Orenosp is a small, easy-to-configure SSL reverse proxy server that allows encrypted, password-authenticated access to TivoWeb. It installs itself as a service on your Windows NT/2000/XP PC (so it starts when the PC boots without requiring a logon) and is compatible with almost any web browser (including mobile phones).
Orenosp was written by Masato Kataoka, who graciously modified his program to make it compatible with TivoWeb.
Step 1: Prerequisites
Before installing a proxy server for TivoWeb, you should complete the following:
Please note: username/password authentication for TivoWeb must be disabled for Orenosp to connect. (Disabled is the default setting for TivoWeb.) With TivoWeb's own authentication off, the Orenosp password is the only thing standing between the Internet and your TiVo, so open only the Orenosp port on your router (Step 5) and never forward the TiVo's port 80 itself.
Also, there is no real advantage to configuring TivoWeb to run on a non-standard port, since it is not directly exposed to the Internet. Running TivoWeb on its default port (80) is recommended, i.e. no changes to the TivoWeb configuration file on your TiVo are necessary.
Choose an installation directory for orenosp. The recommended location is c:\program files\orenosp. Unzip the orenosp034b.zip (or later) archive into this destination directory.
Step 4: Configuring Orenosp
Edit the sproxy.conf file that is located in the c:\program files\orenosp directory. Here is a sample of how the file should appear:
# listen port
proxy_listen_name = lis-ssl 0.0.0.0@XXXXX https
# forward all requests received on lis-ssl to the origin server (TivoWeb on the TiVo, port 80)
proxy_pass_by = lis lis-ssl 192.168.XXX.XXX
# SSL: pass phrase for server private key
proxy_ssl_keypass = orenosp
First change the port on which Orenosp listens for incoming requests. Leave the first 4 numbers as 0.0.0.0. Change the number after the @ to the incoming port number.
The default port for an SSL connection is 443. A non-standard port is recommended instead: it keeps the proxy out of the automated scans that only probe well-known ports, which cuts down on noise, but it does not hide the service from anyone who scans every port, so treat it as a convenience rather than protection; the password and your own certificate (Step 6) are what protect the TiVo.
Non-standard ports would be in the range 10,000 to 40,000. Pick a number you will remember, because you will have to type it into the address bar of your browser (https://your_account.dynamic_dns_host.com:10000).
Secondly, insert the IP address of your Tivo so Orenosp knows where to forward requests.
Thirdly, for the SSL pass phrase, enter the pass phrase of the server private key being used. For the default certificate included with Orenosp, the pass phrase is as shown above (orenosp). Because that default key ships with every copy of Orenosp, it must be replaced: you will choose and enter a new pass phrase when you create your own certificate in the final step. For now, use the default.
Finally, set the username and password you want to use when accessing the Orenosp proxy before it connects to Tivoweb. You can have multiple usernames and passwords separated by commas.
Step 4A: Create the Orenosp service
Now that the sproxy.conf file has been created, open a command prompt and issue following command to create NT/Win2k/WinXP service for Orenosp:
> cd c:\program files\orenosp
> .\orenosp -kc
Note the ".\" in front of the command. Type in these symbols!
You should see the following confirmation at the command prompt:
Creating a service:
name: orenosp
path: C:\orenosp\orenosp -d -f C:\orenosp\sproxy.conf
Execute? (y/n):
Hit "y" and Enter, and a service named "orenosp" is created (but not yet started). The path in the confirmation reflects the directory Orenosp was run from; the sample above was captured from an installation in C:\orenosp, so yours will show c:\program files\orenosp.
Step 4B: Start and test the Orenosp service
Use either one of the following 2 commands to start the service:
>net start orenosp
or
>orenosp -cu
If running a personal firewall program such as ZoneAlarm, you should get a message that the program is trying to run as a server. Check the "remember this program" box and click "OK".
The service will now be running as an SSL reverse proxy. To test that it started successfully, open https://localhost:xxxxx/ or https://127.0.0.1:xxxxx/ in a browser (replace xxxxx with the port on which Orenosp is listening); after entering your username and password you should see TivoWeb. Expect a certificate warning at this point, since the browser does not trust the default certificate, and note that this only tests the proxy itself, not the router forwarding of Step 5. If the test fails, check c:\program files\orenosp\event.log.
Step 4C: Set the Orenosp service to Auto-start
The final configuration step is to change the Orenosp service startup options from manual to automatic. This will allow the service to automatically start when Windows boots:
Open "Control Panel" from the Start button
Click on "Services". With WinXP, this is located in the "Administrative Tools" folder
Find the "Orenosp" entry and double-click it to edit
For "Startup type" change the value to "Automatic"
Click on the "Recovery" tab. Set the action to "restart the service" for all options (first failure, second failure, and subsequent failures). This ensures that the service is restarted automatically if it fails for any reason. (Because Orenosp will close if any internal error occurs, it is important that the OS restarts Orenosp automatically.)
Click "OK" to finish configuration of the service.
You can also start and stop the orenosp service using this control panel applet.
Step 5: Configuring your broadband router
It will now be necessary to open a port on your broadband router from the internet to your PC. The specifics of this process differ depending on the manufacturer of the router; general steps are outlined below:
Browse to the web page used to configure your router (usually something like http://192.168.1.1) and log-on.
Go to the page that lets you configure the Virtual Server ports
Open a port to the IP address of the Windows PC that is running Orenosp.
Use the port number you entered in Step 4 when you edited the sproxy.conf file.
Running gencert.exe (see the advanced options under Notes below) does the following:
If your own private CA does not yet exist in the "c:\program files\orenosp\myca" directory, it creates one. You will be asked to enter a pass phrase to protect the CA's private key file.
If a private CA already exists, you will be asked to supply the pass phrase of the CA's private key.
It generates a certificate and private key for your server in the "myca" directory. The certificate will be named "c:\program files\orenosp\myca\certXXX.pem" and the private key "c:\program files\orenosp\myca\keyXXX.pem", where XXX is a serial number. You will be asked to enter several pieces of information for the certificate (use the DNS name of your DynamicDNS host as the server name, so the certificate matches the address you type into the browser) and a pass phrase to protect the private key file.
gencert then copies the newly generated certificate and private key into Orenosp's SSL directories (ssl.crt and ssl.key) after renaming them properly.
Step 6B:
Now edit the file c:\program files\orenosp\sproxy.conf and change proxy_ssl_keypass so that it matches the pass phrase of your new server private key.
It is important that you keep the CA directory intact (myca for gencert, demoCA for the old openssl procedure) if this process is ever to be repeated or if you want to create client certificates. Treat its private key and pass phrase as secrets: whoever holds them can issue certificates your browser will trust. See the Orenosp documentation for more information.
Now stop and restart the orenosp service by typing the following at the command prompt:
> orenosp -cd
> orenosp -cu
or
> net stop orenosp
> net start orenosp
You're done!
Notes:
Multiple Tivos/Tivowebs/Usernames/Passwords:
If you have more than one TiVo (running TivoWeb) on your LAN, you can add an additional entry in the sproxy.conf file as shown below for the additional TivoWeb. It will be accessed via a different port on the host PC, and you will have to open this additional port on your router/firewall as well. Orenosp will forward one port to tivoweb1 and the second port to tivoweb2:
# Define two listen ports
# listen port
#
proxy_listen_name = lis-ssl 0.0.0.0@10001 https
proxy_listen_name = lis-ssl2 0.0.0.0@10002 https
# forward requests received on each listen port to its own TiVo (TivoWeb, port 80)
proxy_pass_by = lis lis-ssl 192.168.xxx.xx1
proxy_pass_by = lis lis-ssl2 192.168.xxx.xx2
# for requests received at each listen port
# authenticate users using separate user-list for each port
-kc [svcname [-f adm-cfname]]
svc utility mode - create service
-kd [svcname]
svc utility mode - delete service
-cu [svcname [options]]
svc utility mode - start service
-cd [svcname]
svc utility mode - stop service
Uninstall:
Stop Orenosp service by typing the following at the command prompt:
> cd c:\program files\orenosp
> .\orenosp -cd
Delete Orenosp service:
> cd c:\program files\orenosp
> .\orenosp -kd
Delete files from c:\program files\orenosp as necessary.
gencert.exe advanced config options:
gencert.exe -gen [{-0|-1|-2}] [{-a|-n|-f}]
-0,-1,-2 : how much of info you want to put into your certificate.
-0: [default] minimum information.
only DNS name of your server and valid duration of certificate.
-1: a little more than -0.
-2: full.
-a : [default] Automatically copy generated server certificate and key into
Orenosp's SSL directories if one doesn't exist.
if one exists, asks user's permission to overwrite it.
-n : Do not copy generated server certificate and key into
Orenosp's SSL directories
-f : Copy generated server certificate and key into
Orenosp's SSL directories, overwriting any existing certificate/key files.
Notes for the old SSL Encryption Key procedure (Orenosp v0.34 and earlier)
The default encryption key/certificate used by Orenosp is available to anyone who downloads the program. It is necessary for you to create your own unique certificate. The other benefit of creating your own key and certificate is that you can set it to match the domain name of your DynamicDNS provider so you won’t get a “certificate does not match DNS name” error message.
The instructions below explain how to set up your own CA and generate server certificates using openssl. First you need to unzip opensslutl096e.zip file to your hard drive. You should use the directory c:\program files\orenosp\openssl. It should contain the following files:
openssl.exe (openssl utility program)
openssl.cnf (An openssl configuration file needed when generating certificates.)
CA.pl (A perl script to facilitate CA creation. Calls openssl.exe internally.)
You will also need to extract two files from the Perl runtime library to the same directory. Extract the following 2 files from the indigoperl-5.6.zip file and place them in the same directory as the openssl files:
PERL56.DLL (The perl dynamic link library needed for PERL.EXE)
PERL.EXE (The executable file needed to run the perl script to create the CA.)
Old Step 6A: Download and set the OPENSSL_CONF environment variable
Extract the zip files to a known directory location, such as the one shown below.
Set the location of the openssl.cnf file via an environment variable:
>cd c:\progra~1\orenosp\openssl
>set OPENSSL_CONF=c:\progra~1\orenosp\openssl\openssl.cnf
When you follow the procedures below, be sure that the OPENSSL_CONF environment is correctly set.
Old Step 6B: Make a new CA certificate and private key.
Type the following at the command prompt:
> perl CA.pl -newca
During this process, you will be asked:
CA certificate filename (or enter to create): just press Enter
PEM pass phrase(password): for private key for new CA
values for the attributes of the CA certificate: some values are required even for a test CA
To give you an example of values to use for the required fields:
Country Name (C) = US
Organization Name (O) = home-servers-org
Organizational Unit Name (OU) = me-here
Common Name (CN) = Test-CA
Other fields are optional and you can leave them blank.
Note:Write down each of the values entered! You will need to enter most of them again later!
Old Step 6C: Make a private key for server
Type the following at the command prompt:
> openssl genrsa -des3 -out newkey.pem 1024
It will ask you to enter a pass phrase for the private key of the new server certificate. Be sure to remember this pass phrase; it is the value proxy_ssl_keypass must hold.
Note: 1024-bit RSA keys are considered too weak today; use 2048 (or larger) in place of 1024 above. When running the command you may see "warning, not much extra random data, consider using the -rand option"; the openssl random number generator is nevertheless correctly initialized, so this can be ignored.
Old Step 6D: Create a CSR (certificate signing request) for your server
You will be asked for:
- the pass phrase of the CA private key ("cakey.pem"), which you typed in Old Step 6B
If this step is successful, you will be asked:
- Sign the certificate? [y/n]:y
- 1 out of 1 certificate requests certified, commit? [y/n]:y
You will then see:
- Write out database with 1 new entries
- Data Base Updated
In c:\program files\orenosp\openssl directory, you'll find :
svcert.pem : server certificate for your server
newkey.pem : private key for server certificate
newreq.pem : CSR (no longer necessary)
Rename the new file c:\program files\orenosp\openssl\svcert.pem to server.crt
Rename the old file c:\program files\orenosp\ssl.crt\server.crt to server.crt.old
Copy the new server.crt into the c:\program files\orenosp\ssl.crt directory, where the old file was located.
Rename c:\program files\orenosp\openssl\newkey.pem to server.key
Rename the old file c:\program files\orenosp\ssl.key\server.key to server.key.old
Copy c:\program files\orenosp\openssl\server.key into the c:\program files\orenosp\ssl.key directory, where the old file was located.
Sample of the commands necessary to accomplish the steps above (the paths contain spaces, so they are quoted):
> c:
> cd "c:\program files\orenosp\openssl"
> copy svcert.pem server.crt
> copy newkey.pem server.key
> cd "c:\program files\orenosp\ssl.crt"
> move server.crt server.crt.old
> cd "c:\program files\orenosp\ssl.key"
> move server.key server.key.old
> copy "c:\program files\orenosp\openssl\server.crt" "c:\program files\orenosp\ssl.crt\"
> copy "c:\program files\orenosp\openssl\server.key" "c:\program files\orenosp\ssl.key\"
Now edit the file c:\program files\orenosp\sproxy.conf and change proxy_ssl_keypass so that it matches the pass phrase you chose for newkey.pem in Old Step 6C.
It is important that you keep the CA database (demoCA) intact if this process is ever to be repeated or if you want to create client certificates. Treat its private key and pass phrase as secrets: whoever holds them can issue certificates your browser will trust. See the Orenosp documentation for more information.
Now stop and restart the orenosp service by typing the following at the command prompt:
> orenosp -cd
> orenosp -cu
or
> net stop orenosp
> net start orenosp