In this guide, I'll explain how to create a reverse proxy using NGINX in order to secure the Owntone WebGUI through HTTPS. Please note that NGINX is the only web server I was able to make this work with. Apache2 and OpenLiteSpeed were a nightmare, but if any of you guys and gals figure it out, don't hesitate to create the proper wiki page or edit this one to include the other methods.
Configuration
Depending on which network mode you run the docker container in, you might need to replace the IP address 127.0.0.1 with your docker container's IP instead. On my end, I am running Owntone with network_mode set to host instead of using the ports section in my docker-compose.yml file.
Binding the websocket
The first thing we need to do is to uncomment the lines websocket_port and websocket_interface in the owntone.conf file. Then set the value of websocket_interface to "127.0.0.1". You can keep the websocket's default port of 3688 unless you need to change it.
This tells Owntone to accept incoming websocket connections only on the localhost interface, on port 3688. Restart the docker container for the settings to take effect.
Creating the proxy in NGINX
We now need to configure new virtual hosts in NGINX for the proxy: one server block for the web interface on port 443 and one for the websocket on port 3688. Use the following configuration to create them. Of course, adapt it with your domain name, certificate paths and IP addresses.
server {
    listen 443 ssl;
    server_name owntone.redacted.biz;
    ssl_certificate /config/keys/fullchain.pem;
    ssl_certificate_key /config/keys/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    location / {
        proxy_pass http://127.0.0.1:3689/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
server {
    listen 192.168.0.55:3688 ssl;
    server_name owntone.redacted.biz;
    ssl_certificate /config/keys/fullchain.pem;
    ssl_certificate_key /config/keys/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    location / {
        proxy_pass http://127.0.0.1:3688/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
Restart NGINX for the settings to take effect.
Troubleshooting
Check listening addresses
You can check whether NGINX and Owntone are listening on the proper interfaces by running the command netstat -ltnup | grep 3688 from the terminal. It should return something like this if everything is configured properly.
    tcp 0 0 192.168.0.55:3688 0.0.0.0:* LISTEN 2915882/nginx: mast
    tcp 0 0 127.0.0.1:3688 0.0.0.0:* LISTEN 2889365/owntone
We can see above that Owntone listens on 127.0.0.1 only and that NGINX listens on 192.168.0.55 only.
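Added example, not part of this guide or of the Owntone or NGINX projects: a small Python script that parses the netstat -ltnup listing above and flags the two bindings that would defeat this setup, the Owntone websocket reachable on a non-loopback address (bypassing the TLS proxy) or NGINX bound only to loopback (unreachable for clients). The sample listing is constructed to mirror the output shown above.

```python
"""Check Owntone/NGINX socket bindings from `netstat -ltnup` output.

Added example for this guide (not Owntone's or NGINX's own code). It reads
the LISTEN lines netstat prints and checks the layout the guide expects:
only the proxy (nginx) bound to a reachable address on the websocket port,
and the backend (owntone) bound to 127.0.0.1 only. Port 3689 is left out of
the default check because the guide opens it for DAAP clients directly.
"""
from dataclasses import dataclass

# Constructed sample, shaped like the listing in the guide.
SAMPLE_NETSTAT = """\
tcp        0      0 192.168.0.55:3688       0.0.0.0:*               LISTEN      2915882/nginx: mast
tcp        0      0 127.0.0.1:3688          0.0.0.0:*               LISTEN      2889365/owntone
tcp        0      0 0.0.0.0:3689            0.0.0.0:*               LISTEN      2889365/owntone
"""

LOOPBACK = ("127.0.0.1", "::1")


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str  # program name without PID, e.g. "nginx" or "owntone"


def parse_netstat(output: str) -> list[Listener]:
    """Extract (address, port, program) from LISTEN lines of `netstat -ltnup`."""
    listeners = []
    for line in output.splitlines():
        f = line.split()
        if len(f) < 7 or f[0] not in ("tcp", "tcp6") or f[5] != "LISTEN":
            continue
        addr, _, port = f[3].rpartition(":")  # rpartition also handles ":::3688"
        prog = f[6].partition("/")[2].split(":")[0]  # "2915882/nginx:" -> "nginx"
        listeners.append(Listener(addr, int(port), prog))
    return listeners


def check_bindings(listeners, backend="owntone", proxy="nginx", ports=(3688,)):
    """Return findings as strings; an empty list means the layout matches the guide."""
    findings = []
    for l in listeners:
        if l.port not in ports:
            continue
        if l.process == backend and l.addr not in LOOPBACK:
            findings.append(f"{backend} listens on {l.addr}:{l.port}, bypassing the TLS proxy")
        if l.process == proxy and l.addr in LOOPBACK:
            findings.append(f"{proxy} on {l.addr}:{l.port} is loopback-only; clients cannot reach it")
    if not any(l.process == proxy and l.port in ports for l in listeners):
        findings.append(f"{proxy} is not listening on any of {ports}")
    return findings
```

Pipe the real output in with `netstat -ltnup | python3 check_bindings.py` after adding a `sys.stdin.read()` call, or paste it into SAMPLE_NETSTAT.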
Check firewall rules
If you're using UFW as your firewall, make sure ports 3689 and 3688 are open. The following commands will open the ports on every interface.
sudo ufw allow 3689/tcp comment "Owntone DAAP"
sudo ufw allow 3688/tcp comment "Owntone HTTPS websocket"