Setting up a reverse proxy in front of LibreTime can improve security by enabling HTTPS and centralizing certificate management. However, it is not recommended to reverse proxy Icecast or Liquidsoap harbor inputs as they do not support it. Here's how to set up a reverse proxy in front of LibreTime:
Prerequisites:
- A domain name and TLS certificate for that domain
- Knowledge of the location of the services that should be exposed to the public, such as the LibreTime web server (usually located at localhost:8080)
Note: If LibreTime is running on the same host as the reverse proxy, the default listening port of the LibreTime web server needs to be changed because the reverse proxy needs to listen on ports 80 and 443.
Additionally, it is important to ensure that the firewall and network allow communication from the reverse proxy to the services. Tools like ping, telnet, and curl can be used to test communication.
To set up a reverse proxy, you can use Apache or Nginx. Here are the steps for Nginx:
- Install Nginx and retrieve the required certificates.
- Configure Nginx with Let's Encrypt.
- Create a new file called /etc/nginx/sites-available/libretime.conf and paste the following configuration, replacing the placeholders with your own station URL and the location of your LibreTime web server:
    server {
        listen 80;
        server_name radio.example.com;

        location / {
            rewrite ^ https://$server_name$request_uri? permanent;
        }
    }

    server {
        listen 443 ssl;
        server_name radio.example.com;

        ssl_certificate /etc/letsencrypt/live/radio.example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/radio.example.com/privkey.pem;

        location / {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Port $server_port;

            proxy_pass http://libretime:8080/;
        }
    }
Enable the Nginx configuration and restart Nginx using the following commands:
    sudo ln -s /etc/nginx/sites-available/libretime.conf /etc/nginx/sites-enabled/
    sudo systemctl restart nginx
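The site file can be checked for the properties this page relies on: the port 80 server redirects to HTTPS, the TLS server forwards all six headers, and the upstream does not sit on a port the proxy itself needs. The Python script below is an added example, not part of LibreTime or its documentation; the function names, finding messages and the constructed `SAMPLE` input are assumptions made for illustration, and the tokenizer ignores quoted strings and `${var}` syntax.

```python
import re
from urllib.parse import urlsplit

# Headers the page's configuration forwards to the LibreTime web server.
FORWARDED = {"Host", "X-Real-IP", "X-Forwarded-For", "X-Forwarded-Proto",
             "X-Forwarded-Host", "X-Forwarded-Port"}

def parse(tokens):
    """Build nested (name, args, children) tuples from an nginx token iterator."""
    nodes, words = [], []
    for tok in tokens:
        if tok == "}":
            break
        if tok in (";", "{"):
            nodes.append((words[0], words[1:], parse(tokens) if tok == "{" else []))
            words = []
        else:
            words.append(tok)
    return nodes

def find(nodes, name):
    """Yield every directive called `name`, at any nesting depth."""
    for node in nodes:
        if node[0] == name:
            yield node
        yield from find(node[2], name)

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    tokens = iter(re.findall(r"[{};]|[^\s{};]+", re.sub(r"#.*", "", text)))
    out = []
    for _, _, body in find(parse(tokens), "server"):
        if not any("ssl" in args for _, args, _ in find(body, "listen")):
            words = [w for d in ("rewrite", "return") for _, a, _ in find(body, d) for w in a]
            if not any(w.startswith("https://") for w in words):
                out.append("plain-HTTP server does not redirect to https")
            continue
        sent = {args[0] for _, args, _ in find(body, "proxy_set_header")}
        out += [f"missing proxy_set_header {h}" for h in sorted(FORWARDED - sent)]
        for _, args, _ in find(body, "proxy_pass"):
            up = urlsplit(args[0])
            if up.hostname in ("localhost", "127.0.0.1") and (up.port or 80) in (80, 443):
                out.append(f"upstream {args[0]} uses a port the proxy listens on")
    return out

# Constructed sample: no redirect, five headers missing, upstream on port 80.
SAMPLE = """server { listen 80; server_name radio.example.com; }
server { listen 443 ssl; location / { proxy_set_header Host $host; proxy_pass http://localhost:80/; } }"""
print("\n".join(audit(SAMPLE)))
```

To check the real file, pass its contents to `audit()`; the configuration shown on this page produces no findings.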
Note that if you attempt to listen to an insecure Icecast stream on a secure website, your browser may raise a mixed content error, preventing your player from listening to the stream. It is recommended to follow a guide to configuring a secure Icecast server with a Let's Encrypt certificate.