How to enable SSL? #65

Open
MuadDibIII opened this issue Jul 2, 2021 · 8 comments

@MuadDibIII

Hello,

I just installed Ampache on my Synology NAS (with Docker), and I can't see a way to enable SSL.
I have my own domain and a Let's Encrypt certificate, but I can't see the option to set the SSL port anywhere on the settings page.

If it's not possible to do it on the web UI, is there any configuration file where I can make the change?

Thanks in advance for all your help,

Best regards,
Marc

@MuadDibIII
Author

Ok, I just found an option on the settings page (debug Ampache).
At the top of the page, there are 2 options: "Generate config file" and "Write config file".

On generate config file I download a file where I can change a reverse proxy setting (force_ssl = "true"), that I think is what I'm looking for. The problem is once I change this setting, I don't know how to upload my new generated file.

The 2nd link (write config file), just opens "Browse Ampache", with no option to actually upload a config file...

How can I change this setting to enable a reverse HTTPS proxy on my NAS?

Thanks again for the help,
Marc

@lachlan-00
Member

The image is built so you can proxy SSL through the server/firewall instead of holding the SSL config. If you want to do SSL on the container you can build it yourself pretty easily.

Edit the Apache site file and put the SSL/port into the config (Apache is only set for port 80 by default).

Then you have to copy the SSL cert to the image or create a volume that points to the cert and build the container.

It's not too hard, but it's easier to proxy the container through the webserver where the SSL is done on the host.

@kuzi-moto
Member

Hey @MuadDibIII, sounds like you're interested in using a reverse proxy. I highly recommend this route if you'd like to use SSL with Ampache. There is actually no other configuration that needs to be done with the Ampache config file. I would recommend just setting your reverse proxy to redirect http to https if it doesn't already.

If you would like some config examples I may be able to provide some.

@grf692

grf692 commented Nov 12, 2021

> Hey @MuadDibIII, sounds like you're interested in using a reverse proxy. I highly recommend this route if you'd like to use SSL with Ampache. There is actually no other configuration that needs to be done with the Ampache config file. I would recommend just setting your reverse proxy to redirect http to https if it doesn't already.
>
> If you would like some config examples I may be able to provide some.

Hi, I am actually trying to do that. I already have an apache2 server running for some other stuff (not in docker) but I am not sure how to configure and enable a reverse proxy (I spent quite some time trying). So some config examples might help me!

@lachlan-00
Member

lachlan-00 commented Nov 13, 2021

Do you have an SSL cert? This is my (sort of) template for the proxy (unironically called ssl-proxy-example.conf):

```apache
<IfModule mod_ssl.c>
    <VirtualHost *:443>
        # a2enconf http2 (needs an fpm module too like a2enconf php8.0-fpm)
        #Protocols h2 http/1.1
        # Placeholder address: the original was obfuscated on the page
        ServerAdmin webmaster@example.com
        ServerName music.com.au

        ErrorLog ${APACHE_LOG_DIR}/error-ssl-proxy-example.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLEngine On

        # a2enmod headers (15768000 seconds = 6 months)
        #Header always set Strict-Transport-Security "max-age=15768000"

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
        <IfModule mod_proxy.c>
            # Encoded slashes need to be allowed
            AllowEncodedSlashes NoDecode

            # Make sure to keep the host
            ProxyPreserveHost On

            # Turning ProxyRequests on and allowing proxying from all may allow
            # spammers to use your proxy to send email.
            ProxyRequests Off
            <Proxy *>
                AddDefaultCharset off
                # Apache 2.4 syntax; replaces "Order Allow,Deny" / "Allow from all"
                Require all granted
            </Proxy>

            # Enable/disable the handling of HTTP/1.1 "Via:" headers.
            # ("Full" adds the server version; "Block" removes all outgoing Via: headers)
            # Set to one of: Off | On | Full | Block
            ProxyVia Full

            # Backend address of the Ampache container/host
            ProxyPass / http://192.168.1.1/
            ProxyPassReverse / http://192.168.1.1/
        </IfModule>

        SSLCertificateFile /etc/letsencrypt/live/ampache/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/ampache/privkey.pem
    </VirtualHost>
</IfModule>

SSLStaplingCache        shmcb:/var/run/ocsp(128000)
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
```

@lachlan-00
Member

This is sort of what gets generated by certbot when making SSL certs for Let's Encrypt. I've commented things out that might not be there for you, but if you can, paste it into the available sites:

```shell
nano /etc/apache2/sites-available/ssl-proxy-ampache.conf
```

Then enable the site:

```shell
a2ensite ssl-proxy-ampache
```

And then reload:

```shell
systemctl reload apache2
```

@grf692

grf692 commented Nov 19, 2021

Thanks for the support, guys. After a couple of attempts, it was messing with other software/services I am hosting and serving with Apache2 on the same Pi. So I actually changed from ampache-docker to "just Ampache" (no docker) and now it runs as I wanted.

Sorry, my lack of skills/knowledge with Apache2 / Reverse Proxy / SSL is to blame! :)

@landure

landure commented May 31, 2022

For Docker, the easiest way to set up https is to use a reverse proxy / edge router like Traefik. I understand it can be a pain with a Raspberry Pi. Apache or Nginx installed locally can be used as an https reverse proxy for docker containers with something like acme.sh to generate SSL certificates, but it implies exposing the docker port on localhost only (opened only for 127.0.0.1).
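
The localhost-only point in the last comment can be checked from `docker ps` output: any port published on a non-loopback address lets clients reach the container over plain HTTP, bypassing the TLS proxy. This is an added example, not part of the thread or the Ampache project; the container names and sample output are constructed.

```shell
#!/bin/sh
# Flag container ports published on a non-loopback host address.
# Input: "name|ports" lines as printed by
#   docker ps --format '{{.Names}}|{{.Ports}}'
# A loopback-only publish looks like: docker run -p 127.0.0.1:8080:80 ...

flag_exposed_ports() {
    awk -F'|' '
    {
        # The Ports field is a comma-separated list of mappings.
        n = split($2, maps, /, */)
        for (i = 1; i <= n; i++) {
            m = maps[i]
            if (m !~ /->/) continue             # exposed in the image, not published
            if (m ~ /^127\.[0-9.]+:/) continue  # IPv4 loopback only
            if (m ~ /^\[::1\]:/) continue       # IPv6 loopback only
            print $1 ": " m                     # reachable from other hosts
        }
    }'
}

# Constructed sample of `docker ps` output (hypothetical container names).
sample_ps() {
    cat <<'EOF'
ampache|0.0.0.0:8080->80/tcp, [::]:8080->80/tcp
ampache-local|127.0.0.1:8081->80/tcp
db|3306/tcp
EOF
}

# "live" queries the local Docker daemon; otherwise the sample is checked.
if [ "${1:-}" = "live" ]; then
    docker ps --format '{{.Names}}|{{.Ports}}' | flag_exposed_ports
else
    sample_ps | flag_exposed_ports
fi
```

With a loopback-only publish, the proxy's `ProxyPass` target becomes `http://127.0.0.1:<published port>/` on the same host.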
