
·
Yo Ho TiVo!
Joined
·
644 Posts
Discussion Starter · #1 ·
as in the subject line - I'm trying to install orenosp using the instructions listed here however the version of orenosp that I have downloaded seems to be 0.8.3 and the sproxy.conf file looks a bit different.

Does anyone have an idiot's guide which covers the changes that need to be made to this newer flavour of sproxy.conf file?

I'm happy enough about the changes that need to be made to

# listen port
proxy_listen_name = lis-ssl [email protected] https

but everything else seems different
 


·
Registered
Joined
·
620 Posts
not quite what you asked - but here's the version I used.

orenosp038_e
 

·
Yo Ho TiVo!
Joined
·
644 Posts
Discussion Starter · #3 ·
thanks very much - I'll give it a go tonight! I couldn't find an earlier version. I presume there's no problem using this as opposed to the latest all singing version?
 

·
Registered
Joined
·
620 Posts
Mine happily does the job and has never crashed as far as I'm aware.

btw - here's the CFG I use:
#
# Very simple orenosp ssl reverse proxy configuration
# for 0.3.8 or later

# proxy listens on standard HTTPS port
# and forwards all requests to http://localhost:80

# listen port
proxy_listen_name = lis-ssl [email protected] https

# forward all requests received on lis-ssl to backend server (localhost:80)
proxy_pass_by = lis lis-ssl 192.168.1.200

#
# SSL: pass phrase for server private key
#
proxy_ssl_keypass = XXXXXXXX

# access log file
proxy_log_access_io = single logs/access.log

#proxy_auth_path = [options]
proxy_auth_path = / -u="LOGON_ID:XXXXXXXX" -rlm="Steve's TivoWeb Access"

#end
192.168.1.200 being my Tivo IP.
replace LOGON_ID and XXXXXXXX of course.
 

·
Yo Ho TiVo!
Joined
·
644 Posts
Discussion Starter · #6 ·
OK - well I think it's working now I can certainly go to
https://mydomain.dyndns.org:xxxx/ and get to TiVoWeb. But I do then get a message that says something along the lines of

"The server's certificate chain is incomplete, and the signer(s) are not registered. Accept?"

and then something about

"the certificate for "localhost" is signed by the unknown certificate authority "Orenosp Auto-Generated CA xxxxxxxxxxxx". It is not possible to verify that this is a valid ...

Should I worry about this?
 

·
Still learning
Joined
·
779 Posts
Well I don't worry, I get the second message and it all still works fine with these browsers: IE 6, Firefox 1 and Pocket IE. The only problem it causes me is that my mobile phone browser (Nokia 5140) keeps re-displaying it throughout a manual record input. So it's just a nuisance on the odd occasion I use the mobile. I have not seen the first message but maybe that’s because you are using a later version of Orenosp than me.
 

·
Registered
Joined
·
6,468 Posts
Originally posted by CarlWalters
"the certificate for "localhost" is signed by the unknown certificate authority "Orenosp Auto-Generated CA xxxxxxxxxxxx". It is not possible to verify that this is a valid ...

Should I worry about this?
That's because you haven't bought a site certificate from a trusted authority such as Verisign or Thawte. There's no point in wasting money by doing that, since you know that your site is a trusted one. If you wanted to, you could generate your own certificate using Microsoft tools, but it still wouldn't be trusted by anybody but you.

What's important is that you are using SSL, which negotiates a strong encryption key for hiding the entry of your username and password from nosy hackers.
 

·
Yo Ho TiVo!
Joined
·
644 Posts
Discussion Starter · #9 ·
OK - excellent. I shan't worry about that then :D

Now my next problem is when trying to access TiVoWeb from work (with Opera) which is the whole point - I navigate to

https://mydomain.dyndns.org:xxxxx

I get an error message

HTTP 502 Proxy Error - The specified Secure Sockets Layer (SSL) port is not allowed. ISA Server is not configured to allow SSL requests from this port. Most Web browsers use port 443 for SSL requests. (12204)
Internet Security and Acceleration Server.

Is this a problem with my work's setup or can I get around it by using the standard SSL port 443? I used a non standard port xxxxx as suggested in the orenosp set-up description.
 

·
ENABLED!
Joined
·
439 Posts
The easy answer to this one is to try using 443!

My attempts to forward other ports through my Netgear router were unsuccessful and I figure it's secure enough.

Currently I'm using the supplied Certificate. A brief look at the instructions for generating my own with the tools supplied with orenosp established that it would need a bit of time to work out. Is it worth the effort or is the orenosp "test" certificate enough?
 

·
Registered
Joined
·
6,468 Posts
The only benefit of having a personalised certificate is that anybody connecting to your site with SSL is assured that they haven't been redirected to some other place, where somebody could attempt to grab your login or other details. However, unless you buy a trusted certificate, anybody could create a certificate with your details, and so that doesn't really solve anything. Apart from the cost, a trusted certificate is only issued when they have performed Dun & Bradstreet checks, etc, on your company to prove who you say you are.

Since there is no commercial reason for somebody to impersonate your site, I wouldn't worry.
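The thread's question is whether the "unknown certificate authority" warning matters when the proxy uses orenosp's auto-generated certificate. One way to keep that certificate and still confirm that a connection ends at your own proxy is to record its SHA-256 fingerprint once on the home network and compare it on later connections. This is an added example, not part of the original posts; the function names are illustrative and the sample "certificates" are constructed byte strings, not real X.509 data.

```python
import hashlib
import hmac
import ssl


def fingerprint(pem_cert: str) -> str:
    """SHA-256 over the DER encoding of the certificate, as lowercase hex."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    return hashlib.sha256(der).hexdigest()


def normalise(fp: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex as copied from a certificate viewer."""
    return fp.replace(":", "").replace(" ", "").lower()


def matches_pin(pem_cert: str, pinned_fp: str) -> bool:
    """True only if the presented certificate is byte-for-byte the pinned one."""
    return hmac.compare_digest(fingerprint(pem_cert), normalise(pinned_fp))


def fetch_cert(host: str, port: int = 443) -> str:
    """Fetch the server certificate without chain validation, which is needed
    here because the issuing CA is not in any trust store."""
    return ssl.get_server_certificate((host, port))


def check_server(host: str, pinned_fp: str, port: int = 443) -> bool:
    """Live check; host and port are whatever your own proxy is reachable on."""
    return matches_pin(fetch_cert(host, port), pinned_fp)


# Constructed stand-ins for two different certificates. Fingerprinting only
# hashes the decoded bytes, so any payload demonstrates the comparison.
SAMPLE_HOME_CERT = ssl.DER_cert_to_PEM_cert(b"constructed-orenosp-cert-bytes")
SAMPLE_OTHER_CERT = ssl.DER_cert_to_PEM_cert(b"constructed-substituted-cert")

if __name__ == "__main__":
    pin = fingerprint(SAMPLE_HOME_CERT)  # recorded once on the home LAN
    print("pinned fingerprint:", pin)
    print("same certificate  ->", matches_pin(SAMPLE_HOME_CERT, pin))
    print("other certificate ->", matches_pin(SAMPLE_OTHER_CERT, pin))
```

A mismatch means the certificate presented is not the one recorded at home, for example because the proxy regenerated it or because something between you and the proxy is terminating the SSL session.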
 

·
Registered
Joined
·
6,468 Posts
You don't need to specify port 443 if you prefix the URL with https, since that is the default. Your company firewall will almost certainly allow port 443 out, since you wouldn't be able to use sites that require credit card entry, etc, without it.

The problem with using non-standard ports sounds like it might be an issue with a software firewall on your home PC. Are you running Windows XP SP2 firewall, Norton Internet Security, or similar? It would be best if your router allows you to translate a high-numbered port to port 443 when you specify port redirection, since port scanners are less likely to check high-numbered ports.
 

·
Registered
Joined
·
620 Posts
If your work is anything like mine (bank) then you'll only have port access to 80 (http) 443 (https) and 21 (ftp).
This has forced me to set my router to accept 443 as an incoming port, forwarding it to the PC running orenosp.

I'd ensure your setup runs correctly on 443 before trying anything else.

internet https-->port 443 on router --> port x on pc via port forwarding on router --> port xx on Tivo via port forwarding on orenosp.
 

·
Registered
Joined
·
6,468 Posts
Actually, it's almost certainly a company firewall problem, since they appear to be using a proxy server to access the internet. Fatbloke is right in that you'll probably have to use port 443.
 

·
Yo Ho TiVo!
Joined
·
644 Posts
Discussion Starter · #16 ·
Originally posted by Fatbloke
If your work is anything like mine (bank) then you'll only have port access to 80 (http) 443 (https) and 21 (ftp).
This has forced me to set my router to accept 443 as an incoming port, forwarding it to the PC running orenosp.

I'd ensure your setup runs correctly on 443 before trying anything else.

internet https-->port 443 on router --> port x on pc via port forwarding on router --> port xx on Tivo via port forwarding on orenosp.
so I'd do something like

  • net stop orenosp
  • edit sproxy.conf to listen on port 443
  • net start orenosp?
  • change netgear router port forwarding to forward port 443 to orenosp
  • orenosp already forwards to TiVoWeb on port 80
 

·
ENABLED!
Joined
·
439 Posts
That sounds right to me.
 

·
Registered
Joined
·
620 Posts
Agreed - the most important bit is that your router is listening to 443 from Internet traffic. This will (hopefully) be allowed by your work's firewall. Once it's in the router, that could then send in to port 666 for example where you could change orenosp to be listening. But tbh, it's more straightforward to keep them on the same ports :D
 

·
Registered
Joined
·
179 Posts
Anyone got tunnelling set up in orenosp? Tivo, xbox and router all available over my secure connection but I use remote ABC (a non http client for ABC) which I'd like to securely tunnel (and possibly telnet). My IP webcam also loses picture when I use orenosp to access it. Seems there's some way to run a Java applet from my server on my local machine and "VPN" via orenosp that way. Looks rather complicated though.
 

·
Yo Ho TiVo!
Joined
·
644 Posts
Discussion Starter · #20 ·
OK :) I have changed everything as suggested so that it all works from port 443. I can access TiVoWeb OK from my PC using https://mydomain.dyndns.org:443/ and
using my mobile phone (Sony Ericsson K700i) I can also go to https://mydomain.dyndns.org:443/ and I get asked to enter Username and Password (which can then be saved on the phone) and to my amazement I got the top level of TiVoWeb - on my phone!!! How cool is that! :D Dead exciting.

But - and there's always a but with me isn't there :) - I could navigate the top level of TiVoWeb but when I clicked on any of the main menus ("Search", "User Interface" etc) I just kept getting the top level menu. i.e. I couldn't navigate down to any of the useful bits.

I think my phone understands HTML (must do if it can see TiVoWeb menu I suppose). I'm not running TiVoWebWAP at all (and I don't think I need to). Any ideas why I can't go down a menu level?
 