
Expose the new LibreTime virtual machine via Reyboz to director.border-radio.it
Closed, ResolvedPublic2 Points

Description

Expose the new LibreTime virtual machine via Reyboz to director.border-radio.it via an SSH reverse tunnel.

Configured the LibreTime virtual machine as follows:

Installation
# autossh supervises an ssh process and restarts it when the connection drops
apt install autossh
First connection
# Install this machine's public key for the border-radio-regia account on Reyboz.
# Run it as the user the tunnel service runs as: the autossh.service unit sets no
# User=, so that is root, and ssh will look for the key and known_hosts in root's home.
# This first interactive connection is also where the Reyboz host key gets accepted;
# compare the fingerprint shown with the real one before answering "yes".
# The key is used unattended, so on Reyboz it is worth limiting what it can do in
# that account's authorized_keys (e.g. the "restrict" and "port-forwarding" options,
# plus "permitlisten" where the OpenSSH version on Reyboz supports it).
ssh-copy-id border-radio-regia@reyboz.it -p 2222
/etc/systemd/system/autossh.service
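[Unit]
Description=Expose some Border Radio services to Reyboz infrastructure
After=network.target
Documentation=https://gitpull.it/T594

# Disable start rate limiting, so the tunnel is retried indefinitely.
# StartLimitIntervalSec= is a [Unit] setting (systemd >= 230). It used to sit
# under [Service] here, where systemd does not recognise it and ignores it with
# a warning. On an older systemd the equivalent is StartLimitInterval= under
# [Service]; check with `systemctl --version`.
StartLimitIntervalSec=0

[Service]
# No User= is set, so autossh runs as root and authenticates with root's SSH key.
#
#   -M 0   no autossh monitoring port; dead links are detected by the
#          ServerAlive* options instead
#   -N     do not run a remote command, only forward ports
#   -q     quiet
#   ExitOnForwardFailure=yes   ssh exits (and gets restarted) if Reyboz cannot
#          bind one of the forwarded ports, instead of staying up without a tunnel
#   -R 2225:localhost:22   port 2225 on Reyboz -> sshd of this machine
#   -R 8083:localhost:80   port 8083 on Reyboz -> web server of this machine
#
# Both -R listeners are opened on Reyboz. With the sshd default (GatewayPorts no)
# they bind to loopback only; verify this on Reyboz, because otherwise ports 2225
# and 8083 would be reachable from outside and bypass the Apache login.
# Even on loopback, every local process on Reyboz can reach both ports.
ExecStart=/usr/bin/autossh -M 0 -N -q -o "ServerAliveInterval 45" -o "ServerAliveCountMax 1" -o "ExitOnForwardFailure=yes" -R 2225:localhost:22 -R 8083:localhost:80 -p 2222 border-radio-regia@reyboz.it

# If AUTOSSH_GATETIME is set to 0 autossh will restart even if ssh fails on the first run with an exit status of 1
Environment="AUTOSSH_GATETIME=0"

# restart autossh if something goes wrong
Restart=on-failure

# wait some seconds before retrying
RestartSec=3

[Install]
WantedBy=multi-user.target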

On Reyboz:

/etc/apache2/sites-available/border-radio.director.conf
#
# Border Radio Director
#
# An AirTime proxy (AirTime is actually in a LAN)
#
# See https://gitpull.it/594
# -- Valerio B. -- sab 23 mag 2020, 19:37:17, CEST
#
# HTTPS virtual host: terminates TLS, asks for an HTTP Basic login and proxies
# the requests to the LibreTime machine through the SSH reverse tunnel.
<VirtualHost *:443>

	ServerName director.border-radio.it

	# basic document root just used for Let's Encrypt temporary files
	DocumentRoot /home/www-data/border-radio.it/director

	# The AirTime application on Border Regia host is protected
	# by a basic HTTP Auth for security reasons:
	# Note that Border Radio Regia is a very old (legacy) Ubuntu 12.04 host.
	#
	<Location "/">

		# To change the password:
		#
		#   htpasswd -c /etc/apache2/secrets/border-director.passwd border
		#
		# Careful: -c creates the file and overwrites an existing one, dropping
		# any other user stored in it. Omit -c to update or add a single user.
		#
		# Everything under "/" requires a login. The only unauthenticated paths
		# are the <Location> exceptions below (the LibreTime widget paths and
		# /.well-known, which is needed to renew certificates).
		#
		AuthType Basic
		AuthName "Restricted Content"
		AuthUserFile /etc/apache2/secrets/border-director.passwd
		Require valid-user

		# pass all requests to the Border Regia apache, via an SSH reverse tunnel
		#
		# localhost:8083 is the listener opened on this host by the
		# "-R 8083:localhost:80" forward of autossh.service. The hop is plain HTTP
		# on loopback and is carried inside SSH from here to the backend.
		# Any local process on this host can connect to that port directly,
		# without going through the login above.
		ProxyPass        http://localhost:8083/
		ProxyPassReverse http://localhost:8083/	
	</Location>

	# The four sections below open path prefixes to anonymous visitors. They
	# only lift the login: the ProxyPass of <Location "/"> still applies, so
	# unauthenticated requests under these prefixes reach the backend
	# application. Keep the list as short as the widgets need.
	#
	# NOTE(review): "Satisfy any" is the Apache 2.2 access-control syntax, kept
	# in 2.4 by mod_access_compat, and is mixed here with the 2.4 directive
	# "Require all granted". Check whether it is still needed.

	# Allow everyone to see LibreTime widgets
	# https://gitpull.it/T619
	<Location "/embed/">
		AuthType none
		Require all granted
		Satisfy any
	</Location>

	# Allow everyone to see LibreTime widgets and its resources
	# https://gitpull.it/T619
	<Location "/js/">
		AuthType none
		Require all granted
		Satisfy any
	</Location>

	# Allow everyone to see LibreTime widgets and its resources
	# https://gitpull.it/T619
	<Location "/widgets/">
		AuthType none
		Require all granted
		Satisfy any
	</Location>

	# Allow everyone to see LibreTime widgets and its resources
	# https://gitpull.it/T619
	<Location "/css/">
		AuthType none
		Require all granted
		Satisfy any
	</Location>

	# allow Let's Encrypt to receive its certificates
	<Location "/.well-known">

		# do not proxy Let's Encrypt certificates to allow renew
		# ("!" excludes this path from the proxy, so it is served from the
		# local DocumentRoot instead of the backend)
		ProxyPass !

		AuthType none
		Require all granted
		Satisfy any
	</Location>

	# NOTE(review): SSLCertificateChainFile is deprecated since Apache 2.4.8.
	# On such versions the usual setup is SSLCertificateFile pointing at
	# fullchain.pem from the same directory. Confirm the Apache version first.
	SSLEngine on
	SSLCertificateFile      /etc/letsencrypt/live/director.border-radio.it/cert.pem
	SSLCertificateKeyFile   /etc/letsencrypt/live/director.border-radio.it/privkey.pem
	SSLCertificateChainFile /etc/letsencrypt/live/director.border-radio.it/chain.pem

</VirtualHost>

# redirect insecure traffic
#
# This plain-HTTP virtual host serves nothing itself: every request gets a
# permanent redirect to the HTTPS virtual host, which is the only place where
# the Basic Auth challenge is issued. The redirect also covers /.well-known,
# so certificate-renewal checks arriving on port 80 end up on the HTTPS
# virtual host as well.
<VirtualHost *:80>
	ServerName director.border-radio.it

	Redirect permanent / https://director.border-radio.it/
</VirtualHost>

Event Timeline

valerio.bozzolan triaged this task as High priority.