Expose our local AirTime instance at director.border-radio.it, with HTTP basic auth in front of it for security reasons.
The problem with the Border Radio Regia is that it is a super-legacy computer behind a NAT, with very broken repositories, so it is impossible to use apt to install autossh or to set up anything else. So I've currently set up an infinite loop acting like autossh, to keep an SSH tunnel open from Border Radio Regia to the Reyboz server. The script runs from a screen session.
We have set this up only thanks to Antonio from Comala, who was receiving my instructions while he was in the Border Radio room and I was blocked because of COVID-19. That's why this solution works but it's so shitty. Do not fight about this please.
while :; do date; ssh border-radio-regia@reyboz.it -p 8080 -N -o ExitOnForwardFailure=yes -o "ServerAliveInterval 45" -o "ServerAliveCountMax 1" -R 2223:localhost:80 -R 8083:localhost:80; sleep 5; done
See Border Radio Reference and Reyboz Ports Reference.
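One way to confine the tunnel account on the Reyboz side, since its key lives on an unpatched host. This is an added example, not configuration taken from the Reyboz server; it assumes OpenSSH 7.8 or later (for PermitListen), the usual /etc/ssh/sshd_config path, and that the border-radio-regia account is used only for this tunnel.

```conf
# Added example (assumption: appended to /etc/ssh/sshd_config on the Reyboz server).
# Validate with "sshd -t" before reloading the daemon.
Match User border-radio-regia
    # Only remote (-R) forwards are allowed; local (-L) and dynamic (-D) are refused.
    AllowTcpForwarding remote
    # Only the two listen ports used by the loop above. A client that passes
    # no bind address to -R requests the listen host "localhost".
    PermitListen localhost:2223 localhost:8083
    # Keep the forwarded ports bound to loopback, reachable only via the Apache proxy.
    GatewayPorts no
    # The loop uses -N, so the account never needs a shell, TTY or agent.
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no
    ForceCommand /bin/false
```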
Frontend webserver
In Reyboz server:
#
# Border Radio Director
#
# An AirTime proxy (AirTime is actually in a LAN)
#
# See https://gitpull.it/T378
# -- Valerio B. -- sab 23 mag 2020, 19:37:17, CEST
#
<VirtualHost *:443>
    ServerName director.border-radio.it

    # basic document root just used for Let's Encrypt temporary files
    DocumentRoot /home/www-data/border-radio.it/director

    # The AirTime application on Border Regia host is protected
    # by a basic HTTP Auth for security reasons:
    # Note that Border Radio Regia is an Ubuntu 12.04 iper-legacy.
    #
    <Location "/">
        # To change the password:
        #
        #   htpasswd -c /etc/apache2/secrets/border-director.passwd border-director
        #
        # Note that we do not protect the homepage because there we renew certificates.
        #
        AuthType Basic
        AuthName "Restricted Content"
        AuthUserFile /etc/apache2/secrets/border-director.passwd
        Require valid-user

        # pass all requests to the Border Regia apache, via an SSH reverse tunnel
        ProxyPass http://localhost:8083/
        ProxyPassReverse http://localhost:8083/
    </Location>

    # allow Let's Encrypt to receive its certificates
    <Location "/.well-known">
        # do not proxy Let's Encrypt certificates to allow renew
        ProxyPass !
        AuthType none
        Require all granted
        Satisfy any
    </Location>

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/director.border-radio.it/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/director.border-radio.it/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/director.border-radio.it/chain.pem
</VirtualHost>

# redirect insecure traffic
<VirtualHost *:80>
    ServerName director.border-radio.it
    Redirect permanent / https://director.border-radio.it/
</VirtualHost>
I've set up basic HTTP Auth for security reasons because, as already noted, the Border Radio Regia node is a super-legacy computer with Ubuntu 12.10 and, I think, without any security patches.
Currently the user is border-director and the password was shared only with Mariangela C.
To change the password again (note that -c rewrites the file, so any other entries in it are lost):
$ htpasswd -c /etc/apache2/secrets/border-director.passwd border-director
Let's Encrypt
The certificate was deployed with Let's Encrypt:
certbot certonly --webroot --webroot-path=/home/www-data/border-radio.it/director/ -d director.border-radio.it