Subsonic Forum

[garyjmellor]

Morning

Excellent explanation! :o) What I don't understand is why when I use canyouseeme and check my external IP with port 80 it comes back as connection refused. I understand inasmuch as I figure that the ISP has this blocked. What I don't understand is if this is blocked why does my Subsonic setup still work? While it's great I have this working now I like to know why this is the case rather than simply accepting that it simply does work. Also, I noticed on my router that the default firewall config has a simple 'block all incoming' type rule. If that's the case, how does Subsonic work if my request initially comes in on port 80 - surely it'd just get booted back (is this why I get connection refused on canyouseeme)....yet it doesn't? If the conection is refused how on earth can I access Subsonic from work? Up until I started tinkering with this I really thought I had a good understanding of basic networking but this just proves I really don't.

With regards to my folder setup: I have my music setup in a folder called 'Music' on my NAS. This is a shared folder. I map this to a mount point on my Linux box called '/mnt/Music'. This is mounted at boot time with an edit to the '/etc/fstab' file (might not mean anything to you as you're a Windows' chap). Within the Music folder on the NAS drive I have my content stored in the following format: 'Artist\Album\Track'. Using the test server on my Android app I can see content and play it without a hitch. Not quite sure where the problem is. Any suggestions? The only thought I've got is that the mount point on Linux is ignoring the 'Music' part. I think if I add another 'Music' folder within the current one on the NAS drive then this might sort it out i.e. 'Music\Music\Artist\Album\Tracks. If that fixes it then I'll rename the outer 'Music' folder to something more meaningful like: 'Subsonic\Music\Artist\Album\Tracks'. I'll post back with the results.

One other thing: do you have any sage advice for securing Subsonic? I know I can redirect to HTTPS (but without getting a certificate I'm not sure if this is worth doing - is it?). If I drop a firewall on my Subsonic server that kight go part way to shoring it up.

[GJ51]

http://www.grc.com/port_80.htm

It is the router that handles the traffic for port 80 and decides if it is to be blocked or allowed through. When the url has a request for a specific port (4040) then, even though the request hits the router at port 80, instead of blocking the traffic, it passes it to the SS host. Even though port 80 is blocked to incomming traffic, it is blocked by the router which still can handle a request for a different port according to the forwarding rules. If a request comes to the router for a response from port 80 it just dies and there is no response.

You can implement SSL connectivity without getting a certificate. You still get ssl traffic encryption and all the benefits of ssl communication. The only difference is that when you log in you will get an ssl warning msg that the certificate for the site is not trusted.

The site's security certificate is not trusted!
You attempted to reach 192.168.1.254, but the server presented a certificate issued by an entity that is not trusted by your computer's operating system. This may mean that the server has generated its own security credentials, which Google Chrome cannot rely on for identity information, or an attacker may be trying to intercept your communications. You should not proceed, especially if you have never seen this warning before for this site.

Big deal, you know what site your logging into so there is no danger. On the plus side it may scare away an unwanted user. I use ssl, but even before I did I never had any security issues with Subsonic. Best suggestion: use a STRONG password for the admin account. Everyone knows that there is an admin account in SS, so it's just a matter of guessing the password to gain access to the admin pages. Even so, what's the damage, a trashed SS site that would need to be reconfigured? If I gave you the admin password to one of my SS sites it wouldn't let you run rampant all over my network unless you also used admin and it's password for remote log in to other access points on your network. Is there a security flaw yet to be exploited out there? Who knows, there is always the potential for a security breach by the very nature of being connected to the internet, but I haven't seen any sign of a problem with SS either personally or from anyone else on the forums here. (I actuall believe the plural of forum is fora, but I use the more commonly used form for calrity and the benefit of those who never took Latin.) Besides, who would be interested in cracking my little SS site, it's not like it's Bank of America or anything.

The folders/NAS issue. Not being a Linux guy I don't have much to offer in the way of an answer other than to suggest trying to set up a test folder with a simple structure to see if you can hit on something that works. I would set up a UNC share \\Music and then inside that I would have folders \Artist|Album\Tracks then in SS Settings/Music folders just enter \\Music. If you have no luck, send a PM to Alphawave7 or 3R3 as both are always very helpful and have Linux experience. Also check your Android device over both 3g and wifi as therre has been some chatter that cell providers may monitor and block some traffic which is why many wanted ssl so that providers couldn't tell what was being transmitted.

[garyjmellor]

Thanks for the lengthy reply. I've done some testing back home and I can confirm that port fowarding on port 80 isn't required. I disabled it completely on my router and then rebooted the router for good measure. Subsonic still runs perfectly. Go figure :o)