Protecting Airtime web admin with SSL



Airtime is a wonderful open source tool by Sourcefabric that allows you to create and run both streaming and FM radios, letting you program, automate, record and stream your content very flexibly, all via the web. It's really a must for every community or free radio. They even offer a hosted service called Airtime Pro.

But some of us miss a feature that, because of some technical issues, isn't available yet: SSL access to its web admin. Some internal config related to RabbitMQ and other things apparently prevents Airtime from working properly if we just change the Apache config to serve https on port 443, as we would with any normal web server.

Edit: It seems that's not true for recent versions; it should work if you add an SSL vhost to Apache without removing the regular port 80 one, so as not to break RabbitMQ communication. Anyway, this is still a nice and fast way of doing it without ever modifying the default Airtime config, which is a plus. :D And for me it's even faster than doing it with Apache, both in how long it takes to configure and in performance.

To get around this we'll use pound. pound is a load balancer and HTTPS frontend: it sits in front, receives the SSL requests, and forwards them locally to our web server over plain HTTP.

So, for this, I’ll assume:

  • You have Debian or Ubuntu (although, if you know some Linux, you can probably adapt this to your distro).
  • You have admin rights on your server, so you can install packages and edit config files.
  • Everything is on its default settings.
  • Also, we'll use a self-signed cert, not a commercial one. A self-signed cert can be as safe as a commercial one, but browsers show warning messages if they don't know the entity that signed it.

So we need pound and openssl (needed for generating the cert) installed on your system. You'll probably already have openssl, but let's make sure:

sudo apt-get install pound openssl

pound will warn you that it won't start until you configure it; we'll get to that later. Now we need to generate an SSL certificate for pound to work, so we go to its config directory and run openssl:

cd /etc/pound
# private key and certificate both go into server.pem, the single file pound's Cert directive expects
sudo openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -nodes

Now it'll ask some basic questions to identify your certificate, such as your country code and a contact email. Once the cert is generated, we should change its owner and protect it from prying eyes (remember the file also holds the private key):

sudo chown www-data:www-data /etc/pound/server.pem
sudo chmod 0600 /etc/pound/server.pem

Now let's edit the pound config file:

sudo vi /etc/pound/pound.cfg

If you're intimidated by or unfamiliar with vi, you can use nano:

sudo nano /etc/pound/pound.cfg

At the end of the config file you'll find a block like this:

ListenHTTP
        Address 127.0.0.1
        Port    8080

        ## allow PUT and DELETE also (by default only GET, POST and HEAD)?:
        xHTTP           0

        Service
                BackEnd
                        Address 127.0.0.1
                        Port    80
                End
        End
End

This defines where pound should listen and where to get its content from. We have to replace it with our config. Given that I run my server on the IP address 192.168.15.5 (substitute yours), it'll change to:

ListenHTTPS
        Address 192.168.15.5
        Port    443
        ## key and certificate, both in the PEM file we generated above
        Cert "/etc/pound/server.pem"
        xHTTP           0
        ## tell Airtime it is being served over https, and drop any
        ## X-Forwarded-Proto a client may have sent so it cannot be spoofed
        AddHeader "X-Forwarded-Proto: https"
        HeadRemove "X-Forwarded-Proto"
        Service
                BackEnd
                        ## plain http, to the local Apache only
                        Address 127.0.0.1
                        Port    80
                End
        End
End

Then edit the defaults file for pound:

sudo vi /etc/default/pound

and set:

startup=1

Let's start pound and see!

sudo service pound start

Now try to connect to your Airtime with https in front of the address!

If you get an "unknown directive" error when starting pound, make sure the lines you copy-pasted are indented with tabs rather than spaces.

Now that your Airtime is up and running over https, you may configure Apache or your firewall to answer port 80 requests only from localhost, or, if you're behind NAT, remove your port 80 forwarding and forward only port 443.

The next step might be getting a "known" SSL certificate instead of a self-signed one, but that's another story, not for today.

I've done this with the help of two links: