Setting up NextPVR for Secure Remote Access - sub3/NextPVR GitHub Wiki

Setting up NextPVR and Apache for Secure Remote Access

Overview

To stream content securely from a NextPVR back-end server, we need a three-tier topology of some kind (the ideal topology is listed below):

  1. A client lying somewhere on the Internet/Cloud
  2. A reverse-proxy server
  3. NextPVR Back-end Server(s)
  4. A router/firewall between the Internet and the reverse-proxy server
  5. Optionally, a router/firewall between the reverse-proxy and the back-end servers

For the sake of simplicity, we will assume a topology with a single router/firewall facing the Internet and a single back-end server, with both the reverse-proxy server and the back-end server running on one Windows machine. For the reverse proxy we will use Apache 2.4 with the mod_proxy module enabled. For the clients, we will configure access to the NextPVR web interface and the NextPVR Kodi add-on. We will also use the default ports for HTTP (80) and SSL (443).

Please note that the installation of NextPVR and Apache 2.4 and the router/firewall configuration are out of scope for this guide.

Please also note that this guide describes the installation with Apache running on Windows, on the same machine as the NextPVR server. With very few changes to a few configuration directory and file names, the same configuration also applies to Apache hosted on UNIX (POSIX).

Last but not least, please note that this guide assumes a certificate issued by a Certificate Authority, in this case Let’s Encrypt. If you plan to use self-signed certificates, there are additional considerations, such as installing the self-signed certificates in Kodi too. For more information, take a look at https://kodi.wiki/view/SSL_certificates, and note that installing these probably requires root/administrator access.

High-Level Steps

  1. Acquire a Domain Name (using either Dynamic or Static DNS) that will point to the external IP of the internet router/firewall.
  2. On the internet router, configure port forwarding of TCP ports 80 and 443 to the Windows machine that will host the NextPVR back-end server and the Apache reverse-proxy server. If DNS is dynamic, some kind of automatic update needs to be set up (some internet routers support automatic dynamic DNS updates).
  3. On the PC server, install NextPVR back-end server (see Install Information) and Apache 2.4 HTTP server (see Installing and Using Apache HTTP Server)
  4. Perform Apache reverse-proxy setup
  5. Perform Apache SSL setup using the Let’s Encrypt service
  6. Perform NextPVR back-end server remote access setup
  7. Perform NextPVR Kodi add-on client setup

Detailed Steps

Perform Apache reverse-proxy setup

  1. Navigate to the following directory of the Apache HTTP server installation:

APACHE_HOME/conf

  2. Open the httpd.conf file for editing.
  3. Uncomment the following lines in httpd.conf:

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_http2_module modules/mod_proxy_http2.so
LoadModule ssl_module modules/mod_ssl.so

  4. Navigate to the following directory of the Apache HTTP server installation:

APACHE_HOME/conf/extra

  5. Open the httpd-vhosts.conf file for editing.
  6. Configure a virtual host listening on port 80 for ease of access to the NextPVR web interface, and redirect all requests to the SSL port so that the browser connects via SSL even if the user originally requested HTTP. In the file httpd-vhosts.conf add the following:

<VirtualHost *:80>
   ServerAdmin
   DocumentRoot "${SRVROOT}/htdocs"
   ServerName :80
   ErrorLog "logs/-error.log"
   CustomLog "logs/.log" common
   Redirect permanent / https:///
</VirtualHost>

where,

  • is the email of the HTTP server administrator.
  • is the domain name that will be used externally by the clients to connect to the reverse-proxy.

  7. Save changes to the httpd-vhosts.conf file.

Perform Apache SSL Setup

  1. Obtain an SSL certificate for the domain name. For example, if using Let’s Encrypt to provide the certificate, see Certbot Instructions | Certbot (eff.org) for easy generation of an SSL certificate on Windows.
  2. Navigate to the following directory of the Apache HTTP server installation:

APACHE_HOME/conf

  3. Open the httpd.conf file for editing.
  4. Uncomment (or add) the following line in the file httpd.conf to include the SSL configuration file:

Include conf/extra/httpd-ssl.conf

  5. Save changes to the httpd.conf file.
  6. Navigate to the following directory of the Apache HTTP server installation:

APACHE_HOME/conf/extra

  7. Open the httpd-ssl.conf file for editing.
  8. Add the following contents:

<VirtualHost *:443>
   SSLEngine On
   ServerAdmin
   ServerName :443
   SSLCertificateFile <File name_of_Server_public_certificate>
   SSLCertificateKeyFile <File name_of_Server_private_key>
   ProxyPreserveHost On
   ProxyPass / http://localhost:8866/
   ProxyPassReverse / http://localhost:8866/
</VirtualHost>

where,

  • is the email of the HTTP server administrator.
  • is the domain name that will be used externally by the clients to connect to the reverse-proxy.
  • <File name_of_Server_public_certificate> is the full path to the public certificate file, which includes the full chain all the way down to the server. Example using Let’s Encrypt certificates downloaded by certbot (see Certbot Instructions | Certbot (eff.org)):
    • SSLCertificateFile "${SRVROOT}/conf/ssl/fullchain.pem"
  • <File name_of_Server_private_key> is the full path to the private key. Example using Let’s Encrypt certificates downloaded by certbot (see Certbot Instructions | Certbot (eff.org)):
    • SSLCertificateKeyFile "${SRVROOT}/conf/ssl/privkey.pem"

  9. Save the changes to the httpd-ssl.conf file.

Perform NextPVR back-end-server remote access setup

  1. Set up an Access Pin (see Additional Setup)
  2. Check the Allow remote access check-box in Access Settings (see Additional Setup)
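
Added example (not part of the original guide or of the NextPVR or Apache projects): once Apache has been restarted with the two virtual hosts above and remote access is enabled, the Python script below checks the result from the client side: that port 80 answers with a permanent redirect to HTTPS, that the certificate validates against the system trust store without any manually installed certificate, and that the plain-HTTP NextPVR port 8866 is not reachable through the router. The host name pvr.example.org and all function names are assumptions made for the illustration.

```python
import http.client
import socket
import ssl
import sys
from datetime import datetime, timezone


def redirect_ok(status, location, domain):
    """The port-80 virtual host must answer 301 and point at https://<domain>/."""
    target = (location or "").lower()
    return status == 301 and target.startswith("https://" + domain.lower() + "/")


def days_left(not_after, now=None):
    """Days until expiry, from the notAfter string returned by getpeercert()."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - (now or datetime.now(timezone.utc))).days


def port_open(host, port, timeout=5):
    """True if a TCP connection to host:port succeeds."""
    try:
        socket.create_connection((host, port), timeout=timeout).close()
        return True
    except OSError:
        return False


def probe(domain, backend_port=8866, timeout=5):
    """Run the three checks against a live deployment and return the findings."""
    conn = http.client.HTTPConnection(domain, 80, timeout=timeout)
    conn.request("HEAD", "/")
    resp = conn.getresponse()
    findings = {"redirect_to_https": redirect_ok(resp.status, resp.getheader("Location"), domain)}
    conn.close()
    # The default context verifies the chain and the host name; a missing
    # intermediate (no full chain) or a self-signed certificate raises here.
    ctx = ssl.create_default_context()
    with socket.create_connection((domain, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=domain) as tls:
            findings["tls_version"] = tls.version()
            findings["cert_days_left"] = days_left(tls.getpeercert()["notAfter"])
    # NextPVR speaks plain HTTP on 8866; only ports 80 and 443 should be forwarded.
    findings["backend_exposed"] = port_open(domain, backend_port, timeout)
    return findings


if __name__ == "__main__":
    print(probe(sys.argv[1]))  # e.g. pvr.example.org (constructed placeholder)
```

Run it from a connection outside the home network so that the checks pass through the router's port forwarding.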

Perform NextPVR Kodi add-on client setup

  1. Open Kodi and navigate to settings
  2. From settings menu, navigate to File Manager
  3. On the left pane navigate to the following directory of Kodi installation:

Profile Directory/addon_data/pvr.nextpvr

  4. On the right pane, navigate to a folder that is writeable and that you can access with a text editor
  5. On the left pane, locate instance-settings-#.xml and right click on it (or long press) for the context menu to appear, then press copy to copy it to the folder in the right pane.
  6. Open the settings.xml file in an editor for editing.
  7. Specify the following contents:

443

<access_pin>

https

where,

  • is the domain name that will be used externally by the clients to connect to the reverse-proxy.
  • <access_pin> is the access pin that we set up previously at the NextPVR back-end server using its web interface.

  8. Save the changes to the instance-settings-#.xml file.
  9. Using the Kodi File Manager, go to the same locations, right click (or long-press) on instance-settings-#.xml for the context menu to appear, and then choose copy to copy it to the initial NextPVR folder on the machine where Kodi is installed.
  10. Restart Kodi to read the changes