Reflector requirement for Alexa Skill

Posted on
Fri Jun 18, 2021 10:15 am
ryanbuckner offline
Posts: 1074
Joined: Oct 08, 2011
Location: Northern Virginia

Reflector requirement for Alexa Skill

I don't use the reflector for access to Indigo from outside my firewall. Instead I port forward incoming traffic and use dyn services. Do I have to use the reflector? And what are the pros and cons?

Posted on
Fri Jun 18, 2021 10:29 am
jay (support) offline
Site Admin
Posts: 18199
Joined: Mar 19, 2008
Location: Austin, Texas

Re: Reflector requirement for Alexa Skill

Yes, you have to use the reflector because of how Amazon requires account linking to work. You can activate your reflector but only use it for Alexa if you like (and continue to use port forward/dynamic DNS for all other communication).

Note: the skill is currently unavailable; monitor this forum topic for the latest updates.

Jay (Indigo Support)

Posted on
Fri Jun 18, 2021 11:12 am
ryanbuckner offline
Posts: 1074
Joined: Oct 08, 2011
Location: Northern Virginia

Re: Reflector requirement for Alexa Skill

jay (support) wrote:
Yes, you have to use the reflector because of how Amazon requires account linking to work. You can activate your reflector but only use it for Alexa if you like.

Note: the skill is currently unavailable; monitor this forum topic for the latest updates.


Thanks! Looks like I can use them both at once. The skill is currently working for me.

Posted on
Tue Aug 03, 2021 8:25 am
joel.snyder offline
Posts: 28
Joined: Aug 31, 2016

Re: Reflector requirement for Alexa Skill

Hi, I have a similar requirement: I really don't want the reflector for inbound access to my HA system. Not that I don't trust you folks to never have a bug ever in any web interface, but, you know how it is with old cranky people who have been burned.

So the question is: how do I activate reflector ONLY for Alexa?
In the GUI it seems like I can turn on the reflector, which looks like it activates web services automatically (with no option to disable). What are the steps to turn on reflector just for the tunnel for the Alexa integration but not enable remote client or remote web access?

Thanks,

Joel

Posted on
Tue Aug 03, 2021 12:50 pm
jay (support) offline
Site Admin
Posts: 18199
Joined: Mar 19, 2008
Location: Austin, Texas

Re: Reflector requirement for Alexa Skill

That's not possible - the reflector is an SSH tunnel pass-through from the internet to the Indigo web server - we don't know where the requests are coming from as a matter of security/privacy.

The comment above wasn't meant to imply there was some technical capability to limit reflector use, only that you can use other means (port forwarding, etc.) to get to the web server rather than using the reflector. I've edited the post for clarity.

Jay (Indigo Support)

Posted on
Tue Aug 03, 2021 1:41 pm
matt (support) offline
Site Admin
Posts: 21411
Joined: Jan 27, 2003
Location: Texas

Re: Reflector requirement for Alexa Skill

I'm not sure how much real additional security it will get you, but you could make your reflector name long and random-ish (note it has to be alpha-numeric characters only). We never make public reflector names, so if you make it complex then your reflector won't be known/guessable to any nefarious bots.


Posted on
Sun Aug 08, 2021 9:23 am
joel.snyder offline
Posts: 28
Joined: Aug 31, 2016

Re: Reflector requirement for Alexa Skill

Thanks for the clarifications and insights. That helps me to understand better the risk.

Just some ideas for a future version of the reflector: if the connection (tunneled) back to the Indigo server has to be enabled from Amazon AWS-land, it would be possible to reduce the attack surface significantly by using either known IPs of AWS data centers or a GeoIP database. You wouldn't want to hassle too much to be super-precise, which is a maintenance headache, but you could offer a check-box in the GUI (at the Reflector end) that only allows traffic that is "likely" to be from AWS.

Not sure if you have an industry standard firewall in front of the Reflector boxes, but most of the UTM devices have this sort of capability built-in. And if the reflector devices are actually 'in the cloud,' most cloud IaaS providers also have this kind of GeoIP that you could activate. Of course, the issue would be separating out customers who want versus who don't want and dealing with transition time between "protected" and "non-protected" but ... it is something you could do which wouldn't be especially challenging from an InfoSec point of view.
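
Added example, not part of the original thread and not Indigo's code: a sketch of the source-address check suggested in the post above, assuming the reflector operator loads a range list in the layout of AWS's published ip-ranges.json. The function names and the sample data (documentation CIDRs, not real AWS prefixes) are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample in the layout of AWS's published ip-ranges.json.
# The CIDRs are documentation ranges (RFC 5737 / RFC 3849), not real AWS prefixes.
SAMPLE_RANGES = json.loads("""
{
  "syncToken": "0",
  "createDate": "2021-08-08-00-00-00",
  "prefixes": [
    {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "AMAZON"},
    {"ip_prefix": "198.51.100.0/25", "region": "us-east-1", "service": "EC2"},
    {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1", "service": "AMAZON"}
  ],
  "ipv6_prefixes": [
    {"ipv6_prefix": "2001:db8:100::/40", "region": "us-east-1", "service": "AMAZON"}
  ]
}
""")


def build_allowlist(doc, regions=None, services=None):
    """Collect networks from the document, optionally filtered by region/service."""
    nets = []
    for key, field in (("prefixes", "ip_prefix"), ("ipv6_prefixes", "ipv6_prefix")):
        for entry in doc.get(key, []):
            if regions and entry.get("region") not in regions:
                continue
            if services and entry.get("service") not in services:
                continue
            nets.append(ipaddress.ip_network(entry[field]))
    return nets


def is_allowed(source_ip, allowlist):
    """True if source_ip is inside an allowlisted network; bad input is denied."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d; unwrap them
    # so they are matched against the IPv4 prefixes.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net for net in allowlist)
```

A match only shows that the source sits inside the listed address space, which is shared by every tenant of that cloud, so the check narrows exposure rather than authenticating the caller.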
