Expose the new LibreTime virtual machine through Reyboz as director.border-radio.it, using an SSH reverse tunnel.
The LibreTime virtual machine was configured as follows:
Installation
apt install autossh
First connection
ssh-copy-id border-radio-regia@reyboz.it -p 2222
/etc/systemd/system/autossh.service
[Unit]
Description=Expose some Border Radio services to Reyboz infrastructure
After=network.target
Documentation=https://gitpull.it/T594

[Service]
# Keep one persistent SSH session to Reyboz open and publish two reverse forwards:
#   port 2225 on Reyboz -> port 22 on this machine
#   port 8083 on Reyboz -> port 80 on this machine
# -M 0 turns off autossh's own monitoring port, so a dead link is detected by the
# ServerAlive* options instead; ExitOnForwardFailure=yes makes ssh exit when a
# forward cannot be set up, which lets Restart= below bring the tunnel back.
# NOTE(review): no User= is set here, so the unit runs as root unless that is
# configured elsewhere; the key installed with ssh-copy-id has to belong to the
# account this unit runs as - confirm.
# NOTE(review): unless GatewayPorts is enabled in sshd on Reyboz, the forwarded
# ports listen on loopback only. Every local account on Reyboz can still reach
# 2225 and 8083 directly, without passing through Apache's Basic Auth - confirm
# that this is acceptable.
ExecStart=/usr/bin/autossh -M 0 -N -q -o "ServerAliveInterval 45" -o "ServerAliveCountMax 1" -o "ExitOnForwardFailure=yes" -R 2225:localhost:22 -R 8083:localhost:80 -p 2222 border-radio-regia@reyboz.it

# If AUTOSSH_GATETIME is set to 0 autossh will restart even if ssh fails on the first run with an exit status of 1
Environment="AUTOSSH_GATETIME=0"

# restart autossh if something goes wrong
Restart=on-failure

# wait some seconds before retrying
RestartSec=3

# disable any kind of restart rate limiting
# not supported in our version
# NOTE(review): systemd documents StartLimitIntervalSec= as a [Unit] option; placed
# in [Service] it is probably ignored with a warning, which may be what "not
# supported in our version" refers to - check with `systemd-analyze verify`.
StartLimitIntervalSec=0

[Install]
WantedBy=multi-user.target
On Reyboz:
/etc/apache2/sites-available/border-radio.director.conf
#
# Border Radio Director
#
# An AirTime proxy (AirTime is actually in a LAN)
#
# See https://gitpull.it/T594
#  -- Valerio B. -- Sat 23 May 2020, 19:37:17, CEST
#
<VirtualHost *:443>
    ServerName director.border-radio.it

    # basic document root just used for Let's Encrypt temporary files
    DocumentRoot /home/www-data/border-radio.it/director

    # The AirTime application on the Border Regia host is protected
    # by HTTP Basic Auth for security reasons:
    # Note that Border Radio Regia is a very old Ubuntu 12.04.
    #
    <Location "/">
        # To change the password:
        #
        #   htpasswd -c /etc/apache2/secrets/border-director.passwd border
        #
        # -c (re)creates the file, so any other user stored in it is dropped;
        # leave -c out to update one user in an existing file.
        #
        # Everything under "/" requires a valid user, except the paths that are
        # explicitly opened further down (/.well-known is one of them, so that
        # certificates can be renewed without credentials).
        #
        AuthType Basic
        AuthName "Restricted Content"
        AuthUserFile /etc/apache2/secrets/border-director.passwd
        Require valid-user

        # pass all requests to the Border Regia apache, via an SSH reverse tunnel
        # (plain HTTP here: the hop is localhost:8083, the reverse-forwarded port)
        ProxyPass http://localhost:8083/
        ProxyPassReverse http://localhost:8083/
    </Location>

    # Allow everyone to see LibreTime widgets
    # https://gitpull.it/T619
    # Requests under this path, and under the three public paths below, are
    # still proxied to the backend, but without asking for credentials.
    # NOTE(review): "Satisfy any" is the Apache 2.2-style directive (served by
    # mod_access_compat on 2.4); next to "Require all granted" it looks
    # redundant on 2.4 - confirm the Apache version before removing it.
    <Location "/embed/">
        AuthType none
        Require all granted
        Satisfy any
    </Location>

    # Allow everyone to see LibreTime widgets and its resources
    # https://gitpull.it/T619
    <Location "/js/">
        AuthType none
        Require all granted
        Satisfy any
    </Location>

    # Allow everyone to see LibreTime widgets and its resources
    # https://gitpull.it/T619
    <Location "/widgets/">
        AuthType none
        Require all granted
        Satisfy any
    </Location>

    # Allow everyone to see LibreTime widgets and its resources
    # https://gitpull.it/T619
    <Location "/css/">
        AuthType none
        Require all granted
        Satisfy any
    </Location>

    # allow Let's Encrypt to reach its challenge files
    <Location "/.well-known">
        # do not proxy Let's Encrypt requests, so that renewal is served
        # from the local DocumentRoot
        ProxyPass !

        AuthType none
        Require all granted
        Satisfy any
    </Location>

    SSLEngine on
    SSLCertificateFile      /etc/letsencrypt/live/director.border-radio.it/cert.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/director.border-radio.it/privkey.pem
    # NOTE(review): SSLCertificateChainFile is deprecated from Apache 2.4.8 on,
    # where SSLCertificateFile can carry the intermediates (fullchain.pem);
    # confirm the Apache version on Reyboz before changing this.
    SSLCertificateChainFile /etc/letsencrypt/live/director.border-radio.it/chain.pem
</VirtualHost>

# redirect insecure traffic
# (every path on port 80, /.well-known included, is sent to HTTPS)
<VirtualHost *:80>
    ServerName director.border-radio.it
    Redirect permanent / https://director.border-radio.it/
</VirtualHost>