libretime/docs/admin-manual/setup/reverse-proxy.md

---
title: Reverse proxy
sidebar_position: 30
---

This guide walks you through the steps required to set up a reverse proxy in front of LibreTime.

Setting up a reverse proxy in front of LibreTime is recommended: it prevents LibreTime from being directly open to the Internet, adds security by enabling https, and lets you manage your certificates in a single place.

:::warning

The current input and output streams use Icecast-based protocols, which don't support being behind a reverse proxy. Don't attempt to reverse proxy Icecast or the Liquidsoap harbor inputs.

Modern protocols such as HLS and SRT will be implemented in the future to fix those limitations.

:::

Below is a diagram that illustrates the goals when setting up a reverse proxy in front of LibreTime:

```mermaid
flowchart TD
    internet[Internet]

    subgraph internal[Your system or private network]
        libretime[LibreTime service, listen on :8080]

        icecast[Icecast service, listen on :8000]
        liquidsoap[Liquidsoap service, listen on :8001 and 8002]

        subgraph proxy[Your reverse proxy]
            front_http[Listen on :80]
            front_https[Listen on :443]
            front_http -.-> |Redirect to https| front_https

            router[Router]
            front_https --> |Terminate https| router
        end

        router --> |If hostname is radio.example.com| libretime
    end

    internet ==> front_http
    internet ==> front_https

    internet ==> icecast
    internet ==> liquidsoap
```

Prerequisites

You need a domain name (radio.example.com) and a TLS certificate for that domain. You can get certificates from Let's Encrypt by using Certbot.

You need to identify the location of the services that should be exposed to the public:

  • the LibreTime web server (usually localhost:8080; for clarity, this documentation uses libretime:8080).

:::info

If LibreTime is running on the same host as the reverse proxy, you need to change the LibreTime web server default listening port because the reverse proxy needs to listen on ports 80 and 443.

:::

:::caution

Be sure that your firewall and network allow communication from the reverse proxy to the services. You can use ping, telnet and curl to check that communication is working.

:::

Install a reverse proxy

Apache

:::info

You can follow one of these guides to configure Apache with a Let's Encrypt certificate.

:::

🚧

Nginx

:::info

You can follow one of these guides to configure Nginx with a Let's Encrypt certificate.

:::

Once you have installed Nginx and retrieved the required certificates, you can configure the reverse proxy to work with LibreTime.

Paste the following configuration in /etc/nginx/sites-available/libretime.conf and be sure to replace:

  • radio.example.com with your own station URL,
  • libretime:8080 with the location of your LibreTime web server;

```nginx
# Redirect all plain http requests to https.
server {
    listen 80;
    server_name radio.example.com;
    location / {
        rewrite ^ https://$server_name$request_uri? permanent;
    }
}

# Terminate https and forward requests to the LibreTime web server.
server {
    listen 443 ssl;
    server_name radio.example.com;

    ssl_certificate /etc/letsencrypt/live/radio.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/radio.example.com/privkey.pem;

    location / {
        # Pass the original host, client address and scheme to LibreTime.
        # X-Real-IP is the address nginx saw; X-Forwarded-For appends that
        # address to any value the client sent.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Port  $server_port;

        proxy_pass http://libretime:8080/;
    }
}
```

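Enable the Nginx configuration and restart Nginx using the commands below:

```bash
# Both commands need root: the first writes to /etc/nginx, the second restarts a system service.
sudo ln -s /etc/nginx/sites-available/libretime.conf /etc/nginx/sites-enabled/
sudo systemctl restart nginx
```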
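
The script below is an added example, not part of the LibreTime documentation: run from a client machine, it checks that port 80 answers with a permanent redirect to https on the same host, that https is served with a valid certificate, and that the LibreTime port is not reachable directly. `radio.example.com` and port `8080` are this page's placeholders; the file name `check-proxy.sh` is hypothetical, and the direct-port check assumes LibreTime runs on the same host as the proxy.

```sh
#!/bin/sh
# Added example: post-install checks for the reverse proxy described above.
# Usage: sh check-proxy.sh radio.example.com [libretime_port]

# Read raw HTTP response headers on stdin, print "<status> <location>".
parse_redirect() {
    tr -d '\r' | awk '
        NR == 1 { status = $2 }
        tolower($1) == "location:" { location = $2 }
        END { print status, location }'
}

# Succeed only if the headers on stdin are a 301 to https:// on host $1.
# A redirect to any other host, or a temporary redirect, is rejected.
is_https_redirect() {
    parsed=$(parse_redirect)
    status=${parsed%% *}
    location=${parsed#* }
    [ "$status" = 301 ] || return 1
    case $location in
        "https://$1/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live checks against a deployed proxy (needs curl and network access).
check_proxy() {
    host=$1
    port=${2:-8080}   # assumption: LibreTime port on the same host as the proxy
    rc=0
    if ! curl -sI --max-time 10 "http://$host/" | is_https_redirect "$host"; then
        echo "FAIL: http://$host/ is not a 301 redirect to https://$host/"; rc=1
    fi
    # curl verifies the certificate chain and host name by default.
    if ! curl -sfI --max-time 10 -o /dev/null "https://$host/"; then
        echo "FAIL: https://$host/ failed (certificate or upstream error)"; rc=1
    fi
    # The backend must only be reachable through the proxy.
    if curl -s --max-time 5 -o /dev/null "http://$host:$port/"; then
        echo "FAIL: LibreTime answers directly on $host:$port, restrict it in the firewall"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $host"
    return "$rc"
}

if [ -n "${1:-}" ]; then
    check_proxy "$@"
fi
```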

Icecast

:::warning

If you attempt to listen to an insecure Icecast stream on a secure website, your browser will raise a mixed content error, which should prevent your player from playing the stream.

You can follow one of these guides to configure a secure Icecast server with a Let's Encrypt certificate.

:::