Skip to content

ssl server setup

Jump to bottom
casey langen edited this page Jul 20, 2023 · 10 revisions

overview

the musikcube server plugin does not support ssl by default. while it is technically feasible, it would (1) bloat the distribution, and (2) require quite a bit more configuration infrastructure than i want to add and support right now.

if ssl is desired, one can easily configure ssl termination using nginx or similar software.

the following instructions detail configuring ssl termination using nginx and let's encrypt on a raspberry pi.

install nginx and certbot

first, install nginx:

  • sudo apt-get install nginx

next, let's install certbot. we will use this to obtain ssl certificates from letsencrypt:

  • echo 'deb http://httpredir.debian.org/debian jessie-backports main contrib non-free' | sudo tee -a /etc/apt/sources.list.d/jessie-backports.list
  • sudo apt-get update
  • sudo apt-get install certbot -t jessie-backports

note1: ensure the host running the musikcube server can accept connections from port 443 and port 80.

  • sudo certbot certonly --standalone

note2: your machine no longer needs to accept connections from port 443 or 80 once the certificates are downloaded.

  • sudo chgrp www-data /etc/letsencrypt/live
  • sudo chmod 750 /etc/letsencrypt/live

note3: letsencrypt will email you when your cert is about to expire. when that happens:

  1. shut down ngnix if it's still running
  2. forward port 443 and 80 to your host again
  3. run sudo letsencrypt renew
  4. shut down the forwarded ports!

configure nginx

sudo vim /etc/nginx/sites-available/musikcube

# web socket (metadata) server
server {
  listen 7907 ssl;
  server_name <hostname>;

  ssl on;
  ssl_certificate /etc/letsencrypt/live/<hostname>/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/<hostname>/privkey.pem;

  ssl_session_cache shared:SSL:20m;
  ssl_session_timeout 10m;

  ssl_prefer_server_ciphers on;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

  location / {
	proxy_pass http://127.0.0.1:7905;
	proxy_http_version 1.1;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection "upgrade";
  }
}

# audio (file) server
server {
  listen 7908 ssl;
  server_name <hostname>;

  ssl on;
  ssl_certificate /etc/letsencrypt/live/<hostname>/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/<hostname>/privkey.pem;

  ssl_session_cache shared:SSL:20m;
  ssl_session_timeout 10m;

  ssl_prefer_server_ciphers on;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

  location / {
	proxy_pass http://127.0.0.1:7906;
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $scheme;
  }
}

restart nginx

  • sudo ln -s /etc/nginx/sites-available/musikcube /etc/nginx/sites-enabled/
  • sudo /etc/init.d/nginx restart

done

you can now use ports 7907 and 7908 in the musikdroid client -- just make sure to enable ssl in the settings!

Clone this wiki locally