5/10/2021 - I wrote this guide after finally figuring out how to secure Subsonic using Let's Encrypt. I had found many recipes for securing Subsonic and none of them were working for me. Most of them had recipes for generating Let's Encrypt certificates and then combining these certificates and placing them in Subsonic to replace its self-signed certificate. I couldn't actually get any of these recipes to work on my Mac Mini running High Sierra. What I discovered is that it's much easier to use Apache's reverse proxy feature to secure Subsonic with Let's Encrypt than it is to combine certs and install them into Subsonic. Also, this has an added side benefit of the URL now remaining my dynamic DNS URL rather than becoming my public IP address (like it did when I was using the server_name.subsonic.org feature of Subsonic).
Even though I wrote this guide based on my experiences of securing Subsonic with Let's Encrypt certificates on my venerable Mac Mini running High Sierra (macOS 10.13), this recipe should work for any Unix/Linux based OS.
Things you should already have:
- A machine running a *nix-based OS
- Subsonic installed
- A dynamic DNS service to obtain a URL and keep it tied to your public IP address
- Ability to configure port forwarding on your router
- Access to your Subsonic computer whether directly or by SSH or remote control
Note: This guide does not explain how to do any of these items. It is assumed that you have already figured out and taken care of these items and just want to secure your Subsonic using Let's Encrypt's free certificates.
The basic gist of what you'll be doing goes like this:
- Configure your forwarded ports on your router
- Enable & configure Apache
- Install & run Certbot
The only ports you need to forward for this setup to work are 80 & 443.
If you've been running Subsonic unencrypted, you're most likely forwarding port 4040 to your Subsonic machine. You won't be doing this any more. If you've been running Subsonic with a self-signed cert, you'll actually want to turn off Subsonic's https configuration and also stop forwarding whichever port you were using for this (default is 4443, I think).
Subsonic is going to run in insecure mode on port 4040, but it won't be accessible from the outside world once you stop forwarding port 4040. Instead, you'll be relying on Apache's reverse proxy feature to handle the encryption on the front end from your server to browsers and mobile apps. Behind the scenes, Apache will be talking to your Subsonic unencrypted on port 4040.
Enabling (which depending on your operating system might also involve installing) Apache is going to differ from OS to OS.
I followed this guide for enabling Apache on High Sierra. However, I ended up undoing some of its settings. The reason is that Certbot (which is coming up in the next section) only knows how to automatically configure Let's Encrypt certificates for virtual hosts (vhosts).
Your goal in installing/enabling & configuring Apache should be to get it set up with only vhosts (assuming you want Certbot to be able to automatically get and configure Let's Encrypt certificates).
Side note: I'm certain that someone with more knowledge and experience than me will point out what I've done wrong or a better way to configure Apache. What's presented here is what I figured out from following other guides and posts and then using some trial and error to get things working how I wanted.
As an example, here are the steps that were necessary to do this on macOS High Sierra:
1. Edit /etc/apache2/httpd.conf (Hint: in Terminal: sudo nano /etc/apache2/httpd.conf)
2. Find and uncomment (by removing the #) the following lines:
    LoadModule proxy_module libexec/apache2/mod_proxy.so
    LoadModule proxy_http_module libexec/apache2/mod_proxy_http.so
    LoadModule proxy_balancer_module libexec/apache2/mod_proxy_balancer.so
    LoadModule ssl_module libexec/apache2/mod_ssl.so
    LoadModule lbmethod_byrequests_module libexec/apache2/mod_lbmethod_byrequests.so
    LoadModule rewrite_module libexec/apache2/mod_rewrite.so
    Include /private/etc/apache2/extra/httpd-vhosts.conf
3. Save changes to httpd.conf
4. Edit /etc/apache2/extra/httpd-vhosts.conf
5. Define your Subsonic vhost like this:
    <VirtualHost *:80>
        ServerName your_dynamic_dns_url
        ProxyPass / http://localhost:4040/
        ProxyPassReverse / http://localhost:4040/
        RewriteEngine on
        RewriteCond %{SERVER_NAME} =your_dynamic_dns_url
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
    </VirtualHost>
6. Save changes to httpd-vhosts.conf
7. Turn on Apache by running the following command in the Terminal:
    sudo launchctl load -w /System/Library/LaunchDaemons/org.apache.httpd.plist
This web page allows you to select Apache as your web server and then select your OS and gives you instructions for installing and running Certbot.
If Apache is installed, enabled, and configured with vhosts, then Certbot (using the "sudo certbot --apache" command) will secure your vhosts and you're almost done.
You should now be able to go to https://your_dynamic_dns_url and your Subsonic page should load and your browser should show the little padlock icon indicating a secure site (and you shouldn't get any pesky self-signed certificate or insecure website warnings).
You should also follow the instructions for adding Certbot to your crontab so that your Let's Encrypt certs will get automatically renewed.
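To confirm the finished setup behaves as described (port 80 redirects to HTTPS, the Let's Encrypt certificate is being served, and port 4040 is no longer exposed), here is a small check script. It is an added example, not part of the original guide; the SUBSONIC_HOST variable and the function names are made up for this example, and it assumes curl, openssl and nc are installed.

```shell
#!/bin/sh
# Added example, not from the original guide. Run it from OUTSIDE your LAN
# (for example a tethered laptop); results from inside the LAN do not show
# what the internet sees.

# Read HTTP response headers on stdin. Succeed only for a 301 whose Location
# is https://<host>/..., which is what the port-80 vhost's RewriteRule sends.
is_https_redirect() {
    awk -v host="$1" '
        { sub(/\r$/, "") }
        NR == 1 && $2 == "301" { code_ok = 1 }
        tolower($1) == "location:" && index($2, "https://" host "/") == 1 { loc_ok = 1 }
        END { exit !(code_ok && loc_ok) }'
}

# Succeed if the certificate served on 443 stays valid for 30 more days.
cert_valid_30_days() {
    echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null |
        openssl x509 -noout -checkend 2592000 >/dev/null 2>&1
}

# Succeed if TCP port $2 on host $1 accepts a connection within 5 seconds.
port_open() { nc -z -w 5 "$1" "$2" >/dev/null 2>&1; }

run_checks() {
    host=$1; fail=0
    if curl -sI --max-time 10 "http://$host/" | is_https_redirect "$host"; then
        echo "ok:   port 80 redirects to https://$host/"
    else
        echo "FAIL: port 80 does not redirect to HTTPS"; fail=1
    fi
    if cert_valid_30_days "$host"; then
        echo "ok:   certificate on 443 is valid for 30+ days"
    else
        echo "FAIL: certificate missing, untrusted chain, or expiring soon"; fail=1
    fi
    if port_open "$host" 4040; then
        echo "FAIL: port 4040 is reachable; remove that port forward"; fail=1
    else
        echo "ok:   port 4040 is not reachable from here"
    fi
    return "$fail"
}

# SUBSONIC_HOST is a name chosen for this example; set it to your dynamic DNS URL.
if [ -n "${SUBSONIC_HOST:-}" ]; then run_checks "$SUBSONIC_HOST"; fi
```

Run it as `SUBSONIC_HOST=your_dynamic_dns_url sh check.sh`; a non-zero exit status means at least one check failed.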