Subsonic converted to nginx

2014-09-13 19:55:18 +01:00 · 2014-09-13 19:55:18 +01:00 · 037f801270
parent 8e53558003
commit 037f801270
1 changed files with 11 additions and 263 deletions
--- a/beaglebone.txt
+++ b/beaglebone.txt
@ -7190,15 +7190,9 @@ editor /etc/nginx/sites-available/$HOSTNAME
 Delete all existing contents then add the following:
 #+BEGIN_SRC: bash
 upstream subsonicbackend {
    server 127.0.0.1:4040 max_fails=3 fail_timeout=30s;
    server 127.0.0.1:4040 max_fails=3 fail_timeout=60s;
    server 127.0.0.1:4040 max_fails=3 fail_timeout=90s;
 }
 server {
    listen 80;
-    server_name mysubsonicdomainname.com;
+    server_name tunes.us.to;
    rewrite ^ https://$server_name$request_uri? permanent;
 }
@ -7209,8 +7203,8 @@ map $http_upgrade $connection_upgrade {
 server {
    listen 443 ssl;
-    server_name mysubsonicdomainname.com;
+    server_name tunes.us.to;
-    index index.php;
+    index index.html index.htm;
    error_log  /var/www/mysubsonicdomainname.com/error.log debug;
@ -7222,84 +7216,19 @@ server {
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
    ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
-    add_header Strict-Transport-Security "max-age=0;";
+    #add_header Strict-Transport-Security max-age=0; # six months
    # Only uncomment one of the Strict-Transport-Security entries if you are
    # not using a self-signed certificate
    # add_header Strict-Transport-Security max-age=15768000; # six months
    # use this only if all subdomains support HTTPS!
    # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
-    client_max_body_size 6m;
+    client_max_body_size 20M;
    keepalive_timeout 75 75;
    gzip_vary off;
    location / {
-        proxy_pass https://subsonicbackend;
+        proxy_pass http://localhost:4040/;
-        proxy_http_version 1.1;
+        proxy_redirect     http://             https://;
-        proxy_redirect off;
+        proxy_set_header   Host                $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $http_host;
        proxy_set_header   X-Real-IP           $remote_addr;
-        proxy_buffers 16 32k;
+        proxy_set_header   X-Forwarded-For     $proxy_add_x_forwarded_for;
    }
 }
 server {
    listen 443 ssl;
    server_name mysubsonicdomainname.com;
    charset utf-8;
    root /var/www/mysubsonicdomainname.com/htdocs;
    index index.php;
    if ( !-d $request_filename ) {
        rewrite ^/rest/(.*).view$ /rest/index.php?action=$1 last;
    }
    if ( !-d $request_filename ) {
        rewrite ^/plex/(.*)$ /plex/index.php?action=$1 last;
    }
    location /rest {
        limit_except GET POST {
            deny all;
        }
    }
    location /plex {
        limit_except GET POST {
            deny all;
        }
    }
    location ^~ /bin/ {
        deny all;
        return 403;
    }
    location ^~ /config/ {
        deny all;
        return 403;
    }
    location / {
        limit_except GET POST HEAD{
            deny all;
        }
    }
    location ~ ^(.+\.php)(.*)$ {
        try_files $fastcgi_script_name =404;
        fastcgi_split_path_info  ^(.+\.php)(.*)$;
        fastcgi_pass   unix:/var/run/php5-fpm.sock;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        fastcgi_param  PATH_INFO        $fastcgi_path_info;
        include        /etc/nginx/fastcgi_params;
    }
 }
 #+END_SRC
@ -7307,193 +7236,12 @@ server {
 Save and exit.
 #+BEGIN_SRC: bash
 export HOSTNAME=mysubsonicdomainname.com
 sed "s/mysubsonicdomainname.com/$HOSTNAME/g" /etc/nginx/sites-available/$HOSTNAME > /tmp/website
 cp -f /tmp/website /etc/nginx/sites-available/$HOSTNAME
 /etc/init.d/nginx reload
 #+END_SRC
 #+BEGIN_SRC: bash
 export HOSTNAME=mysubsonicdomainname.com
 editor /etc/apache2/sites-available/$HOSTNAME
 #+END_SRC
 Add the following, replacing /mysubsonicdomainname.com/ with your subsonic domain name and /myusername@mydomainname.com/ with your email address.
 #+BEGIN_SRC: bash
 <VirtualHost *:80>
    ServerName mysubsonicdomainname.com
    Redirect permanent / https://mysubsonicdomainname.com/
 </VirtualHost>
 <IfModule mod_ssl.c>
 <VirtualHost *:443>
    ServerAdmin myusername@mydomainname.com
    ServerName mysubsonicdomainname.com
    ProxyRequests Off
    ProxyPreserveHost Off
    <Location />
        ProxyPass  http://localhost:4040/
        ProxyPassReverse  http://localhost:4040/
    </Location>
    RewriteEngine on
    RewriteOptions inherit
    DocumentRoot /var/www/mysubsonicdomainname.com/htdocs
    <Directory />
        Options FollowSymLinks
        AllowOverride All
    </Directory>
    <Directory /var/www/mysubsonicdomainname.com/htdocs/>
        Options All
        AllowOverride All
        Order allow,deny
        allow from all
        LimitRequestBody 5120000
    </Directory>
    # Don't serve .php~ or .php# files created by emacs
    <Files ~ "(^#.*#|~|\.sw[op])$">
        Order allow,deny
        Deny from all
    </Files>
    <IfModule headers_module>
        Header set X-Content-Type-Options nosniff
        Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate, private"
        Header set Pragma no-cache
    </IfModule>
    <Files .htaccess>
      deny from all
    </Files>
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride All
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
        LimitRequestBody 512000
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel error
    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
    #   SSL Engine Switch:
    #   Enable/Disable SSL for this virtual host.
    SSLEngine on
 	SSLCertificateFile    /etc/ssl/certs/mysubsonicdomainname.com.crt
 	SSLCertificateKeyFile /etc/ssl/private/mysubsonicdomainname.com.key
    # Options based on bettercrypto.org
    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCompression off
    SSLCipherSuite EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
    # Add six earth month HSTS header for all users ...
    Header add Strict-Transport-Security "max-age=15768000"
    # If you want to protect all subdomains , use the following header
    # ALL subdomains HAVE TO support https if you use this !
    # Strict-Transport-Security: max-age=15768000 ; includeSubDomains
    #   SSL Engine Options:
    #   Set various options for the SSL engine.
    #   o FakeBasicAuth:
    #     Translate the client X.509 into a Basic Authorisation.  This means that
    #     the standard Auth/DBMAuth methods can be used for access control.  The
    #     user name is the `one line' version of the client's X.509 certificate.
    #     Note that no password is obtained from the user. Every entry in the user
    #     file needs this password: `xxj31ZMTZzkVA'.
    #   o ExportCertData:
    #     This exports two additional environment variables: SSL_CLIENT_CERT and
    #     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
    #     server (always existing) and the client (only existing when client
    #     authentication is used). This can be used to import the certificates
    #     into CGI scripts.
    #   o StdEnvVars:
    #     This exports the standard SSL/TLS related `SSL_*' environment variables.
    #     Per default this exportation is switched off for performance reasons,
    #     because the extraction step is an expensive operation and is usually
    #     useless for serving static content. So one usually enables the
    #     exportation for CGI and SSI requests only.
    #   o StrictRequire:
    #     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
    #     under a "Satisfy any" situation, i.e. when it applies access is denied
    #     and no other module can change it.
    #   o OptRenegotiate:
    #     This enables optimized SSL connection renegotiation handling when SSL
    #     directives are used in per-directory context.
    #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory /usr/lib/cgi-bin>
        SSLOptions +StdEnvVars
    </Directory>
    #   SSL Protocol Adjustments:
    #   The safe and default but still SSL/TLS standard compliant shutdown
    #   approach is that mod_ssl sends the close notify alert but doesn't wait for
    #   the close notify alert from client. When you need a different shutdown
    #   approach you can use one of the following variables:
    #   o ssl-unclean-shutdown:
    #     This forces an unclean shutdown when the connection is closed, i.e. no
    #     SSL close notify alert is send or allowed to received.  This violates
    #     the SSL/TLS standard but is needed for some brain-dead browsers. Use
    #     this when you receive I/O errors because of the standard approach where
    #     mod_ssl sends the close notify alert.
    #   o ssl-accurate-shutdown:
    #     This forces an accurate shutdown when the connection is closed, i.e. a
    #     SSL close notify alert is send and mod_ssl waits for the close notify
    #     alert of the client. This is 100% SSL/TLS standard compliant, but in
    #     practice often causes hanging connections with brain-dead browsers. Use
    #     this only for browsers where you know that their SSL implementation
    #     works correctly.
    #   Notice: Most problems of broken clients are also related to the HTTP
    #   keep-alive facility, so you usually additionally want to disable
    #   keep-alive for those clients, too. Use variable "nokeepalive" for this.
    #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
    #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
    #   "force-response-1.0" for this.
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
 </VirtualHost>
 </IfModule>
 #+END_SRC
 Save and exit.
 #+BEGIN_SRC: bash
 makecert mysubsonicdomainname.com
 a2ensite mysubsonicdomainname.com
 service apache2 restart
 #+END_SRC
 *** Configuration
 Open a browser and go to your subsonic domain name. Log in with username /admin/ and password /admin/, then change your administrator password.