Setting Up HTTPS and Web Access

Author name

April 25, 2024

With NGINX & Let’s Encrypt

Your Raspberry Pi streaming setup is now secure and functional, but there’s one more critical piece—ensuring secure web access via HTTPS. In this guide, we’ll set up NGINX as a secure reverse proxy and configure SSL certificates using Let’s Encrypt.

Why Use HTTPS?

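HTTPS encrypts the traffic between your browser and the Raspberry Pi, safeguarding your vinyl streaming setup against interception or tampering. This includes the Basic Authentication password that protects the OwnTone interface, which is only encoded, not encrypted, when sent over plain HTTP. HTTPS also enables secure, remote access to your streaming interface.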

Step-by-Step HTTPS Setup

Step 1: Install NGINX and Certbot

First, install NGINX and Certbot (for Let’s Encrypt certificates):

sudo apt install nginx certbot python3-certbot-nginx

Step 2: Configure NGINX as a Reverse Proxy

Create a reverse proxy for OwnTone and Icecast. This first version listens on port 80 only; Certbot adds the HTTPS configuration in Step 4.

Edit the NGINX configuration:

sudo nano /etc/nginx/sites-available/vinyl_stream.conf

Paste the following configuration:

server {
    listen 80;
    server_name yourdomain.com;

    location /owntone/ {
        proxy_pass http://localhost:3689/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }

    location /stream/ {
        proxy_pass http://localhost:8000/;
    }
}

Replace yourdomain.com with your actual domain name.

Enable this configuration:

sudo ln -s /etc/nginx/sites-available/vinyl_stream.conf /etc/nginx/sites-enabled/

Step 3: Configure Basic Authentication

Secure the OwnTone web interface with HTTP Basic Authentication.

Install the Apache tools (for the htpasswd utility):

sudo apt install apache2-utils

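Create a user (you will be prompted for a password; the -c flag creates the file, so omit it when adding further users later, or the existing entries will be overwritten):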

sudo htpasswd -c /etc/nginx/.htpasswd yourusername

Test the configuration, then reload NGINX:

sudo nginx -t
sudo systemctl reload nginx

Step 4: Obtain SSL Certificate with Let’s Encrypt

Use Certbot to install SSL certificates automatically:

sudo certbot --nginx -d yourdomain.com

Certbot will:

  • Obtain certificates.
  • Automatically update NGINX configuration.
  • Schedule automatic renewals.

Step 5: Verify Secure HTTPS Access

Now, verify HTTPS access by navigating to:

https://yourdomain.com/owntone/
https://yourdomain.com/stream/vinyl.mp3

Ensure both pages load securely, displaying a padlock icon in the browser.
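
A scripted version of this check, added here as an example and not part of the original guide: it confirms that plain HTTP only redirects to HTTPS, so the Basic Authentication password from Step 3 never crosses the network unencrypted, and that /owntone/ refuses requests without credentials. It assumes Certbot installed its port-80 redirect; the function names and script name are illustrative.

```sh
#!/bin/sh
# Added example: post-setup checks for the /owntone/ proxy from this guide.
# Assumption: Certbot installed its port-80 -> HTTPS redirect.

# Print "<http status> <redirect target>" for a URL (target empty if none).
probe() {
    curl -s -o /dev/null --max-time 10 -w '%{http_code} %{redirect_url}' "$1"
}

# Plain HTTP must only redirect to HTTPS. A 401 or 200 on port 80 means the
# Basic Auth prompt is served unencrypted and the password is exposed in transit.
check_http_redirect() {
    read -r status target <<EOF
$(probe "http://$1/owntone/")
EOF
    case "$status" in
        301|302|303|307|308)
            case "$target" in
                https://*) echo "OK: HTTP redirects to $target"; return 0 ;;
            esac
            echo "FAIL: redirect target is not HTTPS: ${target:-none}"; return 1 ;;
    esac
    echo "FAIL: plain HTTP answered '${status}' instead of redirecting"
    return 1
}

# Over HTTPS, a request without credentials must be refused with 401.
check_auth_required() {
    read -r status target <<EOF
$(probe "https://$1/owntone/")
EOF
    if [ "$status" = "401" ]; then
        echo "OK: /owntone/ requires credentials"; return 0
    fi
    echo "FAIL: /owntone/ answered '${status}' without credentials"
    return 1
}

# Usage: sh check_proxy.sh yourdomain.com
if [ -n "${1:-}" ]; then
    rc=0
    check_http_redirect "$1" || rc=1
    check_auth_required "$1" || rc=1
    exit "$rc"
fi
```

A status of 000 means curl could not connect at all, which points to the firewall or DNS rather than the NGINX configuration.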

Step 6: Automating Certificate Renewal

Certificates expire after 90 days, but Certbot handles renewals automatically. Verify automated renewal is working:

sudo certbot renew --dry-run

Troubleshooting HTTPS Issues

  • Confirm that the firewall (UFW) allows HTTPS (443) and HTTP (80) traffic.
  • Check the NGINX and Certbot logs for errors.
  • Ensure your domain's DNS records point to your Raspberry Pi's IP address.

Your Setup is Now Complete!

Congratulations! Your vinyl streaming setup is now secure, encrypted, and fully accessible remotely. You’ve successfully combined the analog magic of vinyl with modern streaming technology.

Next Steps: Expanding Your Setup

Stay tuned for our final wrap-up post where we’ll discuss additional customizations and enhancements for your streaming setup.

Next post: May 9, 2024, Exploring Additional Customizations & Features.
