Subdomain mess-up with two local IPs

rg305 · March 20, 2020, 6:33pm

So it did require a2ensite.
I wonder why you didn’t try that sooner…

eivind · March 20, 2020, 7:16pm

@rg305 Because the original domain had worked until I messed with the subdomain on Box 2. I didn’t suspect that (re-)enabling it would be needed, but it was logical that the subdomain would have to be enabled. I found out when I mulled over the result from apache2ctl -S.

9peppe · March 20, 2020, 7:36pm

it’s because you had multiple virtualhosts on port 443 with different ssl activation statuses: SSLEngine on was missing in the one that prevailed.

rg305 · March 20, 2020, 7:45pm

So then… (file) “Order Matters”.
[I often tell my kids this - like: “Socks go in before shoes (not after)!”]

~~Or an even better takeaway: SSLEngine on should probably be initiated in the main config.~~

And, of course there is also, placing a file in the sites-available folder usually does nearly nothing - without also enabling it (via: a2ensite <site>)

9peppe · March 20, 2020, 7:48pm

No, because you don't want to break port 80.

I don't know how apache solves this kind of conflicts -- is it the first? is there a default? -- but it's safe to say that it should be in every port 443 vhost (or in none, but that doesn't make sense)

rg305 · March 20, 2020, 7:53pm

OK so then:
Apply SSLEngine on within ALL TLS sections.
[that seems to work in my test Apache system]

9peppe · March 20, 2020, 7:58pm

yes, and that’s not a problem if you use certbot.

because you can create a section on port 80 only, with no SSLEngine directive and so, and certbot will create a new TLS section with the right configs.

eivind · March 21, 2020, 7:48pm

Well, we are beyond the SSL problems, and your help has solved the most serious problems, but I am not totally where I want to be. I cannot ask you to help me, as we are outside the scope of this forum. However, I would be grateful for any hints as to why my little internet radio doesn’t work. Thank you.

9peppe · March 21, 2020, 8:04pm

because the url it’s configured to load is
http://192.168.88.44/radio/8000/radio.mp3?1584820922
instead of the proper public one.

There should be configuration options in your application.

rg305 · March 21, 2020, 9:41pm

To add some clarity to this…
The initial URL seems useable: https://hjarteleg.velko.men/public/radio
Where

Name:    velko.men
Address:  79.170.87.117
Aliases:  hjarteleg.velko.men

But the redirection to, or use of, an RFC 1918 IP address (192.168.88.44) makes it unreachable.

I do see that now the site is returning 503 Service Unavailable; perhaps that means you are making changes and hopefully making progress.

Best of luck

Edit: now I see this again: https://192.168.88.44/public/radio

curl -Iki https://hjarteleg.velko.men/public/radio
HTTP/2 307
date: Sat, 21 Mar 2020 21:57:52 GMT
server: nginx
strict-transport-security: max-age=15768000; includeSubDomains; preload
content-type: text/html; charset=UTF-8
location: https://192.168.88.44/public/radio
x-xss-protection: 1
x-content-type-options: nosniff
x-robots-tag: none
referrer-policy: no-referrer-when-downgrade

rg305 · March 21, 2020, 9:58pm

The problem is within the nginx configuration.

It seems to be redirecting (307 temporary) instead of proxying.

9peppe · March 21, 2020, 10:43pm

I assume the 307 is returned by the app, not by nginx.

eivind · March 22, 2020, 9:44am

This was indeed an issue with the app. It has a “prefer browser URL” checkbox that has to be disabled. The radio station should now basically work. The intent is to broadcast my own concerts and readings for people who are house-bound and quarantined.

9peppe · March 22, 2020, 9:47am

I can hear it fine. It works.

There's a little problem, the actual mp3 file is served over unencrypted http, you get a mixed content warning. You should tell the app to use browser protocol/schema too (or to use relative urls)

eivind · March 22, 2020, 12:00pm

Thanks The mixed content warning is not unusual with Icecast streams, because it doesn’t have support for SSL due to licensing issues (sic) unless you build it from source yourself. That’s why, I am told. This is not ideal for modern browsers, AFAIK Chrome doesn’t allow it at all.

9peppe · March 22, 2020, 12:06pm

This is why you should get apache on box1 to handle this.

what’s its virtualhost config for the webradio right now? (it’s redirecting, that’s good)

JuergenAuer · March 22, 2020, 12:07pm

Hi @eivind

these

http://hjarteleg.velko.men/static/img/generic_song.jpg
http://hjarteleg.velko.men/radio/8000/radio.mp3?1584878447

are your addresses, that's your mixed content.

9peppe · March 22, 2020, 12:13pm

I looked around, the setting you should be looking for is “use web proxy” or something like that: https://www.azuracast.com/extending/cloudflare.html#enabling-cloudflare-with-azuracast

(and check the mount point url)

eivind · March 22, 2020, 12:47pm

There is a web proxy setting, and it is already switched on. The documentation says that this routes all radio through ports 80 and 443 instead of the standard Icecast port 8000.

9peppe · March 22, 2020, 1:12pm

we need to make azuracast believe it’s https even if it’s serving unencrypted http.

you can try adding to the apache proxy config something like:

RequestHeader set X-Forwarded-Proto %{REQUEST_SCHEME}

and hope it works.