INTERACT FORUM

Please login or register.

Login with username, password and session length
Advanced search  
Pages: [1]   Go Down

Author Topic: Integrating webgizmo with nextcloud or owncloud  (Read 2322 times)

mwillems

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 5239
  • "Linux Merit Badge" Recipient
Integrating webgizmo with nextcloud or owncloud
« on: February 25, 2017, 07:53:00 am »

Webgizmo/panel is a fantastic JRiver feature, but at the moment it has some limitations with respect to access management and security, especially if you use public wifi.  For example, webgizmo doesn't support https, and only supports one set of authentication credentials. 

One way to work around those limitations is to embed webgizmo in another authentication/access system.  The easiest way to do that is to setup a home vpn, and many modern routers have vpn functionality built in.  If you're already running Nextcloud (or possibly owncloud) you can use it as an authentication front end too, which is what this post is about.  This post will not cover configuring nextcloud in general, or setting up media network: this is just about linking up a working nextcloud instance with a working webgizmo instance.  To my knowledge these instructions should work equally well with owncloud as this part of the code base hasn't been updated since the fork, but I can't test that personally. 

The first step is determining whether your nextcloud instance use https.  One limitation of the nextcloud integration is that sites linked through nextcloud must use https if the nextcloud instance uses https. 

a) If your nextcloud instance just uses normal unencrypted http, integration is very easy (but you lose out on one of the main benefits of this approach): just go to the "add apps" button (styled as a plus sign in the app drawer) and enable the "external sites" app.  Then go to the admin page, and find "external sites" under the "additional settings" tab (as I recall, owncloud didn't have tabbed browsing of the admin page, so you may just need to scroll until you see it).  There, just enter the ip address or domain name of your jriver instance (being sure to add the port to the end, i.e. ":52199").  Webgizmo will now show up in your app drawer, and all should work fine.

b) If your nextcloud instance uses https integration is harder, but has security benefits.  The key is setting up a reverse proxy to wrap webgizmo in https so it can interface with nextcloud. 

1) Certificates
You'll need certificates for https to work.  If you're already using https for nextcloud you know the drill on how to either make your own certs or get real ones (from e.g. letsencrypt).  You'll either need to make new certs for your jriver host, or add it to your existing real nextcloud cert.  Getting the certs set up is a little out of scope, but I will pass on one piece of advice.    Certs generally need to point to hostnames or public ips, but the point of this guide is to permit you to host webgizmo without exposing it directly to the web.  The fix is to choose a host/domain name for your webgizmo (i.e. jriver.yourcloud.com).  Then, add that host/domain to your nextclouds hosts file pointing to the correct local ip.  If you're doing self-signed certs that's all you need.  If you're using real certs, tell your DNS service to direct queries for jriver.yourcloud.com to your publicly accessible nextcloud ip address.  You can then use your nextcloud box to renew the certs for your jriver instance (but you'll need to move the certs yourself).

2) Reverse Proxy
I'll provide a sample configuration I use for an apache reverse proxy on linux, but the same basic config elements should work using apache on windows.  A forum user is working on a much easier windows reverse proxy solution, but I'm not sure that it's been made public yet.  Please note that my config includes some additional security tweaks from the CIS apache benchmark.  These may break compatibility with older browsers, and aren't necessary for a working config, but are more secure than the defaults.  In the code snippet all text enclosed like so <<text>> is a placeholder, you need to replace it with your own info.  If it's running on the same machine as jriver (which would be my advice), relace <<jriver-ip-address>> with "localhost"

On debian linux, the following config should go in a .conf file in the "sites-available" apache directory or replace the default ssl site in sites-available.  On other apache setups, it should go whereever you put site config.

Code: [Select]
<IfModule mod_ssl.c>
  <VirtualHost _default_:443>
  ServerAdmin webmaster@localhost
  ServerName <<hostname>>.<<domain>>
  ProxyPreserveHost On
  ProxyRequests off
  ProxyVia On
<Proxy *>
  Order deny,allow
  Allow from all
</Proxy>
  RewriteEngine On
  RewriteCond  %{QUERY_STRING}  ^$
  RewriteRule ^(.*)$ http://<<jriver-ip-address>>:52199$1 [P,L]
  ProxyPass / http://<<jriver-ip-address>>:52199/
  ProxyPassReverse / <<jriver-ip-address>>:52199/

# This is the recommended log level from the Benchmark
  LogLevel info ssl:info
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined
  SSLEngine on
#Restrict Protocols and Ciphers to only the most secure
#Can create compat problems with older browsers
  SSLProtocol TLSv1.1 TLSv1.2
  SSLHonorCipherOrder On
  SSLCipherSuite ALL:!EXP:!NULL:!ADH:!LOW:!SSLv2:!SSLv3:!MD5:!RC4
#This defeats certain kinds of attacks according to CIS
  SSLCompression Off
# Location of certs and key
  SSLCertificateFile  <<path-to-cert>>
  SSLCertificateKeyFile  <<path-to-key>>

  <FilesMatch "\.(cgi|shtml|phtml|php)$">
  SSLOptions +StdEnvVars
  </FilesMatch>
  <Directory /usr/lib/cgi-bin>
  SSLOptions +StdEnvVars
  </Directory>

 </VirtualHost>
 </IfModule>

You will also need to enable the ssl and proxy mods on your apache instance and then restart apache.  On debian, you do this by running the following commands as root or sudo.
Code: [Select]
a2enmod proxy
a2enmod proxy_http
a2enmod ssl
a2ensite <<the name of the .conf file you saved above>>
systemctl restart apache2

On other linux systems or windows you may need to use the apachectl command or other commands, but those three modules need to be enabled, and you need to turn on the site.

3) Nextcloud
Your reverse proxy should be working fine now.  Test it by going to https://your-proxy-ip-address in a browser.  You should see panel (or a scary but harmless browser warning if you use self-signed certs, just click through it).

The final step is to go to open nextcloud and go to the "add apps" button (styled as a plus sign in the app drawer) and enable the "external sites" app.  Then go to the admin page, and find "external sites" under the "additional settings" tab (as I recall, owncloud didn't have tabbed browsing of the admin page, so you may just need to scroll until you see it).  There, just enter https:// plus the ip address or host/domain name of your reverse proxy.  Webgizmo will now show up in your app drawer, and all should work fine.

4) JRiver authentication
One final tip:  if you use authentication in jriver, your nextcloud users will be prompted for credentials when they use webgizmo.  Since they've already logged into nextcloud you may want to bypass that for them.  Do that by entering the url for the external site in the admin panel as shown:
Code: [Select]
https://username:password@hostname.domain
In my setup I enable the new readonly credentials and use those in the url.  This prevents my cloud users from (even accidentally) changing anything in the jriver library exposed via webgizmo.

If anyone runs into issues I'm happy to help, but this is not for the faint of heart!
Logged

lepa

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 2036
Re: Integrating webgizmo with nextcloud or owncloud
« Reply #1 on: April 03, 2017, 09:52:08 am »

Most interesting. Thanks mwillems! I run Nextcloud on my raspberry Pi as a dropbox replacement so might try this some day
Logged
Pages: [1]   Go Up