Appendix I. Security Measures
This appendix describes the security measures to take when using BRAVIA Signage.
Network Security Measures
BRAVIA Signage is assumed to be used on a network that is secured by an appropriately managed reverse proxy. Implement security measures appropriate to the environment in which it is used.
Encrypting Transmissions
Since BRAVIA Signage Server doesn’t support SSL/TLS encrypted transmissions, there is a risk that transmitted content may be intercepted or manipulated. Use a reverse proxy to encrypt transmissions from operation PCs and BRAVIA Signage Player to BRAVIA Signage Server and the contents servers.
Access Restriction
To avoid risks such as unauthorized access to the BRAVIA Signage Server management screen by users with malicious intentions, authenticate access from the operation PC using the BRAVIA Signage Server authentication function or the reverse proxy (*). Additionally, to prevent direct access to the server PC that bypasses the reverse proxy, set a firewall rule on the server PC that rejects transmissions that do not pass through the reverse proxy.
* Authentication is not supported for connections between BRAVIA Signage Player and BRAVIA Signage Server.
Setting Examples of Reverse Proxy and Firewall
This section explains how to set up a reverse proxy and firewall on the same PC as BRAVIA Signage Server and the contents server. It assumes the port numbers are in their default state: BRAVIA Signage Server uses 8080 and the contents server uses 80.
Constructing a Reverse Proxy That Uses Nginx
This procedure introduces transmission encryption and user authentication by means of a reverse proxy.
- Download Nginx and install it on the server PC.
    - https://nginx.org/en/download.html
- Acquire or create a server certificate and secret key, and apply HTTPS settings to Nginx.
    - Reference: https://nginx.org/en/docs/http/configuring_https_servers.html
    - If you have applied the signature method, securely manage the secret key and make sure to prevent unauthorized use.
- Create a user file (.htpasswd) and apply user authentication settings to Nginx.
    - Reference: https://nginx.org/en/docs/http/ngx_http_auth_basic_module.html
Setting file example:
This setting forwards port 443 to port 80, which is used by the contents server, and port 8000 to port 8080, which is used by BRAVIA Signage Server.
server {
    listen 443 ssl;
    # Server certificate, secret key
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/private-key.pem;
    location / {
        # Specify the server host
        proxy_pass http://localhost:80;
    }
}
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}
server {
    listen 8000 ssl;
    # Server certificate, secret key
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/private-key.pem;
    location /socket.io-player/ {
        # Connection from BRAVIA Signage Player
        proxy_pass http://localhost:8080/socket.io-player/;
        # Settings required for WebSocket connection from BRAVIA Signage Server
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
    location / {
        # Access to the management screen
        proxy_pass http://localhost:8080;
        # User Authentication
        auth_basic "Basic Authentication";
        auth_basic_user_file .htpasswd;
    }
}
Windows Firewall Setting Examples
Use the server PC's firewall to restrict direct access from clients to the server PC that bypasses the reverse proxy.
Setting through GUI
- Open Windows firewall settings
    - Windows Settings > Update and Security > Windows Security > Firewall and Network Protection
- Create a new rule and block transmissions on the ports used by the servers
    - Select Inbound Rules > Action > New Rule
    - Select “Port”
    - Specify the BRAVIA Signage Server and contents server port numbers (80 and 8080) with TCP
    - Select “Block the connection”
    - Select any profile to apply the rule to
    - Give the rule a name and press Finish
Setting through commands
- Open the command prompt with administrator privileges
- Add a firewall rule that restricts access to ports 80 and 8080 from the command line
    netsh advfirewall firewall add rule name="Restriction policy for access to XX servers" dir=in action=block protocol=TCP localport=80,8080
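A check to run after applying the reverse proxy and firewall settings above, added here as an example and not part of the BRAVIA Signage documentation or software: it confirms that ports 80 and 8080 are unreachable, that 443 and 8000 answer over TLS, and that the management screen on 8000 returns 401 without credentials. The function names and the `verify` switch are assumptions of this example; the port numbers are the ones used in the setting examples.

```python
import socket
import ssl
import sys

DIRECT_PORTS = (80, 8080)   # backend ports the firewall rule should block
PROXY_PORTS = (443, 8000)   # Nginx TLS listeners from the setting file example

def tcp_open(host, port, timeout=3.0):
    """Return True if a plain TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def tls_status(host, port, timeout=3.0, verify=True):
    """Return the HTTP status of GET / over TLS, or None if TLS/HTTP fails."""
    ctx = ssl.create_default_context()
    if not verify:  # assumption: only for a self-signed test certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(request.encode())
                return int(tls.recv(4096).split(b"\r\n", 1)[0].split()[1])
    except (OSError, ValueError, IndexError):
        return None

def evaluate(direct_open, proxy_status):
    """Turn raw observations into a list of findings (empty list = pass)."""
    findings = [f"port {p}: reachable directly, firewall block rule not effective"
                for p, is_open in direct_open.items() if is_open]
    findings += [f"port {p}: no HTTPS response, check Nginx listener and certificate"
                 for p, status in proxy_status.items() if status is None]
    if proxy_status.get(8000) not in (None, 401):
        findings.append("port 8000: management screen answered without authentication")
    return findings

def check(host, verify=True):  # probe one server PC and return the findings
    direct = {p: tcp_open(host, p) for p in DIRECT_PORTS}
    proxied = {p: tls_status(host, p, verify=verify) for p in PROXY_PORTS}
    return evaluate(direct, proxied)

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: python check_proxy.py <server-pc-hostname>")
    print("\n".join(check(sys.argv[1]) or ["all checks passed"]))
```

Run it from an operation PC rather than on the server PC, so that the connections actually cross the server PC's firewall.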
BRAVIA Signage Setting Change
Introducing the reverse proxy changes the server URL. After changing it, refer to the following and perform the required settings on BRAVIA Signage Server and BRAVIA Signage Player.
User Guide (Advanced Use) > 1. Advanced Use (Application) > 1.3. Change Contents Library URL