Expose our local AirTime instance as `director.border-radio.it`, with HTTP Basic Auth in front of it for security reasons.
The problem with the Border Radio regia is that it is a super-legacy computer behind a NAT, with repositories so broken that `apt` cannot install `autossh` or set up anything else. So what I've actually set up is an infinite loop acting like `autossh`, to keep an SSH tunnel up from the Border Radio Regia to the #reyboz server. The script runs from a `screen` session.
We set this up only thanks to Antonio from Comala, who was receiving my instructions while he was in the Border Radio room and I was blocked because of COVID-19. That's why this solution works but is so shitty. Please do not fight about this.
```
name=/root/start-ssh/tunnel
while :; do
    date
    ssh border-radio-regia@reyboz.it -p 8080 -N -o ExitOnForwardFailure=yes -o "ServerAliveInterval 45" -o "ServerAliveCountMax 1" -R 2223:localhost:80 -R 8083:localhost:80
    sleep 5
done
```
See [[ border_radio_reference/ ]] and [[ reyboz/ports/ ]].
== Frontend webserver ==
In #reyboz server:
```
name=/etc/apache2/sites-available/border-radio.director.conf
#
# Border Radio Director
#
# An AirTime proxy (AirTime is actually in a LAN)
#
# See https://gitpull.it/T378
# -- Valerio B. -- Sat 23 May 2020, 19:37:17, CEST
#
<VirtualHost *:443>
    ServerName director.border-radio.it

    # basic document root, only used for Let's Encrypt temporary files
    DocumentRoot /home/www-data/border-radio.it/director

    # The AirTime application on the Border Regia host is protected
    # by HTTP Basic Auth for security reasons.
    # Note that Border Radio Regia is a hyper-legacy Ubuntu 12.04.
    <Location "/">
        # To change the password:
        #
        #   htpasswd -c /etc/apache2/secrets/border-director.passwd border-director
        #
        # Note that we do not protect /.well-known (see below) because
        # that is where the certificates are renewed.
        AuthType Basic
        AuthName "Restricted Content"
        AuthUserFile /etc/apache2/secrets/border-director.passwd
        Require valid-user

        # pass all requests to the Border Regia apache, via the SSH reverse tunnel
        ProxyPass http://localhost:8083/
        ProxyPassReverse http://localhost:8083/
    </Location>

    # allow Let's Encrypt to validate the domain (HTTP-01 challenge files)
    <Location "/.well-known">
        # do not proxy the challenge files, so that renewals keep working
        ProxyPass !
        AuthType none
        Require all granted
        Satisfy any
    </Location>

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/director.border-radio.it/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/director.border-radio.it/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/director.border-radio.it/chain.pem
</VirtualHost>

# redirect insecure traffic
<VirtualHost *:80>
    ServerName director.border-radio.it
    Redirect permanent / https://director.border-radio.it/
</VirtualHost>
```
I've set up HTTP Basic Auth for security reasons because, as already noted, the Border Radio Regia node is a super-legacy computer running Ubuntu 12.10 without, I think, any security patch.
Currently the user is `border-director` and the password was shared only with Mariangela C.
To change the password again (`-c` recreates the file, which is fine here because `border-director` is its only user; omit `-c` when updating one user in a file that holds several):
```
$ htpasswd -c /etc/apache2/secrets/border-director.passwd border-director
```
== Let's Encrypt ==
The certificate was deployed with Let's Encrypt using the webroot method, which is why the `/.well-known` location above is served from the DocumentRoot without authentication and without being proxied:
```
certbot certonly --webroot --webroot-path=/home/www-data/border-radio.it/director/ -d director.border-radio.it
```
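As an added post-deployment check (example code, not part of the original wiki page), the script below verifies from outside that the front end behaves as the vhost above intends: plain HTTP redirects to HTTPS, `/` demands Basic Auth, and the ACME challenge path stays reachable without credentials so certbot renewals keep working. It assumes `curl` is installed and that the hostname is passed as the first argument.

```shell
#!/bin/sh
# Added example: external sanity check for the director.border-radio.it front end.
# It checks the three properties the Apache vhost above is meant to guarantee:
#   1. plain HTTP is redirected (301) to HTTPS
#   2. "/" (the proxied AirTime UI) answers 401 when no credentials are sent
#   3. /.well-known/acme-challenge/ is served locally without auth (404 for an
#      unknown token, NOT 401), so Let's Encrypt renewals keep working
set -u

# Print only the HTTP status code; never follow redirects, never send credentials.
# curl prints 000 when no response arrives (timeout, refused connection).
http_status() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1" 2>/dev/null || true
}

# expect_status <label> <url> <expected code>: prints PASS/FAIL, returns 1 on mismatch
expect_status() {
    label=$1; url=$2; want=$3
    got=$(http_status "$url")
    if [ "$got" = "$want" ]; then
        echo "PASS $label ($got)"
    else
        echo "FAIL $label: expected $want, got '$got' for $url"
        return 1
    fi
}

# check_director <hostname>: returns 0 only if every property holds
check_director() {
    host=$1; rc=0
    expect_status "http->https redirect" "http://$host/" 301 || rc=1
    expect_status "basic auth enforced" "https://$host/" 401 || rc=1
    expect_status "acme path open" "https://$host/.well-known/acme-challenge/probe" 404 || rc=1
    return "$rc"
}

# usage: sh check-director.sh director.border-radio.it
if [ $# -gt 0 ]; then check_director "$1"; fi
```

A 200 on `/` means the proxy is reachable without credentials; a 401 on the challenge path means the next certbot renewal will fail.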