Nginx (SSL) proxy

Post by daenney » Sat Aug 18, 2012 10:55 am

I run subsonic at home and I thought I'd share my configuration. In this case nginx is the httpd which runs on port 443 and proxies to all kinds of webapps I run locally.

My home webserver already runs on a subdomain for which I have an SSL certificate. Because of this I want to have subsonic at /subsonic and not as another subdomain as my SSL certificate wouldn't be valid.

There are two parts. First:
Code: Select all
/etc/default/subsonic

SUBSONIC_HOST=127.0.0.1 
SUBSONIC_PORT=8083 
SUBSONIC_CONTEXT_PATH=/subsonic 

SUBSONIC_ARGS="--max-memory=100 --host=${SUBSONIC_HOST} --port=${SUBSONIC_PORT} --context-path=${SUBSONIC_CONTEXT_PATH}"

SUBSONIC_USER=a_non_root_user


Subsonic is bound to 127.0.0.1. Since we can access it from anywhere in the world through the HTTP proxy, and the streaming clients also support this, there's no reason to bind the daemon to listen on anything other than localhost.

I'd also advise anyone to just create a separate user for subsonic, there's no need to run subsonic as root as long as the subsonic user can read (and write if you want to modify tags) the music folder(s).

Now for the nginx part:
Code: Select all
/etc/nginx/sites-available/glados

server {
  listen [::]:443 ssl;
  server_name home.mydomain.com;

  ssl_prefer_server_ciphers on;
  ssl_protocols SSLv3 TLSv1;
  ssl_session_timeout 5m;
  ssl_certificate /etc/nginx/ssl/mydomain.com.chain;
  ssl_certificate_key /etc/nginx/ssl/mydomain.com.key;

  root /usr/share/nginx/www;
  index index.html index.htm;
  client_max_body_size 20M;

  location / {
    root /var/www;
    try_files $uri $uri/ =404;
  }

  location /subsonic {
    include conf.d/params/proxy.conf;
    proxy_pass http://127.0.0.1:8083;
  }
  # [.. other apps ..]
}


Code: Select all
/etc/nginx/conf.d/params/proxy.conf

proxy_redirect          off;
proxy_set_header        Host            $host;
proxy_set_header        X-Real-IP       $remote_addr;
proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;


There's no real need for the location / block but I happen to have an index page there plus it's a fairly OK example of how try_files should be used.

The reason I separated the proxy_* directives into a separate file is that you need those settings for just about any app you want to proxy like this. It's cleaner to just have one line for the include instead of having those four lines for every location /someapp block.

This can easily be expanded to include HTTP Basic auth like so:
Code: Select all
location /subsonic {
  satisfy any;
  allow my_ipv4_home_range/24;
  allow my_ipv6_block/64;
  auth_basic "Subsonic Authentication Required";
  auth_basic_user_file /etc/nginx/auth/subsonic;
  # [..] the rest of the configuration as displayed above [..]
}


This is a neat little trick because it will only require HTTP authentication if you're not coming from your internal network. Unfortunately, because you can't pass HTTP authentication on to Subsonic, you'll still be hit with the Subsonic login page either way. Because of that you might as well not have the basic authentication enabled for the Subsonic proxy.
daenney
 
Posts: 1
Joined: Sat Aug 18, 2012 10:25 am
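
The TLS listener from the post above with its two dated settings corrected for current nginx releases. This is an added example, not the original poster's file: server name, paths and the backend port are the ones from the post, while the listen lines and protocol list are this example's choices.

```nginx
# Added example, not the original poster's file.
server {
  # As posted:  listen [::]:443 ssl;
  # Since nginx 1.3.4 an IPv6 listener is IPv6-only by default, so IPv4
  # clients need their own listen line.
  listen 443 ssl;
  listen [::]:443 ssl;
  server_name home.mydomain.com;

  # As posted:  ssl_protocols SSLv3 TLSv1;
  # SSLv3 is broken (POODLE) and TLS 1.0 is deprecated. Offer only TLS 1.2
  # and 1.3 (TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+).
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers on;
  ssl_session_timeout 5m;
  ssl_certificate     /etc/nginx/ssl/mydomain.com.chain;
  ssl_certificate_key /etc/nginx/ssl/mydomain.com.key;

  location /subsonic {
    include conf.d/params/proxy.conf;
    # The hop to the backend is plain HTTP, which is acceptable only
    # because Subsonic is bound to loopback (SUBSONIC_HOST=127.0.0.1).
    proxy_pass http://127.0.0.1:8083;
  }
}
```

Run `nginx -t` before reloading so a build without TLS 1.3 support is caught as a configuration error rather than at runtime.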

Re: Nginx (SSL) proxy

Post by yaouza » Thu Oct 04, 2012 11:26 pm

I f****g love you ! :oops:

I've been trying to get subsonic and my other webapps working for most of the day, I've looked over tens of forums and tutorials, and IT FINALLY WORKS !

Thank you so much,
Guillaume.
yaouza
 
Posts: 1
Joined: Thu Oct 04, 2012 11:09 pm

Re: Nginx (SSL) proxy

Post by noone5 » Mon Oct 22, 2012 1:17 pm

Hi,

I have tried your configuration, but all links are redirected to an http URL.

This is my configuration for Subsonic:

Code: Select all
SUBSONIC_HOST=127.0.0.1
SUBSONIC_PORT=8084

SUBSONIC_ARGS="--max-memory=150 --host=${SUBSONIC_HOST} --port=${SUBSONIC_PORT}"


# The user which should run the Subsonic process. Default "root".
# Note that non-root users are by default not allowed to use ports
# below 1024. Also make sure to grant the user write permissions in
# the music directories, otherwise changing album art and tags will fail.

SUBSONIC_USER=non-root-user


This is the configuration of nginx:
Code: Select all
server {
       listen 443;
       ssl on;
       root /data/www/nginx/;
       server_name xxx.yyy.zzz;
       access_log      /var/log/nginx/subsonic.access.log;
       error_log       /var/log/nginx/subsonic.error.log;

       location / {
                proxy_pass      http://127.0.0.1:8084;
                proxy_redirect          off;
                proxy_set_header        Host            $host;
                proxy_set_header        X-Real-IP       $remote_addr;
                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        }
}



Is it something that I'm missing?
noone5
 
Posts: 7
Joined: Mon Oct 22, 2012 12:49 pm

Re: Nginx (SSL) proxy

Post by nutt318 » Tue Oct 23, 2012 4:45 pm

In your nginx config file you will want to change the following line:

Code: Select all
proxy_pass      http://127.0.0.1:8084;


To:

Code: Select all
proxy_pass      https://127.0.0.1:8084;
nutt318
 
Posts: 54
Joined: Thu Dec 09, 2010 9:24 pm

Re: Nginx (SSL) proxy

Post by daneren2005 » Sat Oct 27, 2012 12:36 am

I have already tried that as well and am having the same problem. Maybe something was changed in 4.7 so this no longer works correctly?

Using Subsonic 4.7 with Ubuntu 12.04 with nginx

Edit: Actually, to give more information, I just get a redirect when redirecting to http and subsonic is on http. When I redirect to https and subsonic is on https, then I just get 502 Bad Gateway.

If I do https://server/subsonic/login.view then I can get to the page correctly, but then when I log in it redirects me to http:// again. Then if I do https://server/subsonic/ I get into the index page again, but it only half works. Some of the requests work and some of them redirect to http for no reason. I can't figure out what to do here. I tried adding login.view and index.view as indexes, but it doesn't seem to help much. The weirdest part is that the android client seems to work perfectly fine anyways.
Developer of DSub for Android
daneren2005
 
Posts: 1709
Joined: Fri Jul 06, 2012 7:52 pm

Re: Nginx (SSL) proxy

Post by iwill » Mon Oct 29, 2012 11:07 pm

One option is to automatically rewrite all HTTP requests to HTTPS with the following:
Code: Select all
server {
       listen 80;
       rewrite ^(.*) https://$host$1 permanent;
}
iwill
 
Posts: 34
Joined: Wed Feb 29, 2012 7:38 pm
Location: Austin, TX

Re: Nginx (SSL) proxy

Post by iwill » Mon Oct 29, 2012 11:56 pm

Also, many thanks to OP for the helpful guide! I was missing a few of those directives before I was successful.
iwill
 
Posts: 34
Joined: Wed Feb 29, 2012 7:38 pm
Location: Austin, TX

Re: Nginx (SSL) proxy

Post by daneren2005 » Tue Oct 30, 2012 12:38 am

Yah that seems to have done the trick, though it is extremely hacky and a waste of time since it does https -> http -> https. I tried some of the other proxy based ways which were said to work for other services that had a similar problem, but none of them seem to work.
Developer of DSub for Android
daneren2005
 
Posts: 1709
Joined: Fri Jul 06, 2012 7:52 pm

Re: Nginx (SSL) proxy

Post by iwill » Tue Oct 30, 2012 4:40 pm

daneren2005 wrote:... it does https -> http -> https.


It should just be doing http -> https with what I suggested above. A solution that avoids the rewrite would be to force Subsonic to use "https://" for all internal links and resource references. I'm not sure how this can be done without digging into the code.

Would enabling a https port in the start up option cause this to happen?
iwill
 
Posts: 34
Joined: Wed Feb 29, 2012 7:38 pm
Location: Austin, TX

Re: Nginx (SSL) proxy

Post by qupfer » Tue Apr 08, 2014 3:45 pm

Hi, I know this post is very old, but because it's one of the first Google results I will post my (working) solution here. Just as a note (maybe for me :mrgreen: ).

nginx
Code: Select all
server{
        listen 443;
        ssl_certificate cert.crt;
        ssl_certificate_key key.key;
        ssl on;
        server_name domain.de;
        root /usr/share/nginx/html;
        index index.html index.htm;

        location /music/ {
                proxy_pass            http://localhost:25555/music/;
                proxy_redirect       http://                      https://;
                proxy_set_header   Host                         $host;
                proxy_set_header   X-Real-IP                  $remote_addr;
                proxy_set_header   X-Forwarded-For       $proxy_add_x_forwarded_for;
                }
}


and /etc/default/subsonic
Code: Select all
SUBSONIC_ARGS="--max-memory=150 --host=127.0.0.1 --port=25555 --context-path=/music"
SUBSONIC_USER=subsonic


Of course, for this solution "location", "--context-path" and "proxy_pass URI" must match, or you have to find some more complex proxy_redirect/rewrite rules.
qupfer
 
Posts: 8
Joined: Tue Feb 19, 2013 2:37 pm
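
The redirect fix from the last post combined with the port-80 redirect suggested earlier in the thread, with the `Location` rewrite scoped to this site's own host. This is an added example, not a config posted by anyone in the thread: domain.de, port 25555, /music and the certificate file names come from the last post, and the X-Forwarded-Proto header and the assumed shape of the backend's redirects are this example's assumptions.

```nginx
# Added example, not a config from this thread.

# Port 80 catch-all for absolute http:// links the backend still emits;
# "return" is the idiomatic form of the rewrite shown earlier in the thread.
server {
    listen 80;
    listen [::]:80;
    server_name domain.de;
    return 301 https://$host$request_uri;
}

server {
    # "listen ... ssl" replaces "listen 443; ssl on;": the ssl directive was
    # deprecated in nginx 1.15.0 and removed in 1.25.1.
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name domain.de;
    ssl_certificate     cert.crt;
    ssl_certificate_key key.key;

    location /music/ {
        # Must match --context-path=/music and --host=127.0.0.1 --port=25555.
        proxy_pass http://127.0.0.1:25555/music/;

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Assumption: only useful if the backend reads this header.
        proxy_set_header X-Forwarded-Proto $scheme;

        # Assumed form of the backend's redirects: it sees "Host: domain.de"
        # over plain HTTP and answers "Location: http://domain.de/music/...".
        # Rewrite only those; "proxy_redirect http:// https://;" would also
        # rewrite redirects that point at other hosts.
        proxy_redirect http://$host/ https://$host/;
    }
}
```

After reloading, log in once with the browser's network panel open and confirm that no response from the site carries a `Location: http://` header.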

