control HS3 via external website (not myhs)


    I would like to set up my HS3 PC so I have external control, but not via myhs. One of the reasons is using PHLocation which requires a server address, but I cannot use myhs (yet). Another reason would be independence of myhs, if that is possible.
    So just to get an idea what's involved to start, how do I go about it?
    Buy a domain name would be the first step, wouldn't it? Then I somehow have to link HS3 to that website?

    #2
    Originally posted by mikee123
    I would like to set up my HS3 PC so I have external control, but not via myhs. One of the reasons is using PHLocation which requires a server address, but I cannot use myhs (yet). Another reason would be independence of myhs, if that is possible.
    So just to get an idea what's involved to start, how do I go about it?
    Buy a domain name would be the first step, wouldn't it? Then I somehow have to link HS3 to that website?

    Buy a domain name and point it to your public static IP address. Set up the required port forwarding in your router to forward those web requests to your server. You may need to reconfigure your Windows firewall as well.

    Sent from my SM-G935V using Tapatalk



      #3
      OK that's roughly what I thought. One problem, I have a dynamic IP, should have mentioned that but forgot. Port forwarding and firewall is easy.



        #4
        Originally posted by mikee123
        OK that's roughly what I thought. One problem, I have a dynamic IP, should have mentioned that but forgot. Port forwarding and firewall is easy.

        Just register a domain name through dyndns. You'll install a client that will run on your server that will keep your IP address updated on their server.

        Sent from my SM-G935V using Tapatalk



          #5
          I use VNC as a backup to MyHS. It is encrypted and you can choose the port to use and your own pw. Since you can connect directly to the screen of your server you can do other things as well.



            #6
            Originally posted by cowinger
            I use VNC as a backup to MyHS. It is encrypted and you can choose the port to use and your own pw. Since you can connect directly to the screen of your server you can do other things as well.

            Just had a quick look, that looks a little like TeamViewer, which I use to remotely control my PC.
            I think I need to go the domain route. That also gives me custom emails. The only little worry (apart from setting it all up) is security. Would that make my home network a more visible target?



              #7
              Originally posted by mikee123
              Just had a quick look, that looks a little like TeamViewer, which I use to remotely control my PC.
              I think I need to go the domain route. That also gives me custom emails. The only little worry (apart from setting it all up) is security. Would that make my home network a more visible target?

              No more visible than what it is already. Just remember that every port you open is a security vulnerability. Your best bet is to run HS on a virtual machine that has no access to other network resources. Just put the VM in a DMZ.

              Sent from my SM-G935V using Tapatalk



                #8
                Being that I use it as a backup I can only throw in a link to a PDF that will explain all the different ways to use VNC. It is port forwarded but uses 256-bit encryption (professional and enterprise).

                https://www.realvnc.com/documents/43...t-brochure.pdf



                  #9
                  Remember that myhs also secures the web traffic between the client connecting to HS3's management interface and HS3 across the public Internet. HS3 does not natively support SSL encryption out of the box. Entering your credentials on a non-secured connection across the public Internet is asking for trouble. My advice would be to find a way to secure that traffic across the Internet.

                  Personally, I have a Google domain that I bought for $12/yr. The service is pretty sweet. They offer DDNS subdomains that support automatic updates through an API. They also allow you to manage your own external DNS records.

                  In my Google domain management interface I created a DDNS custom record and tied it to a subdomain.
                  Example:
                  my-2nd-lvl-domain.net
                  Subdomain.my-2nd-lvl-domain.net

                  The Google DDNS subdomain supports an API updating tool that lets me point it to my DHCP WAN IP address for services I make available on the Internet.

                  I am also using Let's Encrypt's free service to create SSL certificates for my internal sites that I have made accessible on the Internet. I had trouble tying this to DDNS service subdomains because I didn't own the 2nd level domain. With the Google domain I own the 2nd level domain and I can create the custom TXT DNS records on my external DNS to prove to the Let's Encrypt service that I own the domain. Using my pfSense package add-on (kind of like an HS3 plugin), I even automated the certificate re-registration process that keeps my SSL certificates up to date.

                  I route all my inbound web traffic from the public Internet through a reverse proxy service. This allows me to:
                  1. Only need to punch one hole into my firewall for secure web services, then configure the reverse proxy to tie to any number of web-based internal resources, even on different physical systems.
                  2. Since I am binding the reverse proxy to a standard port (443 in my case) for secure web traffic, I don't need to enumerate the port in the URL (example: https://subdomain.my-2nd-lvl-domain.net instead of https://subdomain.my-2nd-lvl-domain.net:8080).
                  3. I can configure SSL management on one system and use my Let's Encrypt SSL rather than have to distribute it to each separate server.
                  4. Provide SSL encrypted web support to services that would otherwise not have it (HomeSeer).
                  5. The reverse proxy I use even supports client authentication to make the websites only available when a client system provides a valid non-public SSL certificate.
                  6. The other nice part of binding the reverse proxy to systems on multiple disparate servers is that I can differentiate them with a / at the end of the first level domain (example: https://subdomain.my-2nd-lvl-domain.net/homeseer can be linked to server 1 and https://subdomain.my-2nd-lvl-domain.net/securitycameras can be linked to server 2). From the outside this looks like the same place, just a different sub-directory.

                  Currently, I have my media management service hosted on my reverse proxy. My hope is to get the reverse proxy client authentication set up in order to only allow access to systems I have disbursed a client certificate to.

                  I use pfSense to host all the packages (squid reverse proxy, dynamic DNS sync tool, Let's Encrypt ACME agent) necessary to work with my Google domain, Google subdomain, Let's Encrypt SSL service, and Google external DNS.

                  You could likely replicate this to host an HS3 deployment on the public Internet and ensure that it is secure.

                  Sent from my iPhone using Tapatalk
                  Last edited by Kerat; May 16, 2017, 04:00 PM.
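
Added example, not part of the thread and not the poster's configuration: the reverse proxy layout from post #9 (one forwarded port, TLS terminated at the proxy, path-based routing, client-certificate authentication) written as an nginx server block, with nginx standing in for the squid reverse proxy the poster runs on pfSense. The hostname and the /homeseer and /securitycameras paths are the post's own examples; the internal addresses, ports and certificate file paths are constructed placeholders.

```nginx
# nginx stand-in for the reverse proxy described in post #9 (added example).
# Internal IPs, ports and file paths below are placeholders, not from the thread.

server {
    # The only port forwarded at the firewall. Port 80 is not forwarded,
    # so HS3 credentials can never cross the Internet unencrypted.
    listen 443 ssl;
    server_name subdomain.my-2nd-lvl-domain.net;

    # Server certificate, managed once on the proxy (for example one issued
    # by Let's Encrypt) instead of being copied to every backend.
    ssl_certificate     /etc/ssl/proxy/fullchain.pem;
    ssl_certificate_key /etc/ssl/proxy/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Client authentication: a request that does not present a certificate
    # signed by this private CA is rejected before it reaches any backend.
    ssl_client_certificate /etc/ssl/proxy/home-clients-ca.pem;
    ssl_verify_client      on;

    # Path-based routing: one public name, several internal servers.
    # The trailing slash on proxy_pass strips the /homeseer/ prefix.
    location /homeseer/ {
        proxy_pass http://192.168.10.20:80/;      # HS3 web interface (server 1)
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /securitycameras/ {
        proxy_pass http://192.168.10.30:8080/;    # camera server (server 2)
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Nothing else on the internal network is published.
    location / {
        return 404;
    }
}
```

`nginx -t` checks the syntax before a reload. Whether HS3's pages render correctly under the `/homeseer/` prefix depends on how it builds its links, which the thread does not cover.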
