How to secure subsonic with password?

Postby Mosga » Tue Oct 08, 2013 4:49 pm

Hello everybody.

Just discovered subsonic and absolutely loving it. Will probably replace my Google Music with it if everything goes right, however I still have some troubles with setting it up.

I'm running it under tomcat, 8080 non-ssl (for streaming) and 8443 SSL for control - though I don't mind switching streaming to SSL too if required.

Problem is, while control access is secured by password, streaming isn't. "External player with playlist" (that's what various android players create) basically allows EVERYONE to load up 'http://<my-ip>:8080/stream?player=5?id=304&suffix=.flac' and listen to my music. Anyone can change song number and listen to entire music library. Obviously that doesn't sound very legal, plus they'll waste my bandwidth and so on.. They don't have to guess "player" ID because putting any number there works.

Is it really supposed to work like that? Password is required only to add music folders and such but on any subsonic installation with external IP everyone in the internet can access their whole music collection without password?

Firewall isn't a solution because I might have random IP when accessing music from my phone.
I can set up http proxy with password, something like http://forum.subsonic.org/forum/viewtopic.php?f=6&t=10089, but will it be compatible with android players and such? Will they understand that URL to access actual music now must include password? (I understand that when password-protecting playlist URL, I'd better use SSL not to show my password to possible traffic sniffers).
Mosga
 
Posts: 3
Joined: Tue Oct 08, 2013 4:32 pm

Re: How to secure subsonic with password?

Postby Mosga » Mon Oct 14, 2013 11:58 am

Ping?

Does everyone really run their subsonic instances unsecured to public? Or am I missing something?

I've been thinking of complicated solutions like running vpn server on the same machine as subsonic and forcing android device to connect through vpn before accessing subsonic over vpn, but it will require more battery resources and is more complicated to set up.. Is there a simpler way?
Mosga
 
Posts: 3
Joined: Tue Oct 08, 2013 4:32 pm

Re: How to secure subsonic with password?

Postby daneren2005 » Mon Oct 14, 2013 5:51 pm

Streaming requires a username/password. It isn't open to the public (unless you use the sharing functionality, and then you are choosing to make it so). If you just use the example url you gave, it will give a required parameters missing error.
Developer of DSub for Android
daneren2005
 
Posts: 1709
Joined: Fri Jul 06, 2012 7:52 pm

Re: How to secure subsonic with password?

Postby Mosga » Tue Oct 15, 2013 11:58 am

Thanks for your reply.
I am clearly missing something, because my subsonic instance only requires username/password to enter web interface. When I create "external jukebox" player (or it's created by something else like subsonic android app or ultrasonic android app), I can access playback WITHOUT any password from music player. That is, for example I can select that player in web interface and download play.m3u file; there is URL without password in it. When I open the port on firewall I can open that URL from any player or can change numbers to play any song - without authorizing at subsonic at all. There is no parameter missing error, it just plays. It will play even if I delete that particular player or won't log in to subsonic instance for days; and the URL is simple enough, it doesn't include any random key or anything like that.

I never activated any sharing functionality. Just installed subsonic (on solaris under tomcat 6), added example folder and set up transcoding ability.
Can you please give an example of play.m3u file that some other (not mine) subsonic instance generates?
Mosga
 
Posts: 3
Joined: Tue Oct 08, 2013 4:32 pm

Re: How to secure subsonic with password?

Postby daneren2005 » Tue Oct 15, 2013 5:27 pm

Ah ok, I guess I hadn't tried it with an external playlist player. Right you are, it seems to accept it without a username/password. As for how to secure it, doubt there is one. With Sindre mostly awol, you will probably have to decide for yourself if it is a risk worth having. What's interesting is that the playlist generated seems to be pointing to /stream, instead of /rest/stream (this is the one that requires a username/password that all the clients go through). We would really have to get some feedback from the dev to fix this problem.
Developer of DSub for Android
daneren2005
 
Posts: 1709
Joined: Fri Jul 06, 2012 7:52 pm
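
For anyone checking whether an instance has already been reached this way, here is an added example (not part of the thread and not Subsonic code): a Python scan of Tomcat access logs for clients that successfully pulled several different song ids through the plain /stream URL rather than /rest/stream. The log format (AccessLogValve "common" pattern), the function names, the threshold and the sample lines are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Assumed log format: Tomcat AccessLogValve "common" pattern (%h %l %u %t "%r" %s %b).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample lines (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Oct/2013:10:00:01 +0000] "GET /stream?player=5&id=301&suffix=.flac HTTP/1.1" 200 1048576
203.0.113.7 - - [14/Oct/2013:10:00:09 +0000] "GET /stream?player=5&id=302&suffix=.flac HTTP/1.1" 200 1048576
203.0.113.7 - - [14/Oct/2013:10:00:15 +0000] "GET /stream?player=9?id=303&suffix=.flac HTTP/1.1" 206 524288
203.0.113.7 - - [14/Oct/2013:10:00:21 +0000] "GET /stream?player=5&id=304&suffix=.flac HTTP/1.1" 200 1048576
203.0.113.7 - - [14/Oct/2013:10:00:30 +0000] "GET /stream?player=5&id=999&suffix=.flac HTTP/1.1" 404 0
198.51.100.20 - - [14/Oct/2013:11:02:00 +0000] "GET /rest/stream.view?id=304&u=alice&c=DSub HTTP/1.1" 200 1048576
198.51.100.20 - - [14/Oct/2013:11:05:00 +0000] "GET /stream?player=2&id=304&suffix=.flac HTTP/1.1" 200 1048576
"""

def is_plain_stream(path):
    """True for /stream (optionally under a context path), False for /rest/stream*."""
    return path.endswith("/stream") and not path.endswith("/rest/stream")

def stream_id_walkers(lines, min_distinct_ids=3):
    """Map client IP -> sorted song ids for clients that successfully fetched
    at least min_distinct_ids different ids through the plain /stream URL."""
    ids_by_ip = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not m["status"].startswith("2"):  # keep 200 and 206 (range) replies
            continue
        url = urlsplit(m["target"])
        if not is_plain_stream(url.path):
            continue
        # The URL quoted in the thread has a second '?'; treat it as a separator.
        params = parse_qs(url.query.replace("?", "&"))
        ids_by_ip[m["ip"]].update(params.get("id", []))
    return {ip: sorted(ids) for ip, ids in ids_by_ip.items()
            if len(ids) >= min_distinct_ids}

if __name__ == "__main__":
    for ip, ids in stream_id_walkers(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} fetched {len(ids)} distinct ids via /stream: {', '.join(ids)}")
```

A legitimate external playlist player will also show up here, so the output is a list of addresses to compare against the devices you expect, not a verdict.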

