Read the statement by Michael Teeuw here.
Reverse Proxy and Private Modules
-
Hi,
-
is possible if you use subdomains, e.g. https://magicmirror.yourdomain.com
It does’nt work with subpaths at the moment, e.g. https://yourdomain.com/magicmirror
There is an open issue and a corresponding pull request. If this pr is merged, subpath is also possible. -
Don’t know what you mean exactly, the content of the config.js is (normally) not reachable from the browser. Or should these private calendar items not appear on the website?
Karsten.
-
-
Hi Karsten,
Thank you for the advice on the subdomains & subpaths. I need to chew on this one a bit and also play a bit more with apache, but I think I’m able to figure it out. It’ll also be easy for me once the pr is merged, as I then just copy the setup I have for NextCloud.
With regards to the private modules; you state that the browser does not see the content of the config.js. Does this mean that when I open an external browser, the calendar items are provided by the Magic Mirror instead from Google Calendar directly (and thus, my calendar url stays a secret)?
Even if this is the case, I don’t know if this is a solution I like to have. This still means that a potential hacker can very easily see if I’m on a vacation or not, which is not something I want to compromise.
If it’s possible, I would like these calendar items not to appear on the website at all, but still have them shown on my mirror at home (as the kids do need to know when we are going on holiday! :) ). I don’t want my calendar URL to be sent to the browser in any way or that my calendar items are sent in any way other than to the localhost.Jesper
-
config.js is accessible from browser. You can test this in your local network by accessing MM from a browser on another computer, view source and find out the URL of config.js. Then paste that URL into the browser and you get the whole config in plain text.
So to make a module private, you have to find a way around this, like reprogram the module to not use the config from client-side.
-
@retroflex thank you, your’re right.
Checked this again with this unmerged pr. With this pr, the config.js is no longer reachable per browser, so we have to wait for the next release where this is hopefully merged.
@Jessendelft other possibilities:
- you can whitelist the ip adresses which are allowed to access the mirror
- you run 2 instances of the mirror, one private restricted to localhost access and one public with content everyone is allowed to see
-
@karsten13 Running 2 instances, ofcourse! And then in the config I can easily restrict the current setup to localhost only, while the second one can be an open version.
When I read it, I really wondered why I haven’t thought of this myself. Thank you! :) -
@Jessendelft It receives and relays all your requests to the resource you want to access. The proxy server can change your IP address, country of location, and region in the process. Try https://soax.com/911-proxy-socks and make a reverse connection. The outgoing IP addresses of most free proxies have long been listed in various SPAM databases and blocklists. These addresses will be blocked on most popular resources, so there is no way to use these proxies for mailing lists or mass registration on social networks.