libretime/docs/getting-started/reverse-proxy.md

---
title: Reverse Proxy
sidebar_position: 5
---

In some deployments, the LibreTime server is deployed behind a reverse proxy,
for example in containerization use-cases such as Docker and LXC. LibreTime
makes extensive use of its API for some site functionality, which causes
[Cross-Origin Resource Sharing (CORS)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS)
to occur. By default, CORS requests are blocked by your browser and the origins
need to be added to the **Allowed CORS URLs** block in
[**General Settings**](/docs/guides/settings). These origins should include any
domains that will be used externally to connect to your reverse proxy that you
want handled by LibreTime. These URLS can also be set during the first run configuration
that is displayed when you first install LibreTime

### Reverse proxy basics

A reverse proxy allows the LibreTime server to not be connected to the open internet. In
this configuration, it is rather behind another server that proxies traffic to it from
users. This provides some advantages in the containerization space, as this means that
the containers can be on their own internal network, protected from outside access.

A reverse proxy also allows SSL to be terminated in a single location for multiple sites.
This means that all your traffic to the proxy from clients is encrypted, but the reverse
proxy's traffic to the containers on the internal network is not. All the SSL certificates
live on the reverse proxy and can be renewed there instead of on the individual
containers.

### Setup

For SSL redirection to work, you need two domains: one for LibreTime and one for Icecast.
Here, these will be `libretime.example.com` and `icecast.example.com`.

You will also require two VMs, servers or containers. Alternatively the reverse proxy can
be located on the server, proxying connections to containers also on the host. Setting up
a containerization environment is beyond the scope of this guide. It assumes that you have
Nginx set up on `localhost` and LibreTime will be installed on `192.168.1.10`. You will need root
access on both. `192.168.1.10` also needs to be able to be accessed from `localhost`
(`ping 192.168.1.10` on `localhost`).

On `192.168.1.10`, install LibreTime as described in the [install guide](/docs/getting-started/install). Once it has installed, replace `<hostname>localhost</hostname>` in
`/etc/icecast2/icecast.xml` with the following:

```xml
<hostname>icecast.example.com</hostname>
```

This is the hostname that people listening to your stream will connect to and what
LibreTime will use to stream out to them. You will then need to restart Icecast using `sudo systemctl restart icecast2`.

On `localhost`, run the following:

```bash
cat << EOF | sudo tee /etc/nginx/sites-available/libretime.conf
server {
    listen 80;
    server_name libretime.example.com;
    location / {
        rewrite ^ https://$server_name$request_uri? permanent;
    }
}
server {
    listen 443 ssl;
    server_name libretime.example.com;
    ssl_certificate /etc/letsencrypt/live/libretime.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/libretime.example.com/privkey.pem;
    add_header Strict-Transport-Security "max-age=15552000;";
    add_header X-Frame-Options "SAMEORIGIN";
    client_max_body_size 512M;
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://192.168.1.10/;
    }
}
EOF
```

This Nginx configuration ensures that all traffic uses SSL to the reverse proxy, and
traffic is proxied to `192.168.1.10`.

Next, the SSL certificate needs to be generated and the site activated.

```
sudo apt install certbot
sudo systemctl stop nginx
sudo certbot certonly -d libretime.example.com -a standalone
sudo systemctl start nginx
```

You can now go to `https://libretime.example.com` and go
through the installer. On `General Settings`, you need to change the Webserver Port to
`443` and add the following CORS URLs:

```
https://libretime.example.com
http://libretime.example.com
https://localhost
http://localhost
```

Finally, the configuration file needs updating. Under `[general]`, `force_ssl`
needs to be set to true:

```ini
[general]
...
force_ssl = true
```
Commiting to test quickstart.sh 2020-11-02 19:20:34 +01:00			`---`
			`title: Reverse Proxy`
docs: rework docs into the new website - multipass docs moved to local-dev.md - add documentation to website - rework fogotten files - disable fogotten files Co-authored-by: Zachary Klosko <zklosko@users.noreply.github.com> 2022-02-09 09:37:52 +01:00			`sidebar_position: 5`
Commiting to test quickstart.sh 2020-11-02 19:20:34 +01:00			`---`

			`In some deployments, the LibreTime server is deployed behind a reverse proxy,`
			`for example in containerization use-cases such as Docker and LXC. LibreTime`
			`makes extensive use of its API for some site functionality, which causes`
			`[Cross-Origin Resource Sharing (CORS)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS)`
			`to occur. By default, CORS requests are blocked by your browser and the origins`
			`need to be added to the Allowed CORS URLs block in`
docs: rework docs into the new website - multipass docs moved to local-dev.md - add documentation to website - rework fogotten files - disable fogotten files Co-authored-by: Zachary Klosko <zklosko@users.noreply.github.com> 2022-02-09 09:37:52 +01:00			`[General Settings](/docs/guides/settings). These origins should include any`
Commiting to test quickstart.sh 2020-11-02 19:20:34 +01:00			`domains that will be used externally to connect to your reverse proxy that you`
			`want handled by LibreTime. These URLS can also be set during the first run configuration`
			`that is displayed when you first install LibreTime`

docs: fix prose linting errors - Properly enclose code between triple backticks - Put paths and url between backticks - Remove links <> enclosing - Libretime styled name is LibreTime - Put urls and paths betwen backticks - Use sentence like capitalization for headings - Put tools name between backticks - Update links 2022-02-10 12:15:23 +01:00			`### Reverse proxy basics`
Commiting to test quickstart.sh 2020-11-02 19:20:34 +01:00
			`A reverse proxy allows the LibreTime server to not be connected to the open internet. In`
			`this configuration, it is rather behind another server that proxies traffic to it from`
			`users. This provides some advantages in the containerization space, as this means that`
			`the containers can be on their own internal network, protected from outside access.`

			`A reverse proxy also allows SSL to be terminated in a single location for multiple sites.`
			`This means that all your traffic to the proxy from clients is encrypted, but the reverse`
			`proxy's traffic to the containers on the internal network is not. All the SSL certificates`
			`live on the reverse proxy and can be renewed there instead of on the individual`
			`containers.`

			`### Setup`

remove known bug note on reverse proxy set up 2021-01-21 08:49:15 +01:00			`For SSL redirection to work, you need two domains: one for LibreTime and one for Icecast.`
			Here, these will be `libretime.example.com` and `icecast.example.com`.
Commiting to test quickstart.sh 2020-11-02 19:20:34 +01:00
			`You will also require two VMs, servers or containers. Alternatively the reverse proxy can`
			`be located on the server, proxying connections to containers also on the host. Setting up`
			`a containerization environment is beyond the scope of this guide. It assumes that you have`
docs: update reverse-proxy example variables 2022-02-16 13:48:21 +01:00			Nginx set up on `localhost` and LibreTime will be installed on `192.168.1.10`. You will need root
			access on both. `192.168.1.10` also needs to be able to be accessed from `localhost`
			(`ping 192.168.1.10` on `localhost`).
Commiting to test quickstart.sh 2020-11-02 19:20:34 +01:00
docs: update reverse-proxy example variables 2022-02-16 13:48:21 +01:00			On `192.168.1.10`, install LibreTime as described in the [install guide](/docs/getting-started/install). Once it has installed, replace `<hostname>localhost</hostname>` in
Commiting to test quickstart.sh 2020-11-02 19:20:34 +01:00			`/etc/icecast2/icecast.xml` with the following:

docs: fix prose linting errors - Properly enclose code between triple backticks - Put paths and url between backticks - Remove links <> enclosing - Libretime styled name is LibreTime - Put urls and paths betwen backticks - Use sentence like capitalization for headings - Put tools name between backticks - Update links 2022-02-10 12:15:23 +01:00			```xml
Commiting to test quickstart.sh 2020-11-02 19:20:34 +01:00			`<hostname>icecast.example.com</hostname>`
			```

			`This is the hostname that people listening to your stream will connect to and what`
docs: rework docs into the new website - multipass docs moved to local-dev.md - add documentation to website - rework fogotten files - disable fogotten files Co-authored-by: Zachary Klosko <zklosko@users.noreply.github.com> 2022-02-09 09:37:52 +01:00			LibreTime will use to stream out to them. You will then need to restart Icecast using `sudo systemctl restart icecast2`.
Commiting to test quickstart.sh 2020-11-02 19:20:34 +01:00
docs: update reverse-proxy example variables 2022-02-16 13:48:21 +01:00			On `localhost`, run the following:
Commiting to test quickstart.sh 2020-11-02 19:20:34 +01:00
docs: rework docs into the new website - multipass docs moved to local-dev.md - add documentation to website - rework fogotten files - disable fogotten files Co-authored-by: Zachary Klosko <zklosko@users.noreply.github.com> 2022-02-09 09:37:52 +01:00			```bash
Commiting to test quickstart.sh 2020-11-02 19:20:34 +01:00			`cat << EOF \| sudo tee /etc/nginx/sites-available/libretime.conf`
			`server {`
			`listen 80;`
			`server_name libretime.example.com;`
			`location / {`
			`rewrite ^ https://$server_name$request_uri? permanent;`
			`}`
			`}`
			`server {`
			`listen 443 ssl;`
			`server_name libretime.example.com;`
			`ssl_certificate /etc/letsencrypt/live/libretime.example.com/fullchain.pem;`
			`ssl_certificate_key /etc/letsencrypt/live/libretime.example.com/privkey.pem;`
			`add_header Strict-Transport-Security "max-age=15552000;";`
			`add_header X-Frame-Options "SAMEORIGIN";`
			`client_max_body_size 512M;`
			`location / {`
			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
chore: fix broken links 2022-02-16 09:48:01 +01:00			`proxy_pass http://192.168.1.10/;`
Commiting to test quickstart.sh 2020-11-02 19:20:34 +01:00			`}`
			`}`
			`EOF`
			```

			`This Nginx configuration ensures that all traffic uses SSL to the reverse proxy, and`
chore: fix broken links 2022-02-16 09:48:01 +01:00			traffic is proxied to `192.168.1.10`.
Commiting to test quickstart.sh 2020-11-02 19:20:34 +01:00
			`Next, the SSL certificate needs to be generated and the site activated.`

			```
			`sudo apt install certbot`
			`sudo systemctl stop nginx`
			`sudo certbot certonly -d libretime.example.com -a standalone`
			`sudo systemctl start nginx`
			```

chore: fix broken links 2022-02-16 09:48:01 +01:00			You can now go to `https://libretime.example.com` and go
Commiting to test quickstart.sh 2020-11-02 19:20:34 +01:00			through the installer. On `General Settings`, you need to change the Webserver Port to
			`443` and add the following CORS URLs:

			```
			`https://libretime.example.com`
			`http://libretime.example.com`
			`https://localhost`
			`http://localhost`
Adding @caveman99's doc 2020-11-17 01:59:30 +01:00			```

			Finally, the configuration file needs updating. Under `[general]`, `force_ssl`
			`needs to be set to true:`

docs: fix prose linting errors - Properly enclose code between triple backticks - Put paths and url between backticks - Remove links <> enclosing - Libretime styled name is LibreTime - Put urls and paths betwen backticks - Use sentence like capitalization for headings - Put tools name between backticks - Update links 2022-02-10 12:15:23 +01:00			```ini
Adding @caveman99's doc 2020-11-17 01:59:30 +01:00			`[general]`
			`...`
			`force_ssl = true`
			```