup or can I get around it by using the standard SSL port 443? I used a non standard port xxxxx as suggested in the orenosp set-up description.
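The 502 above is the work proxy (ISA Server) refusing to open a CONNECT tunnel to a non-443 port, which is exactly what a browser asks for when it loads an https:// URL through a corporate proxy. The script below is an added example, not from the thread or from orenosp: it sends the same CONNECT request a browser would and reports the proxy's status line, so you can tell "the proxy blocks this port" apart from "my router or orenosp is not answering". The proxy_host/proxy_port/target_host/target_port names are this example's own, and the fake proxy at the bottom is constructed for offline use; it allows port 443 only, mirroring the policy in the error message.

```python
"""Probe whether an HTTP proxy will tunnel (CONNECT) to a given host:port.

Added example, not code from the thread or from orenosp. A browser opening an
https:// URL through a corporate proxy sends `CONNECT host:port HTTP/1.1` and
waits for a status line: 200 means the tunnel is open, a 502 like the ISA
Server reply quoted in the thread means the proxy refuses that port.
"""
import socket
import threading


def probe_connect(proxy_host, proxy_port, target_host, target_port, timeout=5.0):
    """Send a CONNECT request via the proxy; return (status_code, reason).

    Returns (None, explanation) when the proxy itself is unreachable or its
    reply is not an HTTP status line.
    """
    request = (
        f"CONNECT {target_host}:{target_port} HTTP/1.1\r\n"
        f"Host: {target_host}:{target_port}\r\n"
        "\r\n"
    ).encode("ascii")
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
            sock.sendall(request)
            data = b""
            # Read until the end of the response headers, or until the proxy hangs up.
            while b"\r\n\r\n" not in data:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError as exc:
        return None, f"proxy unreachable: {exc}"
    status_line = data.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return None, f"unexpected reply: {status_line!r}"
    return int(parts[1]), (parts[2] if len(parts) == 3 else "")


# --- constructed fake proxy, for trying the probe offline --------------------

def _fake_proxy_handler(conn):
    """Minimal CONNECT handler: tunnels to port 443 only, like the ISA policy."""
    with conn:
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = conn.recv(4096)
            if not chunk:
                return
            data += chunk
        first = data.split(b"\r\n", 1)[0].decode("latin-1", "replace")
        try:
            method, target, _ = first.split(" ", 2)
            port = int(target.rsplit(":", 1)[1])
        except (ValueError, IndexError):
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\n\r\n")
            return
        if method == "CONNECT" and port == 443:
            conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
        else:
            # Constructed reply resembling the ISA Server message in the thread.
            conn.sendall(b"HTTP/1.1 502 Proxy Error (SSL port not allowed)\r\n\r\n")


def start_fake_proxy():
    """Start the fake proxy on an ephemeral loopback port; return (host, port)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(5)

    def serve():
        while True:
            conn, _ = server.accept()
            threading.Thread(target=_fake_proxy_handler, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return server.getsockname()


if __name__ == "__main__":
    host, port = start_fake_proxy()
    for target_port in (443, 8443):
        print(target_port, probe_connect(host, port, "mydomain.dyndns.org", target_port))
```

Against a real work proxy you would call probe_connect with the proxy address from the browser's connection settings and your dyndns name; a 200 for 443 and a 502 for the non-standard port confirms the problem is the proxy policy, not your home setup.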

B33K34
01-21-2005, 05:56 AM
The easy answer to this one is to try using 443!

My attempts to forward other ports through my Netgear router were unsuccessful and I figure it's secure enough.

Currently I'm using the supplied Certificate. A brief look at the instructions for generating my own with the tools supplied with orenosp established that it would need a bit of time to work out. Is it worth the effort or is the orenosp "test" certificate enough?

CarlWalters
01-21-2005, 06:43 AM
does anyone have any idea how I could test whether an https://xxxxxx:443 address would work from here at my work PC? Is there a site I could browse to to check?

iankb
01-21-2005, 06:45 AM
The only benefit of having a personalised certificate is that anybody connecting to your site with SSL is assured that they haven't been redirected to some other place, where somebody could attempt to grab your login or other details. However, unless you buy a trusted certificate, anybody could create a certificate with your details, and so that doesn't really solve anything. Apart from the cost, a trusted certificate is only issued when they have performed Dun & Bradstreet checks, etc, on your company to prove who you say you are.

Since there is no commercial reason for somebody to impersonate your site, I wouldn't worry.

iankb
01-21-2005, 06:56 AM
You don't need to specify port 443 if you prefix the URL with https, since that is the default. Your company firewall will almost certainly allow port 443 out, since you wouldn't be able to use sites that require credit card entry, etc, without it.

The problem with using non-standard ports sounds like it might be an issue with a software firewall on your home PC. Are you running Windows XP SP2 firewall, Norton Internet Security, or similar? It would be best if your router allows you to translate a high-numbered port to port 443 when you specify port redirection, since port scanners are less likely to check high-numbered ports.

Fatbloke
01-21-2005, 07:31 AM
If your work is anything like mine (bank) then you'll only have port access to 80 (http) 443 (https) and 21 (ftp).
This has forced me to set my router to accept 443 as an incoming port, forwarding it to the PC running orenosp.

I'd ensure your setup runs correctly on 443 before trying anything else.

internet https-->port 443 on router --> port x on pc via port forwarding on router --> port xx on Tivo via port forwarding on orenosp.

iankb
01-21-2005, 08:05 AM
Actually, it's almost certainly a company firewall problem, since they appear to be using a proxy server to access the internet. Fatbloke is right in that you'll probably have to use port 443.

CarlWalters
01-21-2005, 08:40 AM
Originally posted by Fatbloke
If your work is anything like mine (bank) then you'll only have port access to 80 (http) 443 (https) and 21 (ftp).
This has forced me to set my router to accept 443 as an incoming port, forwarding it to the PC running orenosp.

I'd ensure your setup runs correctly on 443 before trying anything else.

internet https-->port 443 on router --> port x on pc via port forwarding on router --> port xx on Tivo via port forwarding on orenosp.

so I'd do something like


net stop orenosp
edit sproxy.conf to listen on port 443
net start orenosp?
change netgear router port forwarding to forward port 443 to orenosp
orenosp already forwards to TiVoWeb on port 80

B33K34
01-21-2005, 09:18 AM
That sounds right to me.

Fatbloke
01-21-2005, 10:58 AM
Agreed - the most important bit is that your router is listening to 443 from Internet traffic. This will (hopefully) be allowed by your work's firewall. Once it's in the router, that could then send in to port 666 for example where you could change orenosp to be listening. But tbh, it's more straightforward to keep them on the same ports :D

steford
01-22-2005, 03:58 AM
Anyone got tunnelling set up in orenosp? Tivo, xbox and router all available over my secure connection but I use remote ABC (a non http client for ABC) which I'd like to securely tunnel (and possibly telnet). My IP webcam also loses picture when I use orenosp to access it. Seems there's some way to run a Java applet from my server on my local machine and "VPN" via orenosp that way. Looks rather complicated though.

CarlWalters
01-22-2005, 07:09 AM
OK :) I have changed everything as suggested so that it all works from port 443. I can access TiVoWeb OK from my PC using https://mydomain.dyndns.org:443/ and
using my mobile phone (Sony Ericsson K700i) I can also go to https://mydomain.dyndns.org:443/ and I get asked to enter Username and Password (which can then be saved on the phone) and to my amazement I got the top level of TiVoWeb - on my phone!!! How cool is that! :D Dead exciting.

But - and there's always a but with me isn't there :) - I could navigate the top level of TiVoWeb but when I clicked on any of the main menus ("Search", "User Interface" etc) I just kept getting the top level menu. ie I couldn't navigate down to any of the useful bits.

I think my phone understands HTML (must do if it can see TiVoWeb menu I suppose). I'm not running TiVoWebWAP at all (and I don't think I need to). Any ideas why I can't go down a menu level?

Fozzie
01-22-2005, 10:22 AM
Any difference if you ditch the ":443/"? You shouldn't need that.

CarlWalters
01-22-2005, 01:24 PM
DOH :o

As usual it's just me. Sorry. The menus were displaying properly - it's just that I hadn't scrolled down to see them. So embarrassed!

So I can get to my TiVo via my K700i phone OK and navigate the menus. But is there any advantage to doing this via WAP pages rather than via the normal HTML pages? I assume that WAP pages must be "lighter" and would therefore be cheaper to download?

sanderton
01-22-2005, 05:04 PM
A little. Many phones won't do HTML.

CarlWalters
01-24-2005, 04:55 AM
Changing the port to the standard 443 works. I can now access TiVo from work! Cool!

What next...... :D

zippy7272
03-07-2005, 08:40 PM
Sorry to jump on your thread - may be someone here could help me?

I've installed the orenosp .exe included above and copied and replaced the .conf file from above.

Changed the login / password and ip address - to my tivo's ip address (not this PC)

I restart the service

I pull up IE and enter my ip address (this machine:443) - get the login & password prompt.

Enter them in, and get a 'standard' MS windows restricted access to protect me.

So I thought windows firewall (I'm on XP SP2 - with latest fixes installed) - switched it off (it's back on now!)

and still got the same - what do I have to do to tell IE 6 to stop protecting me?

SRB
03-17-2006, 04:24 PM
I've trawled and trawled and this seems to be the thread closest to my problem :
I've been running orenosp quite happily for about a year, no problems, using much the same script as Fat Bloke. However, a friend of mine has gone over to Skyplus and I recently bought his TiVo. I've now installed the second box on my network.

I tried to follow the "install 2 TiVos info" here:
tivohelp.swiki.net/83

but I can't get the service to run. As soon as I add the last line in the above article
It won't start. If I leave these lines out then I can access the two boxes via the 2 ports used (443 and 80), but not having the password is a bit pointless. If I use the line from my original 1 TiVo setup which starts : proxy_auth_path and has my single username and password (The Forum won't let me post the lines here)
and then add the port numbers to the web URL, it works fine, I can access both boxes BUT using the same password.

Is it possible to have different passwords for each box or is the service actually working as it should ?

Any help would be great.

CarlWalters
03-23-2006, 03:48 PM
Just got through the stresses of moving house and upgrading the PC to something a little less clunky. All seems good so far - wireless network OK, can ping and telnet tivo OK, can access TiVoWeb locally fine.

When I upgraded to this new PC (still WinXP) I used a TransferMyPC program to automatically copy across all the useful data. This seemed to work fine. So I decided to install orenosp on the new PC and get TiVoWeb accessible from work again. But the TransferMyPC program already seems to have transferred the orenosp service onto the new PC. So I thought I'd remove the whole thing and re-install afresh using the instructions here (http://www.tivohelp.com/archive/tivohelp.swiki.net/83.html).

- installed orenosp083_e
- created my sproxy.conf which looks like this

#
# Very simple orensp ssl reverse proxy configuration
# for 0.3.8 or later

# proxy listens on standard HTTPS port
# and forwards all requests to http://localhost:80

# listen port
proxy_listen_name = lis-ssl 0.0.0.0@443 https

# forward all requests received on lis-ssl to backend server (localhost:80)
proxy_pass_by = lis lis-ssl MyTiVoIPAddress

#
# SSL: pass phrase for server private key
#
proxy_ssl_keypass = MyPassword

# access log file
proxy_log_access_io = single logs/access.log

#proxy_auth_path = [options]
proxy_auth_path = / -u="MyUserName:MyPassword" -rlm="Carl's TivoWeb Access"

#end


- then ran "net start orenosp"

But I then get error messages like this


2006/03/23 20:41:46 [75484.75420](svmain)===== orenosp/0.8.3 starting up...
2006/03/23 20:41:46 [75484.75420](svmain)Couldn't read key file. key passphrase is wrong?
2006/03/23 20:41:46 [75484.75420](svmain)sslprof: failed to initialize SSL profile [svdflt]
2006/03/23 20:41:46 [75484.75420](svmain)orenosp svthread_init failed with status -1


Have I missed something obvious this time round (I usually do :D)
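Two things go wrong with hand-edited sproxy.conf files in this thread: placeholder values (XXXXXXXX, MyPassword) get left in, and when a config is pasted a directive can end up on the same line as the comment above it, where a line-oriented parser silently ignores it. The checker below is an added example, not part of the thread or of orenosp; it assumes only what the posted configs show (one `name = value` per line, `#` comments, and the five directive names used above), and it treats the second token of proxy_pass_by as the listener name, which is an assumption drawn from the comment "forward all requests received on lis-ssl". Both sample configs are constructed for this example.

```python
"""Sanity-check an orenosp sproxy.conf before `net start orenosp`.

Added example, not code from the thread or from orenosp. Assumptions: one
`name = value` directive per line, `#` starts a comment, and the second token
of proxy_pass_by names the listener it forwards (as the posted comments say).
"""
import re

KNOWN_DIRECTIVES = {
    "proxy_listen_name", "proxy_pass_by", "proxy_ssl_keypass",
    "proxy_log_access_io", "proxy_auth_path",
}
# Placeholder values from the configs posted in this thread; all must be replaced.
PLACEHOLDERS = {"XXXXXXXX", "LOGON_ID", "MyPassword", "MyUserName", "MyTiVoIPAddress"}
DIRECTIVE_RE = re.compile(r"\b(%s)\s*=" % "|".join(sorted(KNOWN_DIRECTIVES)))


def parse_conf(text):
    """Return (directives, warnings); directives maps name -> list of values."""
    directives, warnings = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # "#proxy_auth_path = ..." is a deliberately disabled directive, but a
            # directive glued to the END of a comment was meant to be live.
            body = line.lstrip("#").strip()
            m = DIRECTIVE_RE.search(body)
            if m and not body.startswith(m.group(1)):
                warnings.append(f"line {lineno}: '{m.group(1)}' sits on a comment line and is ignored")
            continue
        name, sep, value = line.partition("=")
        if not sep:
            warnings.append(f"line {lineno}: not a 'name = value' line: {line!r}")
            continue
        name, value = name.strip(), value.strip()
        if name not in KNOWN_DIRECTIVES:
            warnings.append(f"line {lineno}: unknown directive '{name}'")
        directives.setdefault(name, []).append(value)
    return directives, warnings


def lint(text):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    directives, findings = parse_conf(text)

    # Every listener needs a proxy_pass_by naming it, or requests go nowhere.
    listeners = {v.split()[0] for v in directives.get("proxy_listen_name", []) if v.split()}
    forwarded = {v.split()[1] for v in directives.get("proxy_pass_by", []) if len(v.split()) >= 3}
    for name in sorted(listeners - forwarded):
        findings.append(f"listener '{name}' has no proxy_pass_by; nothing is forwarded")

    # Work proxies commonly tunnel only to 443 (the ISA 502 earlier in the thread).
    for v in directives.get("proxy_listen_name", []):
        m = re.search(r"@(\d+)\s+https", v)
        if m and m.group(1) != "443":
            findings.append(f"listener '{v.split()[0]}' uses port {m.group(1)}; many work proxies allow only 443")

    if "proxy_auth_path" not in directives:
        findings.append("no proxy_auth_path: TiVoWeb would be reachable without a password")
    if "proxy_ssl_keypass" not in directives:
        findings.append("no proxy_ssl_keypass: the server key cannot be unlocked")

    for name, values in directives.items():
        for v in values:
            for ph in PLACEHOLDERS:
                if ph in v:
                    findings.append(f"{name} still contains placeholder '{ph}'")
    return findings


# Constructed sample: the merged comment line and untouched placeholders.
SAMPLE_CONF = """\
# listen port
proxy_listen_name = lis-ssl 0.0.0.0@443 https

# forward all requests received on lis-ssl to backend server (localhost:80) proxy_pass_by = lis lis-ssl MyTiVoIPAddress

proxy_ssl_keypass = MyPassword
proxy_log_access_io = single logs/access.log
proxy_auth_path = / -u="MyUserName:MyPassword" -rlm="Carl's TivoWeb Access"
"""

# Constructed sample with the problems fixed (values are made up).
FIXED_CONF = """\
# listen port
proxy_listen_name = lis-ssl 0.0.0.0@443 https
# forward all requests received on lis-ssl to the TiVo
proxy_pass_by = lis lis-ssl 192.168.1.200
proxy_ssl_keypass = correct-horse-battery
proxy_log_access_io = single logs/access.log
proxy_auth_path = / -u="carl:correct-horse-battery" -rlm="TivoWeb"
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print("SAMPLE:", finding)
    print("FIXED:", lint(FIXED_CONF) or "no findings")
```

The checker does not touch the SSL key itself, so the "Couldn't read key file" error above is outside its reach; it only makes sure the file orenosp reads is the file you think you wrote.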

ptruman
03-24-2006, 06:07 AM
I've got, and WAS running OrenoSP 0.8.4

It was a sod to setup, but I did tie it into Windows authentication using IIS.

However, I STRONGLY recommend doing what I do now, and buying a Linksys WRT54G or WRT54GS router (circa £80), upgraded to the DD-WRT or Sveasoft firmware, and running a DropBear SSH server on the router. This gives you SSL level encryption, lets you into TiVO and anything else on your network, along with lots of other good stuff (and your PC doesn't have to be on)

Talk to me first if you go the router route, there are a couple of things to be careful of (like AVOID the WRT54GS V5 - if you can, get a V2)

-MC-
03-28-2006, 02:44 PM
The error message shows that orenosp couldn't find the SSL certificate, you may have to regenerate a new one, preferably using the same "keypass" name that you used originally.

jkrell
06-16-2006, 12:02 PM
Originally posted by ptruman
I've got, and WAS running OrenoSP 0.8.4

It was a sod to setup, but I did tie it into Windows authentication using IIS.

However, I STRONGLY recommend doing what I do now, and buying a Linksys WRT54G or WRT54GS router (circa £80), upgraded to the DD-WRT or Sveasoft firmware, and running a DropBear SSH server on the router. This gives you SSL level encryption, lets you into TiVO and anything else on your network, along with lots of other good stuff (and your PC doesn't have to be on)

Talk to me first if you go the router route, there are a couple of things to be careful of (like AVOID the WRT54GS V5 - if you can, get a V2)

Question about this, if anyone is listening. I have a cable modem hooked up to a Vonage WIRED router, then through a 16-port switch to all the rooms in my house. Upstairs, I have a WRT54G which acts as a wireless access point and switch in our upstairs office.

If I set up my Vonage router to forward incoming requests to the WRT54G, which is at 192.168.2.1 (as opposed to the default 192.168.1.1), can I run DropBear on it as you mentioned above? It sounds interesting to me. Alternately, if I cannot do that I think I will just run a server on one of my Linux boxes (like my storage server) that is always on.

jkrell
06-16-2006, 12:07 PM
Originally posted by Fatbloke
Agreed - the most important bit is that your router is listening to 443 from Internet traffic. This will (hopefully) be allowed by your work's firewall. Once it's in the router, that could then send in to port 666 for example where you could change orenosp to be listening. But tbh, it's more straightforward to keep them on the same ports :D

Hey Guys:

This is going to fix the problem I am experiencing as well. I wonder why Orenosp does not mention the fact that many work computers restrict outgoing ports. This way, people would know why they cannot access it from work, etc. OK, enough ranting......

My question is:

I have 4 TiVos that I would like to be able to access remotely. Orenosp is supposed to be able to handle this, but you need to use different port numbers which it then forwards to different IP addresses on your network. How do you manage this if you can only use one port number (443, the default)?