
HTTPS with Android Client and SS on Ubuntu

Posted: Wed Feb 22, 2012 5:24 am
by MountainX
I'm new to Subsonic - just installed it tonight. I want to use HTTPS exclusively. My only client (so far) is the Android Subsonic app. I don't know how to set up HTTPS.

Here are my settings.

I set up manual router port forwarding (because UPnP only seems to set up HTTP access). Here are my settings:
application: subsonic
protocol: both
source net: <blank>
port from: 4443
port to: 4443
IP address: <my Ubuntu server's LAN IP of 192.168.x.y>
enable: checked

I am using these args:
SUBSONIC_ARGS="--https-port=4443 --max-memory=120"

After changing the settings, I rebooted my router and restarted SS:
sudo service subsonic restart

The HTTPS settings do not work. In the Android client, after I set it up and click "Test" it returns "a network error occurred".
I tried a couple of different settings in the Android client, including:

- https://myname.subsonic.org
- https://myname.subsonic.org:4443
- https://myname.subsonic.org:443 (with alternate port forwarding settings)

(I also tried changing the port forwarding to forward from 443 to 4433 with the server address https://myname.subsonic.org)

I'm using the included SSL certificate. Locally, I can enter the HTTPS address in a browser and it works:
https://192.168.x.y:4443/
I can successfully log in, after I got the certificate warning the first time.

The HTTP network access still works from the Android client too. (I'll delete the UPnP entry as soon as HTTPS is working.)

Any help with HTTPS? Thanks

Re: HTTPS with Android Client and SS on Ubuntu

Posted: Wed Feb 22, 2012 3:35 pm
by BKKKPewsey
I am not a droid user but I believe that you do NOT enter the https prefix into the server address.
Just use http: myname.subsonic.org as the address and the re-direct will then go to your https: port.
No need to enter port address either as that is taken care of automatically.


Re: HTTPS with Android Client and SS on Ubuntu

Posted: Wed Feb 22, 2012 4:56 pm
by bushman4
He is correct.

The Subsonic redirect service does not run on the SSL port, just on the standard web port.

If you use http://yourname.subsonic.org, it will then redirect to http://your.ip.address:YourHTTPPort/YourContextPath which will then redirect to https://your.ip.address:YourHTTPSPort/YourContextPath.

HTH,

Glenn

Re: HTTPS with Android Client and SS on Ubuntu

Posted: Wed Feb 22, 2012 7:20 pm
by MountainX
Thanks for the help!

Those redirects will happen first, before any login credentials are sent, right? I just don't want my login credentials sent in plain text.

What's the best way to test that Subsonic can be accessed only via HTTPS?

Is anyone else running Subsonic on a server with other data (other than just media)? I'm running it on a file server with a lot of different data that should remain secure. Does Subsonic create security considerations I need to know about? Where would I find more info on this subject?

Thanks again!

Re: HTTPS with Android Client and SS on Ubuntu

Posted: Wed Feb 22, 2012 7:37 pm
by bushman4
The best way to ensure that Subsonic is only accessed by HTTPS is to only access it using HTTPS. But to do that, you give up the custom domain name... your server address would be https://your.ip.address:YourHTTPSPort/YourContextPath

Barring that, I guess you would have to trust in the fact that, once you enable SSL (HTTPS) in Subsonic, it will automatically redirect all HTTP connections to the HTTPS address. So assuming that you know that HTTPS is set up on the server, and you get a connection at all, you can be assured that the connection is over HTTPS (because all HTTP connections would be redirected and fail if HTTPS was not working).

As to other security considerations, I am not a java programmer so cannot comment.

HTH,

Glenn
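
Added example (not part of the original thread and not Subsonic's own code): a Python probe that walks the redirect chain described above without sending any credentials and reports which hops are plain HTTP and whether the chain ends on HTTPS. The address 203.0.113.10 and HTTP port 4040 are constructed sample values; 4443 is the HTTPS port from the first post.

```python
import http.client
import ssl
from urllib.parse import urlsplit, urljoin

def fetch_once(url, timeout=10):
    """One GET with no credentials and no redirect following -> (status, Location)."""
    p = urlsplit(url)
    if p.scheme == "https":
        # Certificate checks are off because the server in the thread presents a
        # certificate browsers warn about; this probe inspects schemes, not identity.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(p.hostname, p.port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(p.hostname, p.port, timeout=timeout)
    try:
        conn.request("GET", (p.path or "/") + ("?" + p.query if p.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def trace_redirects(start_url, fetch=fetch_once, max_hops=5):
    """Return every URL visited, ending at the first non-redirect response."""
    chain, url = [start_url], start_url
    for _ in range(max_hops):
        status, location = fetch(url)
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        url = urljoin(url, location)
        chain.append(url)
    return chain

def audit(chain):
    """Report plaintext hops and whether the chain ends on HTTPS."""
    plaintext = [u for u in chain if urlsplit(u).scheme != "https"]
    return {"final": chain[-1],
            "final_is_https": urlsplit(chain[-1]).scheme == "https",
            "plaintext_hops": plaintext}

# Constructed responses imitating the redirect chain described in the thread.
SAMPLE = {
    "http://yourname.subsonic.org": (302, "http://203.0.113.10:4040/"),
    "http://203.0.113.10:4040/": (302, "https://203.0.113.10:4443/"),
    "https://203.0.113.10:4443/": (200, None),
}
if __name__ == "__main__":
    print(audit(trace_redirects("http://yourname.subsonic.org", fetch=SAMPLE.__getitem__)))
```

Against a real server, call trace_redirects() without the fetch argument. A chain that does not end on an https URL means the HTTP port is still answering directly instead of redirecting.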

Re: HTTPS with Android Client and SS on Ubuntu

Posted: Sat Mar 03, 2012 3:23 pm
by paulodell
MountainX wrote: Those redirects will happen first, before any login credentials are sent, right? I just don't want my login credentials sent in plain text.

I am not sure about how the Android Client parses your url in order to make the web calls but SubWiji (the Windows client I coded) looks up your https url BEFORE doing ANY web calls with the username and password in (which are encoded also).
So this would mean that the HTTPS url is always used whenever doing anything on your server, the only time the HTTP url is used is once to get the secure url (which when using the subsonic.org address doesn't need the username and password).

Regards

Paul