FR: Better security when hosting the server
As I gather, the server is currently meant to be used only on the LAN. However, obviously one can circumvent that, and while doing so you take a risk with regard to exposing the server on WAN.
A simple solution to fix this would be to set an environment variable which would work as an authentication token, and the server would require the token to authenticate the streams. This would require some work on the clients.
Why do I expose the server on WAN, you might ask? Well, quite frankly it's easier than setting up a VPN on each client (which commonly routes all traffic instead of only Stremio traffic), and I can share one server, properly set up with a VPN, with several clients of my choosing.
Here's a simple example; obviously I've got Let's Encrypt set up etc., but this gives the gist of what I'm currently doing.
version: "3.4"
services:
  traefik:
    image: traefik
    restart: unless-stopped
    command:
      - "--providers.docker=true"
      - "--entrypoints.web.address=:80"
    ports:
      - "80:80"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - traefik
  vpn:
    image: ghcr.io/qdm12/gluetun
    restart: always
    cap_add:
      - net_admin
    volumes:
      - ${CONFIG_DIR}/vpn/client.conf:/gluetun/custom.conf
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
      - VPN_SERVICE_PROVIDER=custom
      - OPENVPN_CUSTOM_CONFIG=/gluetun/custom.conf
      - OPENVPN_USER=${OVPN_USER}
      - OPENVPN_PASSWORD=${OVPN_PWD}
      # no quotes here: in list form they would become part of the value gluetun sees
      - FIREWALL_INPUT_PORTS=11470
    labels:
      # Stremio shares this container's network namespace, so the Traefik labels live here
      - "traefik.http.routers.streamio.rule=PathPrefix(`/`)"
      - "traefik.http.routers.streamio.entrypoints=web"
      # must match the service name defined in the loadbalancer label below
      - "traefik.http.routers.streamio.service=streamio"
      - "traefik.http.services.streamio.loadbalancer.server.port=11470"
    networks:
      - traefik
  stremio:
    image: stremio/server
    restart: unless-stopped
    environment:
      - NO_CORS=1
      - APP_PATH=/config
    volumes:
      - ${CONFIG_DIR}/stremio:/config
    devices:
      - /dev/dri:/dev/dri
    network_mode: "service:vpn"
networks:
  traefik:
Have you tried adding an authentication middleware with Traefik?
However, obviously one can circumvent that, and while doing so you take a risk with regard to exposing the server on WAN.
This is why we tell all users that exposing the server to the web is a security risk and should not be done until officially supported.
As it stands, the server is meant for local and LAN use only; while it is (obviously) possible to circumvent this, we expect users who do have the skill to do it to also handle the security of the server themselves.
It is a valid request, and we have been thinking of options to secure the server for external use, but this task is set as low priority for now.