Subsonic Forum

[zfa]

Hi all,

OK so I've just moved my Subsonic setup over to my new server. I have a lot of web-enabled services running on it and as part of my general design I do NOT expose these services directly to the internet but instead proxy access to them via an Apache instance. This allows me to use Apache to protect my services and also means I only need to open port 80 on my firewall but lets me have as many backend sites running as I want (I redirect unique subdomains to each service).

Okay, so enough with the background and on to my problem. I've got an Apache instance proxying Subsonic and it works perfectly. I now wish to add security to the proxy for all traffic NOT originating from the Subsonic Android App and have hit a stumbling block. I somehow need to distinguish traffic from the Subsonic app from that over the web. As the app cannot handle Apache authentication this traffic is going to be allowed direct access whilst all other access is to be asked for a password. How can I distinguish between the two traffic sources??

Presently I cannot see an easy way given the app's reqeusts - has anyone managed anything like this? It would be nice if the Subsonic app just included a user agent to identify itself.

TL;DR: Need a way to distinguish Subsonic app traffic from web access. Or I need (please) Subsonic to start including a user agent in it's calls.

[bushman4]

Doesn't all traffic from the remote applications use the rest API, and take the format of http://your-server/rest/blahblahblah?

Could you require authentication for the whole site except the rest subdirectory?

Glenn

[zfa]

Excellent. Allowing all strings commencing /rest/ to pass through without password authentication seems to have done the trick.

I didn't realise that all URIs would be re-fixed with /rest/ as I had no idea about all access being via the rest API (don't know much about Subsonic's architecture).

Many, many thanks for your help.