https access

rasti · January 25, 2016, 12:01am

Hello,

is it possible to run Volumio in secure https mode ?

What settings in which files need to be changed ?

Thanks

Ralf

rasti · January 26, 2016, 8:43pm

Thanks to willy-tech.de/https-in-nginx-einrichten/
I managed to change it.

Volumio can be accessed now by http and https

ssh to volumio and change

sudo mkdir /etc/nginx/ssl
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt
chmod 0600 /etc/nginx/ssl/*

2.change nginx.conf to

user root users;
worker_processes  1;

#error_log  logs/error.log;
error_log  /var/log/nginx/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;


    #access_log  logs/access.log  main;
access_log off;
    sendfile        on;
    #keepalive_timeout  0;
    keepalive_timeout  65;

    gzip  off;
    proxy_buffering off;
    fastcgi_keep_conn on;
    
    #start server1 section
    server {
        listen       80;
 	listen 443 ssl;
        ssl_certificate /etc/nginx/ssl/nginx.crt; 
        ssl_certificate_key /etc/nginx/ssl/nginx.key; 
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2; 
        ssl_ciphers         HIGH:!aNULL:!MD5; 

        access_log  /var/log/nginx/access.log;
        location / {
            root   /var/www;
            index  index.php index.html index.htm;
        }
	
	location /db {
	proxy_pass        http://localhost:81/;
	}

	location /command {
	proxy_pass        http://localhost:82/;
	}
	
	location ^~ /_OS_SETTINGS {
	    deny all;
	}

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
        # php5-fpm
        location ~ \.php$ {
            root           /var/www;
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            #fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
            include        fastcgi_params;
	    fastcgi_param SCRIPT_FILENAME $request_filename;
	    fastcgi_read_timeout 3600;
        }
    } #end server1 section
    
    #start server2 section [/db]
    server {
        listen       81;
        access_log  /var/log/nginx/db.log;
        location / {
            root   /var/www/db;
            index  index.php;
        }
        # php5-fpm
        location ~ \.php$ {
            root           /var/www/db;
            fastcgi_pass   127.0.0.1:9001;
            fastcgi_index  index.php;
            #fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
            include        fastcgi_params;
	    fastcgi_param SCRIPT_FILENAME $request_filename;
	    fastcgi_read_timeout 3600;
        }
    } #end server2 section

    #start server3 section [/command]
    server {
        listen       82;
        access_log  /var/log/nginx/command.log;
        location / {
            root   /var/www/command;
            index  index.php;
        }
        # php5-fpm
        location ~ \.php$ {
            root           /var/www/command;
            fastcgi_pass   127.0.0.1:9002;
            fastcgi_index  index.php;
            #fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
            include        fastcgi_params;
	    fastcgi_param SCRIPT_FILENAME $request_filename;
	    fastcgi_read_timeout 3600;
        }
    } #end server2 section
}

MobeyDuck · January 27, 2016, 1:16pm

How did you manage to get a working certificate?

rasti · January 27, 2016, 3:47pm

See #1 and reference link

Milster · January 14, 2020, 1:50am

Hi Rasti
I’ve been trying to get this working for the last couple of days with no success.
Are you still active on this forum? Do you mind if I post my attempts so far and hopefully you could reveiw them and advise where I am getting unstuck?
Thanks!

volumio · January 14, 2020, 2:07pm

While this approach has its technical validity, it has some shortcomings (you are using a self signed certificate, which will result in a browser warning).
I would like to remind that we worked 2 years on making https connection possible with MyVolumio. While there are other ways of reaching this result, using MyVolumio remote connection (via myvolumio.org) is the most user friendly way (and secure, since all traffic is encrypted)

Milster · January 17, 2020, 2:13am

Hey Michelangelo
I have ended up subscribing to MyVolumio. But I am having a little trouble justifying the financial committment. Maybe I can offer my reason for wanting a https connection. I also run the very popular iot platiform homeassistant, which you probably know integrates nicely with Volumio as a media player. A nicer user experience via hass is running Volumio inside of an iframe. An iframe card is hass’ ability to run a website within a window within hass’ ui. Unfortunately if Hass is running on an https connection; an embedded iframe’s content must also be served up as https. Thus my desire for Volumio to run on https. So my particular traffic would only ever be within my home network. MyVolumio offers a suite of solutions but my requirement is very targetted. I wish there was a slightly cheaper subscription that would let me achieve my objective.
Congratulations on Volumio - its wonderful!!
Best
Milster

Milster · January 21, 2020, 1:59am

Hi @michelangelo. Are you able to send me a private message, so I can ask something of you please? Thanks! Milster