Web server
From SpinetiX Support Wiki
This page covers the use of external web servers by the player. See also the player's embedded web server page.
Introduction
"Web server" can refer to hardware, to software, or to both working together.
- On the hardware side, a web server is a computer that stores web server software and files (like HTML documents, images, videos, CSS and JavaScript files, etc.). It is connected to the Internet / local network and supports physical data interchange with other devices connected to the web / LAN.
- On the software side, a web server includes several parts that control how web clients access hosted files, at minimum an HTTP server. An HTTP server is a piece of software that understands URLs (web addresses) and HTTP (the protocol your browser uses to view webpages). It can be accessed through the domain names (like mozilla.org) of websites it stores, and delivers their content to the end-user's device.
At the most basic level, whenever a client (e.g., browser) needs a file which is hosted on a web server, the client requests the file via HTTP. When the request reaches the correct web server (hardware), the HTTP server (software) accepts the request, finds the requested file (if it doesn't then a 404 response is returned), and sends it back to the client, also through HTTP.
Apache and Microsoft IIS are the most common web servers, but any other product can be used as long as it is HTTP compliant.
SpinetiX players feature an embedded web server (based on Apache) offering access to different player applications such as: player web interface, player content server, player APIs.
Transfer protocols
SpinetiX players can retrieve content from web servers via HTTP, HTTPS, and WebDAV application protocols.
- WebDAV is an extension of the HTTP protocol that allows reading (and writing) files on a web server; the player uses it (the WebDAV PROPFIND method) to obtain the list of files at a server location, for media files widgets and for some content pull methods.
- Other protocols like FTP, NFS or SMB/CIFS are not supported by the HMP.
- Although you can publish content on an FTP server or on a Windows Shared Folder (accessible via UNC path) from Elementi M and X (see Publish Location page), the HMP can only access those locations via HTTP.
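The WebDAV listing exchange described above, as an added example that is not SpinetiX code: build_propfind() produces the request a client sends to list one folder level, and parse_multistatus() reads the 207 Multi-Status reply the server returns. The reply, host name and file names are constructed for the example, not captured from a real server.

```python
"""Added example (not SpinetiX code): the WebDAV exchange used to list a
server directory.  The 207 reply below is a constructed sample."""
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urlsplit

DAV = "{DAV:}"  # ElementTree Clark notation for the WebDAV namespace

# PROPFIND body asking only for the properties needed to list a folder.
PROPFIND_BODY = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<D:propfind xmlns:D="DAV:"><D:prop>'
    "<D:resourcetype/><D:getcontentlength/><D:getlastmodified/>"
    "</D:prop></D:propfind>"
)


def build_propfind(host: str, path: str) -> bytes:
    """Return the raw HTTP/1.1 PROPFIND request for one directory level.

    Depth: 1 lists the collection and its direct children.  Depth: infinity
    would walk the whole tree and is refused by most servers.
    """
    body = PROPFIND_BODY.encode()
    head = (
        f"PROPFIND {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Depth: 1\r\n"
        "Content-Type: application/xml; charset=utf-8\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n\r\n"
    )
    return head.encode() + body


def parse_multistatus(xml_text: str, request_path: str) -> list:
    """Turn a 207 Multi-Status body into a list of child entries.

    The collection itself is also returned by the server and is skipped.
    Hrefs may be absolute URLs or percent-encoded paths; both are
    normalised to a decoded path before comparison.
    """
    root = ET.fromstring(xml_text)
    entries = []
    for resp in root.findall(f"{DAV}response"):
        href = resp.findtext(f"{DAV}href") or ""
        path = unquote(urlsplit(href).path)
        if path.rstrip("/") == request_path.rstrip("/"):
            continue  # the folder being listed, not a child
        prop = resp.find(f"{DAV}propstat/{DAV}prop")
        if prop is None:
            continue
        is_dir = prop.find(f"{DAV}resourcetype/{DAV}collection") is not None
        size = prop.findtext(f"{DAV}getcontentlength")
        entries.append({
            "name": path.rstrip("/").rsplit("/", 1)[-1],
            "is_collection": is_dir,
            "size": int(size) if size else None,
            "modified": prop.findtext(f"{DAV}getlastmodified"),
        })
    return entries


# Constructed sample reply to "PROPFIND /media/" with Depth: 1; hostnames
# and files are hypothetical, the shape matches what Apache mod_dav sends.
SAMPLE_207 = """<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:">
 <D:response><D:href>/media/</D:href><D:propstat><D:prop>
  <D:resourcetype><D:collection/></D:resourcetype>
 </D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response>
 <D:response><D:href>/media/clip%201.mp4</D:href><D:propstat><D:prop>
  <D:resourcetype/><D:getcontentlength>1048576</D:getcontentlength>
  <D:getlastmodified>Mon, 01 Jan 2024 10:00:00 GMT</D:getlastmodified>
 </D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response>
 <D:response><D:href>http://www.example.com/media/archive/</D:href><D:propstat><D:prop>
  <D:resourcetype><D:collection/></D:resourcetype>
 </D:prop><D:status>HTTP/1.1 200 OK</D:status></D:propstat></D:response>
</D:multistatus>"""

if __name__ == "__main__":
    print(build_propfind("www.example.com", "/media/").decode())
    for entry in parse_multistatus(SAMPLE_207, "/media/"):
        print(entry)
```

If the server answers a PROPFIND with 405 Method Not Allowed or 403, WebDAV is not enabled for that location (on Apache, `Dav On` inside the matching `<Location>` or `<Directory>` block); a plain GET of the same folder succeeding does not mean the listing will work.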
HTTPS
All player models are able to access remote resources via HTTPS.
- The list of trusted root certificates matches that of Firefox (the Mozilla root store). Certificate validation can be controlled from the Control Center ⇾ Network ⇾ Trusted Certificates page.
- SSL with name-based virtual hosts using Server Name Indication (SNI) is supported starting with firmware 3.1.0; older firmware sends no SNI, so the server answers with its default virtual host's certificate.
- The OpenSSL version used by the player is not affected by the Heartbleed bug (CVE-2014-0160).
Authentication
Credentials configuration
The credentials to use when accessing resources from remote servers that require authentication are configured from:
- Control Center ⇾ System ⇾ Saved Passwords on players
- Menu ⇾ Settings ⇾ Network Credentials... on Elementi
Supported authentication methods
The players support the following methods for connecting to servers requiring authentication:
- Basic access authentication
- HTTP Basic authentication (BA) implementation is the simplest technique for enforcing access controls to web resources because it doesn't require cookies, session identifiers, or login pages; rather, HTTP Basic authentication uses standard fields in the HTTP header, obviating the need for handshakes. The BA mechanism provides no confidentiality protection for the transmitted credentials. They are merely encoded with Base64 in transit, but not encrypted or hashed in any way. HTTPS is, therefore, typically preferred over or used in conjunction with Basic Authentication.
- Digest access authentication
- Digest access authentication is one of the agreed-upon methods a web server can use to negotiate credentials, such as a username and password. It applies a hash function to the username and password before sending them over the network, whereas basic access authentication uses the easily reversible Base64 encoding, making it insecure unless used in conjunction with SSL. Technically, digest authentication is an application of MD5 cryptographic hashing together with nonce values to prevent replay attacks. Note that it protects only the password: the request and response themselves are still sent in clear, and MD5-based digests can be brute-forced offline by anyone who captures them, so HTTPS is still recommended.
- NTLM (added in firmware 3.2.0)
- NT LAN Manager (NTLM) is a suite of Microsoft security protocols that provides authentication, integrity, and confidentiality to users. NTLM is a challenge-response authentication protocol which uses three messages to authenticate a client in a connection oriented environment (connectionless is similar), and a fourth additional message if integrity is desired. NTLM is supported only over secured HTTP connections. Note that NTLM is an insecure protocol when not over SSL.
- Form-based authentication (added in firmware 4.5.0)
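What the Basic and Digest schemes above actually put on the wire, as an added example that is not SpinetiX code: basic_authorization() shows that Basic is only Base64 encoding (basic_decode() reverses it), and digest_authorization() computes the MD5 response for a qop=auth challenge. The credentials and challenge are the RFC 2617 worked examples (user Mufasa, realm testrealm@host.com), constructed here rather than captured from a server, so the results can be checked against the standard.

```python
"""Added example (not SpinetiX code): Basic and Digest Authorization headers
as the player would send them.  Inputs are the RFC 2617 sample values."""
import base64
import hashlib
import re


def basic_authorization(user: str, password: str) -> str:
    """Basic: 'user:password' Base64-encoded.  Anyone who sees this header
    recovers the password, hence the need for HTTPS."""
    token = base64.b64encode(f"{user}:{password}".encode("latin-1")).decode()
    return f"Basic {token}"


def basic_decode(header: str) -> tuple:
    """Reverse of the above: Basic is encoding, not encryption."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode("latin-1")
    user, _, password = raw.partition(":")
    return user, password


def parse_challenge(www_authenticate: str) -> dict:
    """Split a 'Digest k="v", k=v, ...' WWW-Authenticate header into a dict."""
    scheme, _, params = www_authenticate.partition(" ")
    fields = {"scheme": scheme}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]*))', params):
        fields[key] = quoted or bare
    return fields


def digest_authorization(user: str, password: str, method: str, uri: str,
                         challenge: dict, cnonce: str, nc: int = 1) -> str:
    """Digest with qop=auth (RFC 2617): the password is hashed together with
    the server nonce, so it never crosses the wire, and the nonce/nc pair
    lets the server reject replays.  MD5 only, as the page describes."""
    def md5(s: str) -> str:
        return hashlib.md5(s.encode("latin-1")).hexdigest()

    realm, nonce = challenge["realm"], challenge["nonce"]
    ha1 = md5(f"{user}:{realm}:{password}")
    ha2 = md5(f"{method}:{uri}")
    nc_hex = f"{nc:08x}"
    response = md5(f"{ha1}:{nonce}:{nc_hex}:{cnonce}:auth:{ha2}")
    parts = [
        f'username="{user}"', f'realm="{realm}"', f'nonce="{nonce}"',
        f'uri="{uri}"', "qop=auth", f"nc={nc_hex}", f'cnonce="{cnonce}"',
        f'response="{response}"',
    ]
    if "opaque" in challenge:  # must be echoed back unchanged
        parts.append(f'opaque="{challenge["opaque"]}"')
    return "Digest " + ", ".join(parts)


# Constructed 401 challenge, taken from RFC 2617 section 3.5.
CHALLENGE = ('Digest realm="testrealm@host.com", qop="auth,auth-int", '
             'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
             'opaque="5ccc069c403ebaf9f0171e9517f40e41"')

if __name__ == "__main__":
    print(basic_authorization("Aladdin", "open sesame"))
    print(digest_authorization("Mufasa", "Circle Of Life", "GET", "/dir/index.html",
                               parse_challenge(CHALLENGE), cnonce="0a4f113b"))
```

The Digest response only covers the method and URI, not the request body or the server's reply, and MD5 gives no protection against offline guessing of a weak password once a capture is obtained; treat Digest as a slight improvement over Basic on plain HTTP, not as a substitute for HTTPS.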
Non-supported authentication methods
Other authentication methods like Kerberos, Integrated Windows Authentication, or SPNEGO are not supported.
- Many Microsoft-based web services, including SharePoint and Exchange, use Integrated Windows Authentication by default; this must be changed for the whole site so that one of the supported methods (Basic, Digest or NTLM) is offered instead.
- See the security considerations page for the reasons why using FORM-based authentication with the HMP is not a good idea.
Troubleshooting
SSL errors
- Server certificate verification failed: certificate has expired
- This happens when the server certificate is no longer valid; to solve this, a new server certificate must be issued. Validity is checked against the player's clock, so also make sure the player's date and time are correct before replacing a certificate that looks valid elsewhere.
- Server certificate verification failed: certificate issued for a different hostname
- This happens when the server name used in the URL does not match any name in the SSL certificate (its Subject Alternative Name entries or, for old certificates, its Common Name), for instance when the server's IP address is used instead of its hostname. To solve this, use the server name exactly as it appears in the SSL certificate.
- Server certificate verification failed: issuer is not trusted
- This happens when the root certificate of the server's chain is not in the player's built-in database of public certification authority roots, for instance when the certificate was issued by a private or enterprise-internal certification authority. To solve this, add that root certificate to the player from Control Center ⇾ Network ⇾ Trusted Certificates. Add the CA's root (or the issuing intermediate) certificate only, never the server's own certificate or private key.
- SSL handshake failed: SSL error code -1/1/336032856
- This can happen when the hostname reported by the server does not match the hostname in the SSL certificate. Make sure your server configuration uses correct values for "ServerName" and "NameVirtualHost" (on Apache 2.4, "NameVirtualHost" is no longer needed and is ignored). When several HTTPS virtual hosts share one IP address, the player must be on firmware 3.1.0 or later so that it sends the SNI extension; otherwise the server can only present its default virtual host's certificate.
- SSL handshake failed: SSL error: unknown message digest algorithm
- The sha256WithRSAEncryption signature algorithm was not supported before the 3.1.0 release. The solution is to update the firmware on the HMP; generating the certificate with sha1WithRSAEncryption instead is a last resort for players that cannot be updated, since SHA-1 signatures are rejected by current browsers and no longer issued by public certification authorities.
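The three certificate checks behind the errors above (validity period, hostname match, trusted issuer) reproduced on a certificate as Python's ssl module presents it, as an added example that is not SpinetiX code. diagnose() runs the checks on a getpeercert()-style dictionary and returns the player's error text for the first one that fails; probe() performs a real handshake with SNI and an optional private CA file, the fix for the "issuer is not trusted" case. The sample certificate, hostnames and CA name are constructed, and the issuer check is a simplified stand-in for full chain building, which a real verifier does.

```python
"""Added example (not SpinetiX code): classify certificate problems the way
the player reports them.  SAMPLE_CERT is a constructed certificate dict in
the shape returned by ssl.SSLSocket.getpeercert()."""
import ipaddress
import socket
import ssl
import time
from typing import Optional

OK = "OK"
EXPIRED = "certificate has expired"
WRONG_HOST = "certificate issued for a different hostname"
UNTRUSTED = "issuer is not trusted"


def _dn(rdns) -> dict:
    """Flatten getpeercert()'s nested distinguished-name tuples."""
    return {k: v for rdn in rdns for k, v in rdn}


def _name_matches(pattern: str, host: str) -> bool:
    """DNS-ID match: exact, or a wildcard covering the leftmost label only."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def host_in_cert(cert: dict, server_name: str) -> bool:
    """An IP literal only matches an 'IP Address' SAN entry, never a DNS
    name, which is why reaching a host-named certificate by IP fails."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(server_name)
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans)
    except ValueError:
        pass  # not an IP literal, fall through to DNS matching
    dns_names = [v for k, v in sans if k == "DNS"]
    if not dns_names:  # legacy fallback: commonName only when no SAN exists
        dns_names = [_dn(cert.get("subject", ())).get("commonName", "")]
    return any(_name_matches(p, server_name) for p in dns_names)


def diagnose(cert: dict, server_name: str, trusted_issuers: set,
             now: Optional[float] = None) -> str:
    """Return OK or the player's error text for the first failing check."""
    now = time.time() if now is None else now
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        return EXPIRED
    if not host_in_cert(cert, server_name):
        return WRONG_HOST
    # Simplified trust check: a real verifier builds a chain up to a root in
    # the player's store; here the issuer's CN being in trusted_issuers
    # stands in for that.
    if _dn(cert.get("issuer", ())).get("commonName") not in trusted_issuers:
        return UNTRUSTED
    return OK


def probe(host: str, server_name: Optional[str] = None, port: int = 443,
          cafile: Optional[str] = None, timeout: float = 5.0) -> tuple:
    """Live handshake with SNI set to server_name (defaults to host), like a
    firmware >= 3.1.0 player.  cafile adds a private CA to the trust store.
    Needs network access; not exercised by the offline checks."""
    ctx = ssl.create_default_context(cafile=cafile)
    sni = server_name or host
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                return OK, tls.version() or ""
    except ssl.SSLCertVerificationError as e:
        return "Server certificate verification failed", e.verify_message
    except ssl.SSLError as e:
        return "SSL handshake failed", str(e)


# Constructed sample (hypothetical hostnames and CA), shaped like the
# dictionary ssl.SSLSocket.getpeercert() returns for a verified peer.
SAMPLE_CERT = {
    "subject": ((("commonName", "signage.example.com"),),),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", "Example Internal CA"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "signage.example.com"), ("DNS", "*.cdn.example.com")),
}

if __name__ == "__main__":
    trusted = {"Example Internal CA"}
    for name in ("signage.example.com", "192.0.2.10", "a.cdn.example.com"):
        print(name, "->", diagnose(SAMPLE_CERT, name, trusted))
```

Calling probe("signage.example.com") against a server whose certificate was issued by an internal CA returns the verification failure; probe("signage.example.com", cafile="internal-ca.pem") with the CA's root PEM (a hypothetical file name) succeeds, which is the same change the Trusted Certificates page makes on the player.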