
Expose Border Radio AirTime
Closed, Resolved · Public

Description

Expose our local AirTime instance to director.border.radio.it with an HTTP basic auth in front of it for security reasons.

The problem with the Border Radio regia is that it is a super-legacy computer behind a NAT, with very broken repositories, so it is impossible to use apt to install autossh or set up anything else. So, for now, I've set up an infinite loop acting like autossh, to keep an SSH tunnel open from Border Radio Regia to the Reyboz server. The script runs from a screen session.

We have set this up only thanks to Antonio from Comala, who was following my instructions while he was in the Border Radio room and I was blocked because of COVID-19. That's why this solution works but it's so shitty. Do not fight about this please.

/root/start-ssh/tunnel

# Poor man's autossh: reconnect forever, five seconds after every drop.
# ExitOnForwardFailure makes ssh quit (and the loop retry) when the remote ports cannot be bound;
# ServerAlive* detects a dead link after about 45 seconds instead of hanging.
while :; do
	date
	ssh border-radio-regia@reyboz.it -p 8080 -N -o ExitOnForwardFailure=yes \
		-o "ServerAliveInterval 45" -o "ServerAliveCountMax 1" \
		-R 2223:localhost:80 -R 8083:localhost:80
	sleep 5
done

See Border Radio Reference and Reyboz Ports Reference.
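The loop above retries at a fixed five seconds, so a server that is down for an hour gets hammered with logins and a misconfigured key would loop silently. The following is an added example (shell, not the task's own script) of the same autossh stand-in with two refinements: BatchMode so the unattended loop can never stall on a prompt, and a backoff that grows only on fast failures and resets after a session that held for at least a minute. Host, user, port and forwards are the ones from the task; the log file path is an assumption.

```shell
#!/bin/sh
# Added example (not the task's script): reconnect loop with backoff standing in
# for autossh where it cannot be installed. Same endpoint and forwards as the
# task's one-liner; the log path is an assumed location.
REMOTE_USER=border-radio-regia
REMOTE_HOST=reyboz.it
REMOTE_PORT=8080
LOG=${LOG:-/tmp/ssh-tunnel.log}   # assumed location, override with LOG=...

# backoff_delay N -> seconds to wait before attempt N: 5, 10, 20, ... capped at 300
backoff_delay() {
    n=$1
    d=5
    while [ "$n" -gt 1 ] && [ "$d" -lt 300 ]; do
        d=$((d * 2))
        n=$((n - 1))
    done
    if [ "$d" -gt 300 ]; then d=300; fi
    echo "$d"
}

# next_attempt N SECONDS_UP -> attempt counter for the next round: back to 1 when
# the previous session stayed up at least a minute (a real drop, not a failing login)
next_attempt() {
    if [ "$2" -ge 60 ]; then echo 1; else echo $(($1 + 1)); fi
}

run_tunnel() {
    attempt=1
    while :; do
        echo "$(date) starting tunnel, attempt $attempt" >> "$LOG"
        start=$(date +%s)
        # BatchMode: never hang on a password or host-key prompt in an unattended loop.
        # ExitOnForwardFailure: exit (and so retry) if the remote ports could not be bound.
        ssh -p "$REMOTE_PORT" -N \
            -o BatchMode=yes \
            -o ExitOnForwardFailure=yes \
            -o ServerAliveInterval=45 \
            -o ServerAliveCountMax=1 \
            -R 2223:localhost:80 \
            -R 8083:localhost:80 \
            "$REMOTE_USER@$REMOTE_HOST" >> "$LOG" 2>&1 || true
        attempt=$(next_attempt "$attempt" $(( $(date +%s) - start )))
        delay=$(backoff_delay "$attempt")
        echo "$(date) tunnel exited, retrying in ${delay}s" >> "$LOG"
        sleep "$delay"
    done
}

# Only start the loop when asked to, so the file can also be sourced for its functions.
if [ "${1:-}" = "--run" ]; then
    run_tunnel
fi
```

Run it inside the existing screen session as `sh /root/start-ssh/tunnel-backoff --run` (any file name works); the log shows every reconnect and the delay chosen, which is also the quickest way to notice that the key or the remote port binding has stopped working.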

Frontend webserver

In Reyboz server:

/etc/apache2/sites-available/border-radio.director.conf
#
# Border Radio Director
#
# An AirTime proxy (AirTime is actually in a LAN)
#
# See https://gitpull.it/T378
# -- Valerio B. -- sab 23 mag 2020, 19:37:17, CEST
#
<VirtualHost *:443>

	ServerName director.border-radio.it

	# basic document root just used for Let's Encrypt temporary files
	DocumentRoot /home/www-data/border-radio.it/director

	# The AirTime application on the Border Regia host is protected
	# by basic HTTP auth for security reasons.
	# Note that Border Radio Regia is an Ubuntu 12.04 hyper-legacy box.
	#
	<Location "/">

		# To change the password:
		#
		#   htpasswd -c /etc/apache2/secrets/border-director.passwd border-director
		#
		# Note that /.well-known is not protected (see below) because certificates are renewed there.
		#
		AuthType Basic
		AuthName "Restricted Content"
		AuthUserFile /etc/apache2/secrets/border-director.passwd
		Require valid-user

		# pass all requests to the Border Regia apache, via the SSH reverse tunnel
		ProxyPass        http://localhost:8083/
		ProxyPassReverse http://localhost:8083/
	</Location>

	# allow Let's Encrypt to receive its certificates
	<Location "/.well-known">

		# do not proxy Let's Encrypt certificates to allow renew
		ProxyPass !

		AuthType none
		Require all granted
		Satisfy any
	</Location>

	SSLEngine on
	SSLCertificateFile      /etc/letsencrypt/live/director.border-radio.it/cert.pem
	SSLCertificateKeyFile   /etc/letsencrypt/live/director.border-radio.it/privkey.pem
	SSLCertificateChainFile /etc/letsencrypt/live/director.border-radio.it/chain.pem

</VirtualHost>

# redirect insecure traffic
<VirtualHost *:80>
	ServerName director.border-radio.it

	Redirect permanent / https://director.border-radio.it/
</VirtualHost>

I've set up basic HTTP auth for security reasons because, as already noted, the Border Radio Regia node is a super-legacy computer running Ubuntu 12.10 without, I think, any security patches.

Currently the user is border-director and the password was shared only with Mariangela C.

To change the password again (the -c flag recreates the file, which is fine here because it holds only this one user):

$ htpasswd -c /etc/apache2/secrets/border-director.passwd border-director

Let's Encrypt

The certificate was deployed with Let's Encrypt:

certbot certonly --webroot --webroot-path=/home/www-data/border-radio.it/director/ -d director.border-radio.it
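The vhost above has to satisfy three properties at once: the proxied AirTime must not be reachable without credentials, the /.well-known path must stay outside the auth so certbot renewals keep working, and port 80 must only redirect so the basic-auth credentials never travel in clear text. The following is an added example (shell with curl, not part of the task) that checks those three properties against the live host after a config change; the hostname is the one from the Apache config, and `http_status`, `check` and `run_checks` are helpers defined here.

```shell
#!/bin/sh
# Added example, not part of the task: smoke test for the director vhost's auth boundary.
# Assumes curl is available; hostname taken from the Apache config above.
TARGET_HOST=${TARGET_HOST:-director.border-radio.it}

# http_status URL -> prints the HTTP status code, or 000 when no response was received
http_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 15 "$1" || true
}

# check NAME EXPECTED ACTUAL -> prints a verdict, returns 1 on mismatch
check() {
    if [ "$3" = "$2" ]; then
        echo "ok   $1 ($3)"
    else
        echo "FAIL $1: expected $2, got $3"
        return 1
    fi
}

# run_checks -> 0 when every property holds, 1 when any fails
run_checks() {
    failed=0

    # 1. The proxied application must not be reachable anonymously.
    check "anonymous / is refused" 401 \
        "$(http_status "https://$TARGET_HOST/")" || failed=1

    # 2. The ACME path must not sit behind auth, or certbot renewals break.
    #    Any answer except 401 is acceptable (404 is normal when no challenge is pending).
    s=$(http_status "https://$TARGET_HOST/.well-known/acme-challenge/probe")
    if [ "$s" = 401 ]; then
        echo "FAIL acme path is behind auth ($s)"; failed=1
    else
        echo "ok   acme path reachable without auth ($s)"
    fi

    # 3. Plain HTTP must redirect (Redirect permanent answers 301), never serve the app.
    check "http redirects to https" 301 \
        "$(http_status "http://$TARGET_HOST/")" || failed=1

    return "$failed"
}

# Only hit the network when asked to, so the file can be sourced for its functions.
if [ "${1:-}" = "--run" ]; then
    run_checks
fi
```

Run `sh director-check.sh --run` (any file name) from the Reyboz server or anywhere with outbound access; a non-zero exit means one of the three properties no longer holds, which is worth wiring into whatever runs after `certbot renew` since a renewal that silently fails is exactly the case the /.well-known exception exists for.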

Event Timeline

valerio.bozzolan triaged this task as Wishlist priority. Sat, May 23, 08:58
valerio.bozzolan created this task.
valerio.bozzolan updated the task description.
valerio.bozzolan updated the task description.
valerio.bozzolan updated the task description.
valerio.bozzolan added a project: Reyboz.
valerio.bozzolan updated the task description.
valerio.bozzolan closed this task as Resolved. Sun, May 24, 20:13
valerio.bozzolan updated the task description.

Everything works. Mark as resolved.