Hack 80. Putting Your TiVo on the Web

   


All your TiVoWeb usage thus far has probably been done from the comfort of your own home network. But the true magic lies in reaching your TiVo from anywhere in the world.

You're probably itching to put your TiVo on the Web so that it can be accessed from anywhere in the world. Otherwise, why would you go through the trouble of web-enabling your TiVo box, rather than simply standing in front of your television set, remote control in hand?

While you have about all you need to put your TiVo on the Web, beware of the dragons there. Simply giving your TiVo one of your broadband account's static IP addresses and opening it to the world is fraught with dangers. While I have been touting the TiVo as a Linux PC's little brother, I've been glossing over the fact that the TiVo's networking is not quite up to the level of its big brother. The simplest denial-of-service attack against your TiVo can take it out of commission. There's no built-in firewall, and it has not been battle-hardened against network intrusions. Authentication (allowing only discriminating access to your programming) is primitive at best.

And this assumes you even have the ability to run servers on your broadband connection, know something about IP addresses and port-forwarding, and so forth.

For these reasons, it's best to leave your TiVo behind your home network's firewall. Just access it from the inside, where things are safe and friendly.

Where's the fun in that?

There are three real options for getting your small box to a place where the Web can see it, and each option has its pros and cons. Think of these options as a continuum, balancing the simplest setup against the most secure infrastructure.

Port Forwarding and Security by Obscurity

If you have a broadband router (DSL or cable modem) in your home that can connect multiple computers to the Internet, chances are that your router can do something called port-forwarding. This means telling your router to route requests received on a particular port (think of channels) to a particular computer on your home network.

You can use this functionality to route requests on a particular port to your networked TiVo. Choose a port number that you will remember but that most people won't guess; my personal favorites are numbers like 8080, 8008, or the more obscure 8013, to pick one at random. Tell your router to forward all such requests to port 80 (the standard web server port, on which TiVoWeb runs) on your TiVo box, and access TiVoWeb by pointing your web browser at your router's IP address and the port you chose to forward.

Bear in mind that security by obscurity is in no way real security. If someone guesses the IP address and port at which your TiVo is reachable, they're in like Flynn.

TiVoWeb's Rudimentary Password Protection

For a little more protection from somebody who stumbles upon your Internet-accessible TiVo and decides to queue up lots of television shows for you to watch, TiVoWeb does have some rudimentary password-control mechanisms built into it. Set up your TiVo and router for port-forwarding, but then coerce your TiVoWeb to ask for a password every time.

To assign a username/password pair to your TiVoWeb server, you need to change the first two lines of your tivoweb.cfg file in the /var/hack/tivoweb-tcl directory:

    Username =
    Password =

You actually need to assign a username and a password on these two lines. If you have an editor on your TiVo [Hack #39] then you can just edit that file directly. No editor? No problem! Just execute the following commands on your TiVo:

    bash-2.02# cd /var/hack/tivoweb-tcl
    bash-2.02# echo Username = raffik >> tivoweb.cfg.hold
    bash-2.02# echo Password = pass >> tivoweb.cfg.hold
    bash-2.02# cat tivoweb.cfg | tail -5 >> tivoweb.cfg.hold
    bash-2.02# mv tivoweb.cfg.hold tivoweb.cfg

But you probably want to change the username/password pair from raffik / pass to something else. The preceding commands create a temporary file named tivoweb.cfg.hold, whose first two lines are the username and password lines. Now, if you look at the tivoweb.cfg file, you'll notice that it is seven lines long. The second-to-last command appends the last five lines of tivoweb.cfg to the tivoweb.cfg.hold file. Good to go. Now, just copy your new file over the old one.

Once you have made these changes, reset your TiVoWeb (Restart, then Quick Reload). If all goes well, the next time you try to access TiVoWeb, you'll be prompted for a username and password before being able to go any further.

Proxy Pass-Through with Apache

Now, while port-forwarding with passwords works and is probably safe, it still exposes the TiVoWeb and the TiVo itself directly to the vagaries of the Internet, something that should not necessarily be done lightly. In almost every case, it is probably OK to do so. But if you want to be extra secure, or if you are running PPP over the serial port, then setting up the Apache web server (downloadable from http://www.apache.org) to proxy pass-through is the way for you. In reality, any modern web server should be able to be configured for proxy pass-throughs.

Doing this will certainly take more hardware than the other two options. You are going to need another computer somewhere on your network that is prepared to be exposed to the Internet. That machine will accept all messages on the TiVo's behalf and then make the TiVo's request on the behalf of the requestor on the Internet. Because the computer's TCP/IP stack is more robust, it can handle erroneous or malicious connections. The computer processes connections that it deems as OK, and then it establishes its own connections to the TiVo (which are almost guaranteed not to be malicious) and passes the data back and forth.

Think of this process like having a bodyguard: your bodyguard makes sure that malicious people do not get to you. Your bodyguard provides all the protection, but every once in a while he is going to get a question about you that he cannot answer. He will then turn to you, ask the question, and relay the answer to whoever asked the question. Yeah, Apache is like the TiVo's bodyguard.

The following instructions assume you have Apache up and running on a computer on your home network and have port-forwarded requests on some port to this computer. I also assume that you already have Apache serving web pages from inside your network to the rest of the Internet.

We are going to use mod_proxy , a fairly standard Apache extension module designed to handle connection forwarding.

Edit your Apache server's httpd.conf file, commonly found at /etc/httpd/conf under Unix, /etc/httpd on Mac OS X, and in the conf subdirectory of your Apache installation on Windows. Make sure the following two lines are uncommented (i.e., they are not preceded by a # character at the beginning of the line):

    LoadModule proxy_module    modules/libproxy.so
    ...
    AddModule mod_proxy.c

These two directives will have Apache load the proxy module at startup.

Now, we need to map TiVoWeb into a portion of your Apache server's namespace. For example, if you can reach your web server on the Net as http://your.web.server, then you want to connect to your TiVoWeb installation by pointing your web browser to http://your.web.server/tivoweb. Obviously, your computer has a different name than your.web.server, and you might want it to have a different directory at the end of the URL.

Add the following lines to the end of your httpd.conf file, but replace tivo in http://tivo with the IP address of your TiVo, and replace /tivoweb with the directory where you want it to be:

    ProxyPass          /tivoweb    http://tivo/
    ProxyPassReverse   /tivoweb    http://tivo/

Lastly, we need to tell TiVoWeb that it is operating behind Apache in a specific directory. Again, the magic is in the tivoweb.cfg file. Either edit it using an editor on your TiVo to set the Prefix line to the name of the directory, or run the following commands on your TiVo:

    bash-2.02# cd /var/hack/tivoweb-tcl
    bash-2.02# head -3 tivoweb.cfg > tivoweb.cfg.hold
    bash-2.02# echo Prefix = tivoweb >> tivoweb.cfg.hold
    bash-2.02# cat tivoweb.cfg | tail -3 >> tivoweb.cfg.hold
    bash-2.02# mv tivoweb.cfg.hold tivoweb.cfg

Restart TiVoWeb and your Apache server. Now, all requests going to http://your.web.server/tivoweb should bring up TiVoWeb in your browser.
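Both tivoweb.cfg edits above (the Username/Password lines and the Prefix line) rely on the file being exactly seven lines long with the keys at fixed positions. The following is an added example, not code from the book or from TiVoWeb: a hypothetical helper, set_cfg_key, that rewrites a "Key = value" line by name instead of by line number, assuming a POSIX shell with printf.

```shell
# Added example: set one "Key = value" line in a TiVoWeb-style config file
# without depending on the file's length or on where the key sits.
# set_cfg_key is a hypothetical helper name; it uses only shell builtins and mv.
#
# Usage: set_cfg_key /var/hack/tivoweb-tcl/tivoweb.cfg Prefix tivoweb
set_cfg_key() {
    cfg=$1
    key=$2
    value=$3
    hold="$cfg.hold"          # same temporary-file name the hack uses
    found=0

    # Start from an empty hold file so a stale one cannot leak old lines.
    : > "$hold" || return 1

    # The "|| [ -n "$line" ]" keeps a final line that has no trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "$key ="*)
                # Rewrite the first matching line; drop any later duplicates.
                if [ "$found" -eq 0 ]; then
                    printf '%s = %s\n' "$key" "$value" >> "$hold"
                    found=1
                fi
                ;;
            *)
                printf '%s\n' "$line" >> "$hold"
                ;;
        esac
    done < "$cfg"

    # Key absent from the file: append it rather than guess a line position.
    [ "$found" -eq 1 ] || printf '%s = %s\n' "$key" "$value" >> "$hold"

    # Replace the original only after the new file is complete.
    mv "$hold" "$cfg"
}
```
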

One last thing to consider is using Apache's own password protection. Either way, be sure to turn off password protection on TiVoWeb if you turned it on, as it'll be prompting Apache, the middleman, for the username/password.

Password-protect the /tivoweb path by adding the following lines to the end of your Apache installation's httpd.conf file:

    <Location /tivoweb>
      AuthType Basic
      AuthName tivo
      AuthUserFile /etc/httpd/passwd
      Require user tivo
    </Location>

Restart Apache again for this change to take effect.

All that's left is to assign our TiVo user, specified in the aforementioned password-protection directives. Under Unix and Mac OS X, type:

 %  htpasswd -c /etc/httpd/passwd tivo  

You'll be prompted for a password and then prompted again to confirm it.

Apache will now be password-protecting the /tivoweb URL and looking for a valid username and password pair from the /etc/httpd/passwd file before allowing access to TiVoWeb.
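A proxied path only gets this protection if the `<Location>` path matches the ProxyPass path exactly as configured above. The following is an added example, not part of the book or of Apache: a hypothetical helper, unprotected_proxy_paths, that reads an httpd.conf and lists every ProxyPass path with no matching `<Location>` block carrying AuthType and a restrictive Require. It assumes a POSIX shell with awk and sort.

```shell
# Added example: list ProxyPass paths in an httpd.conf that are not covered
# by a <Location> block containing both AuthType and a restrictive Require.
# unprotected_proxy_paths is a hypothetical helper name; paths are compared
# by exact string match, which is how the hack above pairs them.
#
# Usage: unprotected_proxy_paths /etc/httpd/conf/httpd.conf
unprotected_proxy_paths() {
    awk '
        /^[ \t]*#/ { next }                  # ignore commented-out directives

        # "ProxyPass /tivoweb http://tivo/" -> remember /tivoweb.
        # ProxyPassReverse does not match: the comparison is on the whole word.
        tolower($1) == "proxypass" { proxied[$2] = 1; next }

        # "<Location /tivoweb>" opens a block; strip ">" and optional quotes.
        tolower($1) == "<location" {
            loc = $2
            gsub(/[">]/, "", loc)
            has_type = 0
            has_req = 0
            next
        }

        # Only directives inside a <Location> block count.
        loc != "" && tolower($1) == "authtype" { has_type = 1 }

        # "Require all granted" lets everyone in, so it is not counted.
        loc != "" && tolower($1) == "require" && tolower($2) != "all" {
            has_req = 1
        }

        tolower($1) == "</location>" {
            if (has_type && has_req) protected[loc] = 1
            loc = ""
        }

        END {
            for (p in proxied)
                if (!(p in protected)) print p
        }
    ' "$1" | sort
}
```

Empty output means every proxied path has an authentication block; any path printed is reachable through Apache without a password prompt.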

See Also

For more information on how to restrict access under Apache, see the mod_auth documentation (http://httpd.apache.org/docs/mod/mod_auth.html). For more on the Apache Web server, you might want to consult Apache: The Definitive Guide (http://www.oreilly.com/catalog/apache3/).


   
Top


Tivo Hacks. 100 Industrial-strength Tips Tools 2003
ISBN: 1597490318
EAN: N/A
Year: 2004
Pages: 164
