Ummm.... With basic authentication, my server is open to the world without a password???

[LavaTiger99]

So I have my server setup on https via a URL so I can view from anywhere. I used to use the "secure session keys and login" option, however I recently unchecked that so I could pass triggers w/ passwords via URL (

https://myurl.com/admin?trigger&camera=cam1&user=username&pw=password

), which uses basic authentication.
Come to find out, my server has been accessible to the world from myurl.com without any type of authentication! Even tested accessing it from a tor browser outside my home network to confirm!
Why is this, that seems to defeat the whole purpose of authentication!
v 5.3.2.2

 

[mat200]

Welcome LavaTiger99....

hint: See the VPN notes...

 

[biggen]

So you port forward directly to your BI machine? That's bad. When you pass triggers like that is it passing your username and password in the clear as well?

You need a VPN server. You connect to that from outside your network first and then access BI.

 

[LavaTiger99]

No, sorry, triggers are only from the internal network, that should have read:
https://X.X.X.X:81/admin?trigger&camera=cam1&user=username&pw=password
I have NAT loopback for my URL, so I type it in all the time internally knowing that it is only routing locally.

 

[LavaTiger99]

I port forward 443/80 only for accessing the webUI