Securing the server and other noobie questions

Postby Schmoopy » Sun Jan 21, 2018 6:36 pm

Hi all,

I'm about to take the plunge on a lifetime subscription and have a few initial questions.

First, how secure is running subsonic on my machine with "Access over the internet" turned on?
I recently purchased a lifetime of PLEX, but it doesn't seem that great as a music server. Does anyone
know the security differences between the two?

How active is development, and how long do you see this product being maintained?
I don't want to sign up if it's on its way out. Is running Airsonic and using dynamic DNS a viable
alternative, or more pain than it's worth? (No disrespect to the dev, I'd love to pay for a
product if it's being supported going into the future)

Finally, I managed to get it working with Sonos, but noticed that when I search by Artist, sometimes the list is incomplete.
If I search in Albums using the same artist name, all of the albums do show up however. Is this a known issue or
a configuration issue on my part?

Thank you all in advance!
Schmoopy
 
Posts: 3
Joined: Sun Jan 21, 2018 6:16 pm

Re: Securing the server and other noobie questions

Postby triplesixes » Sun Jan 21, 2018 8:19 pm

Hello.

Do you have all your music organized by folders and tagged correctly? I've been using Subsonic for almost 5 years and I can tell you it is a great app. By default Subsonic scans daily for new/changes to the directories you set up in the config. Somewhere in the forum, they have recommendations of folder structure. I have found making a top folder labeled "Music" and then using that as the single folder to scan works great. Then inside there make folders A B C thru Z. Inside those make folders for each artist and then inside the artists' folders place the tracks. Subsonic does a great job using that structure to do the changes to the database. You can also run a manual scan if you want to see the changes faster.

I hope this helps.
Sixes.
triplesixes
 
Posts: 17
Joined: Mon Jan 16, 2012 5:31 pm

Re: Securing the server and other noobie questions

Postby Schmoopy » Sun Jan 21, 2018 8:49 pm

Thanks Sixes,

I've run everything through Musicbrainz Picard, so it's all tagged. I've used their standard folder structure, which is topfolder/artist/album/song. It works great so far, I was just concerned about opening up the port to the world, and with the Sonos issue I encountered.

Cheers
Schmoopy
 
Posts: 3
Joined: Sun Jan 21, 2018 6:16 pm

Re: Securing the server and other noobie questions

Postby Jägs » Sun Jan 21, 2018 10:58 pm

Not to diminish the work of Sindre, but have you looked into Madsonic http://madsonic.org or Airsonic [https://airsonic.github.io/]? The reason I mention these is that while I like Subsonic, it has bugs that have not been fixed for quite a while, and ever since it went closed source, it seems that development--which was never terribly regular compared to projects like Plex or Emby--has slowed.

Both Madsonic and Airsonic are forks of Subsonic and are under much more active development. Madsonic has many more features, one of which that is interesting to me being "composer" tag support. This has long been a request for Subsonic, but has not been added. The only reason I've not switched is that I have a license for Subsonic, and like Subsonic, Madsonic requires a license to use all of the features.

Airsonic is intended to be completely free. The only reason I'm not on it instead of Subsonic is that it does not yet have a Debian build.

I'd suggest looking at those two before pulling the trigger with Subsonic.
Jägs
 
Posts: 109
Joined: Wed Apr 06, 2011 9:52 pm

Re: Securing the server and other noobie questions

Postby Schmoopy » Mon Jan 22, 2018 8:14 am

Thanks Jags,

I could not get Madsonic to work on the Mac for the life of me today :-)
I have the feeling it's wanting a very specific Java version or something.

I did manage to get Airsonic working via standalone .war file without much difficulty.
It seems quite comparable to Subsonic, but not quite as friendly to set up.

I would love to get these working as https, and I think Subsonic may be the easiest one to tweak for that.
I didn't find a parameter to pass to the .war file for https in Airsonic.

For people here, is exposing via http a huge security risk? I was thinking I'd run the app in a Mac sandbox wrapper
and also under a non-root user. I'm a programmer, but a networking newbie.
Schmoopy
 
Posts: 3
Joined: Sun Jan 21, 2018 6:16 pm

Re: Securing the server and other noobie questions

Postby acroyear » Mon Jan 22, 2018 9:44 pm

With Airsonic, you'll have to do it by hand in the Jetty or Tomcat server you added the .war file to. It isn't part of the .war, but rather the whole servlet engine.

For myself, I found it easier to just add the cert to my apache server and have that mod_rewrite proxy to the subsonic instances. It breaks <myserver>.subsonic.org redirects, but I never used them anyways because of a bug in Firefox, and airsonic likely removed that feature.

I was fine with http and ran my server that way for a long time (in fact, the http is still exposed for now because I haven't finished updating all of my clients). The main reason I'm moving up is that there are some features that Chrome will no longer support that way, so for my SubFire apps to work better, I need them to be https, so I need my server to be https too...and with a signed cert (I use letsencrypt.org) because some devices like Amazon Fire TV/Stick won't let you approve or install a self-signed cert like the one that is bundled with subsonic.

But generally I didn't worry about it, esp after the md5 enc: hash feature was added to the API in 6.x. If anybody actually tried to crack my box by protocol sniffing, any damage they could do I could undo with a DB revert and then cleaning up any cover photos changed. That said, if you're paranoid about security and script hacks, it is easier to do a general attack on the Jetty or Tomcat (if you are using that) server over an http port than an https.
--
Joe Shelby
http://subfiresuite.com/
http://subfireplayer.net/
acroyear
 
Posts: 779
Joined: Wed Mar 27, 2013 8:05 pm
Location: Northern, VA
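
An added example (not from any poster in this thread): a small audit over request URLs, as a reverse proxy or access log would record them, that reports which clients still send the Subsonic REST credential in a reversible form and over which transport. It assumes the API's documented parameters (`p` as cleartext or `enc:` hex, or `t`/`s` as an md5 token plus salt); the sample URLs, client names and the high/medium/low grading are constructed for illustration.

```python
import hashlib
from urllib.parse import urlsplit, parse_qs

def make_token(password: str, salt: str) -> str:
    """Subsonic API 1.13.0+ token: t = md5(password + salt), sent with s = salt."""
    return hashlib.md5((password + salt).encode("utf-8")).hexdigest()

def classify_auth(url: str) -> str:
    """Report how a /rest/ request carries the credential, without echoing it."""
    q = parse_qs(urlsplit(url).query)
    if "p" in q:
        # "enc:" + hex is an encoding, not a hash: it reverses to the password.
        return "hex-encoded password" if q["p"][0].startswith("enc:") else "cleartext password"
    if "t" in q and "s" in q:
        return "salted md5 token"
    return "no credential"

def risk(url: str) -> str:
    """Combine transport and credential form into a review priority (assumed grading)."""
    kind = classify_auth(url)
    tls = urlsplit(url).scheme == "https"
    if kind == "no credential":
        return "n/a"
    if kind == "salted md5 token":
        # The password itself is not on the wire, but an observed t/s pair
        # stays valid, so plain HTTP still needs fixing.
        return "low" if tls else "medium"
    return "medium" if tls else "high"

def audit(requests):
    """requests: iterable of (client_name, url). Returns rows sorted worst first."""
    order = {"high": 0, "medium": 1, "low": 2, "n/a": 3}
    rows = [(c, classify_auth(u), risk(u)) for c, u in requests]
    return sorted(rows, key=lambda r: order[r[2]])

# Constructed sample requests (host, user, password and client names are made up).
BASE = "music.example.net"
SAMPLE = [
    ("old-phone-app", f"http://{BASE}:4040/rest/ping.view?u=joe&p=sesame&v=1.12.0&c=old"),
    ("tv-app", f"http://{BASE}:4040/rest/ping.view?u=joe&p=enc:736573616d65&v=1.12.0&c=tv"),
    ("web-player", f"http://{BASE}:4040/rest/ping.view?u=joe"
                   f"&t={make_token('sesame', 'c19b2d')}&s=c19b2d&v=1.13.0&c=web"),
    ("new-phone-app", f"https://{BASE}/rest/ping.view?u=joe"
                      f"&t={make_token('sesame', '9f31aa')}&s=9f31aa&v=1.13.0&c=new"),
]

if __name__ == "__main__":
    for client, kind, level in audit(SAMPLE):
        print(f"{level:6} {client:14} {kind}")
```

Clients reported as "high" are the ones to update or retire before the plain-HTTP port is closed.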

