Security and SSL

Subsonic is a free, web-based media streamer, providing ubiquitous access to your music. Use it to share your music with friends, or to listen to your own music while at work. You can stream to multiple players simultaneously, for instance to one player in your kitchen and another in your living room.

Moderator: Lillian.W@AST

Buckmark
Posts: 5
Joined: Sun Feb 15, 2015 11:52 pm

Security and SSL

Post by Buckmark »

It would be kinda nice to have Subsonic use security / SSL / HTTPS. Has anyone ever gone down this path before? Overall, I'm rather happy with Subsonic, and it has been pretty easy to set up and configure. A much better experience than SoundsGood. But connecting remotely to my NAS (outside my home) over plain HTTP rather than HTTPS isn't terribly secure. Yes, I've lowered the permissions on my Subsonic account so that it is essentially read-only (play-only) but still...

Has anyone tried adding an SSL certificate to Subsonic? I found this article on the Web, and it looks do-able (I'm not afraid of getting my hands dirty and using terminal access to my NAS via SSH).

http://www.richgrundy.com/blog/setting- ... -subsonic/

Even a self-signed certificate would make me more comfortable (if that would work). The files for subsonic appear to be in the NAS filesystem on usr/local/AppCentral/subsonic. Underneath there is the jar file (containing a subsonic.keystore with an old cert), and also the subsonic.sh where I can specify the HTTPS SSL port. But if I change the contents of the jar file, then I thought I would probably need to sign the jar file again as Java 7 doesn't always like to run unsigned jars. I suppose I should see if Subsonic's jar file is signed. If so, then I'd have to sign it after updating the jar with my SSL key and certificate, and signing the jar file itself would require a second jar signing key and certificate. Certificates are not cheap and I'm not sure if I could get away with self-signed certificates. And what domain would I specify on my SSL certificates? I'd likely need to register for my own DDNS.

I suppose this would be an interesting project for a rainy day. Has anyone ever gone down this path before?
gibxxi
Posts: 85
Joined: Tue Mar 31, 2015 2:59 am

Re: Security and SSL

Post by gibxxi »

All that's required to get Subsonic to use a basic SSL setup (with a self-signed certificate, automatically generated) is to adjust the Subsonic startup script accordingly to allow/specify an SSL port.

You will need to stop the addon via ADM, SSH in to the NAS and find the subsonic.sh file located at:

/usr/local/AppCentral/subsonic/Subsonic/subsonic.sh

Under the option "SUBSONIC_HTTPS_PORT=", specify the port you'd like to use for SSL access. I use port 4043 for this purpose. Then restart the Subsonic App and attempt to log in via regular http. Subsonic should auto-redirect you over to SSL if using a web browser, albeit with a security warning about the untrusted nature of the self-signed SSL certificate.

I would assume the same redirection occurs for mobile apps too, like the default Android Subsonic app made by Sindre Mehus himself. The reason I say this is I have had issues/failures trying to connect to the SSL port directly in some mobile apps in the past, but specifying the standard http address seems to work. Also, since I don't have the option to stream content over insecure http set up at all, the fact that streaming works as expected once SSL is enabled would lead me to believe that the mobile app is in fact automatically redirecting to SSL too, it's just not advertising the fact. I could however be completely wrong on this. I haven't (yet) found a way to conclusively prove the connection type (to mobile apps) for the UI, either way, nor have I put much effort into finding out though.

I have UPnP set up in Subsonic itself, and thus do not need to specify port mappings/forwarding in either ADM OR the router. Subsonic handles the port mappings on its own behalf.

EDIT: Contrary to what I posted above, after the SSL port is specified, you will need to log in using the SSL address:port at least once. Once this has been done successfully at least once on your chosen browser, Subsonic will then redirect all subsequent http connections to https. It's been a long time since I tried this, and I forgot about this requirement.
___ GibsonXXI ___
"Si vis pacem para bellum!"

NAS1: Asustor AS5104T | NAS2: Infrant Repertoire U4 (Modified)
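
One way to check, from a client machine, how the plain-HTTP port actually answers and which certificate the SSL port serves (an added example, not part of the original posts and not Subsonic's own tooling). The host name and both ports are arguments you supply; the function names are illustrative.

```shell
#!/bin/sh
# Added example: classify the answer on the plain-HTTP port and show the
# certificate served on the HTTPS port. Requires curl and openssl.

# Read raw HTTP response headers on stdin and print one of:
#   https-redirect <url>      3xx pointing at an https:// URL
#   redirect-not-https <url>  3xx that stays on http (or is relative)
#   served-in-clear <status>  content answered over plain http
#   no-response               nothing came back
classify_headers() {
    awk '
        NR == 1                    { status = $2 }
        tolower($1) == "location:" { loc = $2 }
        END {
            sub(/\r$/, "", status); sub(/\r$/, "", loc)
            if (status == "")
                print "no-response"
            else if (status ~ /^3/ && loc ~ /^https:\/\//)
                print "https-redirect " loc
            else if (status ~ /^3/)
                print "redirect-not-https " loc
            else
                print "served-in-clear " status
        }'
}

# usage: check_http_port HOST HTTP_PORT   (redirects are not followed)
check_http_port() {
    curl -s -o /dev/null -D - --max-time 10 "http://$1:$2/" | classify_headers
}

# usage: cert_summary HOST HTTPS_PORT
# Identical subject and issuer means a self-signed certificate; note the
# SHA-256 fingerprint and compare it on later connections.
cert_summary() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 -subject -issuer -enddate
}

# Run as: ./check.sh HOST HTTP_PORT HTTPS_PORT
if [ "$#" -eq 3 ]; then
    echo "HTTP port: $(check_http_port "$1" "$2")"
    cert_summary "$1" "$3"
fi
```

A result of served-in-clear means a client pointed at the http address is not being moved to SSL by the server, whatever the browser does after a first HTTPS login.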
JavaVof
Posts: 3
Joined: Sun Jul 28, 2019 6:46 pm
Location: Timor, East

Security and SSL

Post by JavaVof »

Hi,

I have a group in the control security setting configured not to be able to use the New button. The form is a form_toolbar_relatedpages.

When I enter the form, the New button is disabled just as expected. But if I go to any tab on the form, the New button is activated and becomes enabled, even though the user is the same user with the New restriction from his security control group.

What could be happening? What can I do to avoid this?

Thanks all for any help