Skip to main content
Version: Stable 4.x

Reverse proxy

To secure the communication between the users and LibreTime, you have to serve LibreTime over https.

The recommended way is to put a reverse proxy in front of LibreTime, and terminating the https communication at the reverse proxy.

The benefits are managing your certificates in a single place, and being easier to extend your infrastructure. You also don't have to edit the LibreTime specific files which helps when upgrading LibreTime.

flowchart LR internet[Internet] subgraph internal[Your system or private network] libretime[LibreTime service, listen on :8080] icecast[Icecast service, listen on :8000 and :8443] liquidsoap[Liquidsoap service, listen on :8001 and 8002] subgraph proxy[Your reverse proxy] front_http[Listen on :80] front_https[Listen on :443] end front_http --> libretime front_https --> libretime end internet =====> icecast internet =====> liquidsoap internet ==> front_http internet ==> front_https
danger

The current input and output streams are Icecast based protocols and doesn't support being behind a reverse proxy. Don't attempt to reverse proxy Icecast or the Liquidsoap harbor inputs.

You can secure the Icecast output streams by adding an additional Icecast socket and reusing the TLS certificates used to secure LibreTime.

Modern protocols such as HLS and SRT will be implement in the future to fix those limitations.

Prerequisites

info

In this documentation, we will use libretime.example.org as domain name pointing to your server, and localhost:8080 as location for the LibreTime web server.

Be sure that your firewall and network allows communications from the reverse proxy to the services. You can use ping, telnet and curl to check that communication is working.

Install a reverse proxy

Pick one of the reverse proxies below.

info

LibreTime already uses Nginx as web server, so unless you have an advanced setup, we recommend that you use Nginx as reverse proxy.

Nginx

Paste the following configuration in /etc/nginx/sites-available/libretime.example.org.conf and be sure to replace:

  • libretime.example.org with your own station url,
  • localhost:8080 with the location of your LibreTime web server;
/etc/nginx/sites-available/libretime.example.org.conf
server {
listen 80;
server_name libretime.example.org;

client_max_body_size 512M;
client_body_timeout 300s;

location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;

proxy_pass http://localhost:8080/;
}
}

Ensure the default nginx server configuration is not enabled:

sudo rm -f /etc/nginx/sites-enabled/default

Enable the nginx configuration:

sudo ln -s /etc/nginx/sites-available/libretime.example.org.conf /etc/nginx/sites-enabled/

Test the nginx configuration:

sudo nginx -t

Restart nginx:

sudo systemctl restart nginx

You can now follow this guide to configure Nginx with a Let's Encrypt certificate.

You should end up with a nginx configuration similar to:

/etc/nginx/sites-available/libretime.example.org.conf
server {
listen 80;
server_name libretime.example.org;

client_max_body_size 512M;
client_body_timeout 300s;

if ($host = libretime.example.org) {
return 301 https://$host$request_uri;
} # managed by Certbot

return 404; # managed by Certbot
}

server {
listen 443 ssl; # managed by Certbot
server_name libretime.example.org;

client_max_body_size 512M;
client_body_timeout 300s;

ssl_certificate /etc/letsencrypt/live/libretime.example.org/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/libretime.example.org/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;

proxy_pass http://localhost:8080/;
}
}

Apache

Paste the following configuration in /etc/apache2/sites-available/libretime.example.org.conf and be sure to replace:

  • libretime.example.org with your own station url,
  • localhost:8080 with the location of your LibreTime web server;
/etc/apache2/sites-available/libretime.example.org.conf
<VirtualHost *:80>
ServerName libretime.example.org

<Location />
ProxyPass http://localhost:8080/
ProxyPassReverse http://localhost:8080/
</Location>
</VirtualHost>

Ensure the default apache vhost configuration is not enabled:

sudo rm -f /etc/apache2/sites-enabled/000-default.conf

Enable the Apache2 proxy modules:

sudo a2enmod proxy proxy_http

Enable the Apache2 vhost configuration:

sudo a2ensite libretime.example.org

Test the Apache2 configuration:

sudo apache2ctl configtest

Restart Apache2:

sudo systemctl restart apache2

You can now follow this guide to configure Apache2 with a Let's Encrypt certificate.

You should end up with 2 Apache2 configurations similar to:

/etc/apache2/sites-available/libretime.example.org.conf
<VirtualHost *:80>
ServerName libretime.example.org

RewriteEngine on
RewriteCond %{SERVER_NAME} =libretime.example.org
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

<Location />
ProxyPass http://localhost:8080/
ProxyPassReverse http://localhost:8080/
</Location>
</VirtualHost>
/etc/apache2/sites-available/libretime.example.org-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName libretime.example.org

SSLCertificateFile /etc/letsencrypt/live/libretime.example.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/libretime.example.org/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf

<Location />
ProxyPass http://localhost:8080/
ProxyPassReverse http://localhost:8080/
</Location>
</VirtualHost>
</IfModule>

Icecast

If you attempt to listen an insecure Icecast stream on a secure website, a mixed content error will be raised by your browser and should prevent your player from listening to the stream.

Securing the Icecast output streams

caution

Before you start, make sure to have a working and secured LibreTime server, and that the TLS certificates generated by Cerbot are on the same host as Icecast.

Create a Icecast specific SSL certificate bundle based on the TLS certificates generated by Certbot:

sudo bash -c "install \
--group=icecast \
--mode=640 \
<(cat /etc/letsencrypt/live/libretime.example.org/{fullchain,privkey}.pem) \
/etc/icecast2/bundle.pem"

Enable the secure socket and set the SSL certificate bundle path in the Icecast configuration file:

/etc/icecast2/icecast.xml
     <!-- You may have multiple <listen-socket> elements -->
<listen-socket>
<port>8000</port>
<!-- <bind-address>127.0.0.1</bind-address> -->
<!-- <shoutcast-mount>/stream</shoutcast-mount> -->
</listen-socket>
<!--
<listen-socket>
<port>8080</port>
</listen-socket>
-->
- <!--
<listen-socket>
<port>8443</port>
<ssl>1</ssl>
</listen-socket>
- -->
/etc/icecast2/icecast.xml
         <!-- Aliases: can also be used for simple redirections as well,
this example will redirect all requests for http://server:port/ to
the status page
-->
<alias source="/" destination="/status.xsl"/>
<!-- The certificate file needs to contain both public and private part.
Both should be PEM encoded.
<ssl-certificate>/usr/share/icecast2/icecast.pem</ssl-certificate>
-->
+ <ssl-certificate>/etc/icecast2/bundle.pem</ssl-certificate>
</paths>
danger

Don't forget to open the new Icecast secure port 8443 in your firewall.

Restart Icecast to apply the changes:

sudo systemctl restart icecast2

Next, you need to change the LibreTime stream.outputs.icecast.*.public_url configuration to use the newly enabled Icecast secure port, for example:

/etc/libretime/config.yml
     # Icecast output streams.
# > max items is 3
icecast:
- <<: *default_icecast_output
enabled: true
- public_url:
+ public_url: https://libretime.example.org:8443/main.ogg
mount: main.ogg
audio:
format: ogg
bitrate: 256

- <<: *default_icecast_output
enabled: true
- public_url:
+ public_url: https://libretime.example.org:8443/main.mp3
mount: main.mp3
audio:
format: mp3
bitrate: 320

Restart LibreTime to apply the changes:

sudo systemctl restart libretime.target

Finally, you need to configure the Certbot renewal to bundle a Icecast specific SSL certificate and restart the Icecast service:

/etc/letsencrypt/renewal/libretime.example.org.conf
 # Options used in the renewal process
[renewalparams]
account = d76ce6a241c7c74f79e5443216ee420e
authenticator = nginx
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory
+
+deploy_hook = 'bash -c "install --group=icecast --mode=640 <(cat $RENEWED_LINEAGE/{fullchain,privkey}.pem) /etc/icecast2/bundle.pem && systemctl restart icecast2"'

Check that the renewal configuration is valid:

sudo certbot renew --dry-run