
Expose Border Radio AirTime / autoradio
Closed, Wontfix | Public | 5 Points

Description

Expose our local AirTime instance to director.border-radio.it with HTTP basic auth in front of it for security reasons.

The problem with the Border Radio regia is that it is a super-legacy computer behind a NAT, with very broken repositories, so it is impossible to use apt to install autossh or set up anything else. So, currently, I've set up an infinite loop acting like autossh, to keep an SSH tunnel open from Border Radio Regia to the Reyboz server. The script runs from a screen session.

We have set this up only thanks to Antonio from Comala, who was receiving my instructions in the Border Radio room while I was blocked because of COVID-19. That's why this solution works but is so shitty. Please do not fight about this.

/root/start-ssh/tunnel
while :; do date; ssh border-radio-regia@reyboz.it -p 8080 -N -o ExitOnForwardFailure=yes -o "ServerAliveInterval 45" -o "ServerAliveCountMax 1" -R 2223:localhost:80 -R 8083:localhost:80; sleep 5; done

See Border Radio Reference and Reyboz Ports Reference.

Frontend webserver

In Reyboz server:

/etc/apache2/sites-available/border-radio.director.conf
#
# Border Radio Director
#
# An AirTime proxy (AirTime is actually in a LAN)
#
# See https://gitpull.it/T378
# -- Valerio B. -- Sat 23 May 2020, 19:37:17, CEST
#
<VirtualHost *:443>

	ServerName director.border-radio.it

	# basic document root just used for Let's Encrypt temporary files
	DocumentRoot /home/www-data/border-radio.it/director

	# The AirTime application on the Border Regia host is protected
	# by HTTP basic auth for security reasons.
	# Note that Border Radio Regia is a hyper-legacy Ubuntu 12.04.
	#
	<Location "/">

		# To change the password:
		#
		#   htpasswd -c /etc/apache2/secrets/border-director.passwd border-director
		#
		# (-c rewrites the file from scratch, dropping any other users in it)
		#
		# Note that /.well-known is left unprotected (see below) because
		# that is where certificates are renewed.
		#
		AuthType Basic
		AuthName "Restricted Content"
		AuthUserFile /etc/apache2/secrets/border-director.passwd
		Require valid-user

		# pass all requests to the Border Regia apache, via an SSH reverse tunnel
		ProxyPass        http://localhost:8083/
		ProxyPassReverse http://localhost:8083/	
	</Location>

	# allow Let's Encrypt to receive its certificates
	<Location "/.well-known">

		# do not proxy Let's Encrypt certificates to allow renew
		ProxyPass !

		AuthType none
		Require all granted
		Satisfy any
	</Location>

	SSLEngine on
	SSLCertificateFile      /etc/letsencrypt/live/director.border-radio.it/cert.pem
	SSLCertificateKeyFile   /etc/letsencrypt/live/director.border-radio.it/privkey.pem
	SSLCertificateChainFile /etc/letsencrypt/live/director.border-radio.it/chain.pem

</VirtualHost>

# redirect insecure traffic
<VirtualHost *:80>
	ServerName director.border-radio.it

	Redirect permanent / https://director.border-radio.it/
</VirtualHost>

I've set up basic HTTP auth for security reasons because, as already noted, the Border Radio Regia node is a super-legacy computer with Ubuntu 12.10 and, I think, without any security patches.

Currently the user is border-director and the password was shared only with Mariangela C.

To change the password again:

$ htpasswd -c /etc/apache2/secrets/border-director.passwd border-director

Let's Encrypt

The certificate was deployed with Let's Encrypt:

certbot certonly --webroot --webroot-path=/home/www-data/border-radio.it/director/ -d director.border-radio.it

Event Timeline

valerio.bozzolan created this task.
valerio.bozzolan updated the task description.

Everything works. Mark as resolved.

See T594: Expose the new LibreTime virtual machine via Reyboz reyboz to director.border-radio.it

Now we do not listen anymore on AirTime. There is another virtual machine providing LibreTime.

This is the new updated autossh service:

/etc/systemd/system/autossh-reyboz.service
[Unit]
Description=Expose some Border Radio services to Reyboz infrastructure
After=network.target
Documentation=https://gitpull.it/T378

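[Service]
# Reverse forwards opened on reyboz.it:
#   2224 (loopback by default)  -> localhost:22 on this host
#   10500 (bound to 0.0.0.0)    -> localhost:5900 on this host; a non-loopback
#     bind only succeeds if sshd on reyboz.it has GatewayPorts enabled
ExecStart=/usr/bin/autossh -M 0 -N -q -o "ServerAliveInterval 45" -o "ServerAliveCountMax 1" -o "ExitOnForwardFailure=yes" -R 2224:localhost:22 -R 0.0.0.0:10500:localhost:5900 -p 2222 border-radio-regia@reyboz.it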

# If AUTOSSH_GATETIME is set to 0 autossh will restart even if ssh fails on the first run with an exit status of 1
Environment="AUTOSSH_GATETIME=0"

# restart autossh if something goes wrong
Restart=on-failure

# wait some seconds before retrying
RestartSec=3

# disable any kind of restart rate limiting
# not supported in our version
#StartLimitIntervalSec=0

[Install]
WantedBy=multi-user.target
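
The following audit script is an added example, not part of the original task or its configuration: it reads the two tunnel command lines shown on this page and reports, for each `-R` forward, whether the listening socket is requested on loopback or on every interface of the server. The function names are hypothetical; a non-loopback bind is only honoured when the server's sshd has GatewayPorts enabled.

```shell
#!/bin/sh
# Added example, not part of the task: show where each -R forward would listen.

# The two tunnel command lines as they appear on this page.
LOOP_CMD='ssh border-radio-regia@reyboz.it -p 8080 -N -o ExitOnForwardFailure=yes -o "ServerAliveInterval 45" -o "ServerAliveCountMax 1" -R 2223:localhost:80 -R 8083:localhost:80'
UNIT_CMD='/usr/bin/autossh -M 0 -N -q -o "ServerAliveInterval 45" -o "ServerAliveCountMax 1" -o "ExitOnForwardFailure=yes" -R 2224:localhost:22 -R 0.0.0.0:10500:localhost:5900 -p 2222 border-radio-regia@reyboz.it'

# classify_forward SPEC -> "<scope> <listen-port> <target>"
classify_forward() {
    spec=$1
    case $spec in
        \[*\]:*:*:*) bind=${spec%%\]*}; bind=${bind#\[}; rest=${spec#*\]:} ;;  # [v6]:port:host:port
        *:*:*:*)     bind=${spec%%:*}; rest=${spec#*:} ;;                      # bind:port:host:port
        *:*:*)       bind=@default; rest=$spec ;;                              # port:host:port
        *)           echo "unparsed $spec"; return 1 ;;
    esac
    case $bind in
        @default|localhost|127.*|::1) scope=loopback ;;        # ssh binds loopback by default
        ''|'*'|0.0.0.0|::)            scope=all-interfaces ;;  # empty or '*' means every interface
        *)                            scope=specific-address ;;
    esac
    echo "$scope ${rest%%:*} ${rest#*:}"
}

# audit_remote_forwards CMDLINE -> one classify_forward line per -R option
audit_remote_forwards() (
    set -f                      # keep a '*' bind address from globbing
    want=0
    for word in $1; do
        case $want:$word in
            1:*)    classify_forward "$word"; want=0 ;;
            0:-R)   want=1 ;;
            0:-R?*) classify_forward "${word#-R}" ;;
        esac
    done
)

# count_exposed CMDLINE -> number of forwards that ask for every interface
count_exposed() {
    audit_remote_forwards "$1" | grep -c '^all-interfaces ' || true
}

for cmd in "$LOOP_CMD" "$UNIT_CMD"; do
    audit_remote_forwards "$cmd"
    echo "non-loopback forwards requested: $(count_exposed "$cmd")"
done
```
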
valerio.bozzolan changed the task status from Resolved to Wontfix. Edited Nov 19 2020, 00:46

Marking as wontfix to reflect the fact that we no longer expose the local installation of AirTime or the newer autoradio installation, because now we have this damn separate virtual machine with LibreTime with its own autossh service.

valerio.bozzolan updated the task description.
valerio.bozzolan renamed this task from Expose Border Radio AirTime to Expose Border Radio AirTime / autoradio. Nov 19 2020, 01:01