ssl server setup
the musikcube server plugin does not support ssl by default. while it is technically feasible, it would (1) bloat the distribution, and (2) require quite a bit more configuration infrastructure than i want to add and support right now.
if ssl is desired, one can easily configure ssl termination using nginx or similar software.
the following instructions detail configuring ssl termination using nginx and let's encrypt on a raspberry pi.
first, install nginx:

```sh
sudo apt-get install nginx
```
next, let's install certbot. we will use this to obtain ssl certificates from letsencrypt:

```sh
echo 'deb http://httpredir.debian.org/debian jessie-backports main contrib non-free' | sudo tee -a /etc/apt/sources.list.d/jessie-backports.list
sudo apt-get update
sudo apt-get install certbot -t jessie-backports
```
note1: ensure the host running the musikcube server can accept inbound connections on ports 443 and 80 (certbot's standalone mode answers the letsencrypt challenge on them).

```sh
sudo certbot certonly --standalone
```

note2: your machine no longer needs to accept connections on ports 443 or 80 once the certificates are downloaded.

let nginx's `www-data` group traverse the certificate directory:

```sh
sudo chgrp www-data /etc/letsencrypt/live
sudo chmod 750 /etc/letsencrypt/live
```
note3: letsencrypt will email you when your cert is about to expire. when that happens:

- shut down nginx if it's still running
- forward ports 443 and 80 to your host again
- run `sudo letsencrypt renew`
- shut down the forwarded ports!
now create the nginx site configuration:

```sh
sudo vim /etc/nginx/sites-available/musikcube
```

```nginx
# web socket (metadata) server
server {
    listen 7907 ssl;
    server_name <hostname>;
    ssl on;  # redundant with "listen ... ssl"; deprecated since nginx 1.15 and removed in later releases
    ssl_certificate /etc/letsencrypt/live/<hostname>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<hostname>/privkey.pem;
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 10m;
    ssl_prefer_server_ciphers on;
    # TLSv1 and TLSv1.1 are only needed for very old clients; drop them if none of yours require them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

    location / {
        # pass the websocket upgrade through to the plain-text metadata server on 7905
        proxy_pass http://127.0.0.1:7905;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# audio (file) server
server {
    listen 7908 ssl;
    server_name <hostname>;
    ssl on;  # same note as above
    ssl_certificate /etc/letsencrypt/live/<hostname>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<hostname>/privkey.pem;
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 10m;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

    location / {
        # plain reverse proxy to the audio server on 7906; the headers let it see the real client
        proxy_pass http://127.0.0.1:7906;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```
enable the site and restart nginx:

```sh
sudo ln -s /etc/nginx/sites-available/musikcube /etc/nginx/sites-enabled/
sudo /etc/init.d/nginx restart
```
you can now use ports 7907 and 7908 in the musikdroid client -- just make sure to enable ssl in the settings!
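to check a site file like the one above for the settings a practitioner would flag today (the deprecated `ssl on`, TLS 1.0/1.1, 3DES suites), here is an added python audit that is not part of musikcube or this wiki; the config embedded in it is a constructed, shortened excerpt of the 7907 block above, and `harden()` rewrites it to TLS 1.2 only with the weak suites removed.

```python
import re

# constructed sample: a shortened copy of the TLS directives in the 7907 server block above
SAMPLE_CONF = """\
server {
    listen 7907 ssl;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+3DES:DH+3DES:RSA+3DES:!aNULL:!MD5:!DSS;
}
"""
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_TOKENS = {"3DES", "RC4", "MD5", "NULL", "EXPORT"}

def tls_directives(conf):
    """Return (name, value) for every ssl* directive; comments and block braces are ignored."""
    return re.findall(r"^\s*(ssl\w*)\s+([^;#]*);", conf, re.M)

def weak_suite(token):
    """True for an OpenSSL cipher-string token that enables a weak primitive ('!X' exclusions never are)."""
    if token.startswith("!"):
        return False
    return bool(set(re.split(r"[+-]", token)) & WEAK_CIPHER_TOKENS)

def audit_tls(conf):
    """Return a list of findings; an empty list means the checked settings look sane."""
    findings = []
    for name, value in tls_directives(conf):
        if name == "ssl" and value == "on":
            findings.append("'ssl on' is deprecated; 'listen ... ssl' already enables TLS")
        elif name == "ssl_protocols":
            weak = sorted(set(value.split()) & WEAK_PROTOCOLS)
            if weak:
                findings.append("weak protocols enabled: " + ", ".join(weak))
        elif name == "ssl_ciphers":
            findings += ["weak cipher suite enabled: " + t for t in value.split(":") if weak_suite(t)]
    return findings

def harden(conf):
    """Rewrite the config so audit_tls() is clean: drop 'ssl on', TLS 1.2 only, no weak suites."""
    def fix(line):
        s = line.strip()
        if s.startswith("ssl_protocols "):
            return line.replace(s, "ssl_protocols TLSv1.2;")  # add TLSv1.3 on nginx >= 1.13 with OpenSSL 1.1.1
        if s.startswith("ssl_ciphers "):
            kept = [t for t in s[len("ssl_ciphers "):].rstrip(";").split(":") if not weak_suite(t)]
            return line.replace(s, "ssl_ciphers " + ":".join(kept) + ";")
        return line
    return "\n".join(fix(l) for l in conf.splitlines() if l.strip() != "ssl on;") + "\n"
```

run `audit_tls(open("/etc/nginx/sites-available/musikcube").read())` on the real file to list what it would flag there.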