Reverse Proxy my music


Here I document how I used a reverse proxy to share my personal music streaming service under a friendly URL.

The following commands were used:

# test nginx config file
sudo nginx -t

# reload nginx (start/stop work the same way)
sudo systemctl reload nginx

# create symbolic link to enable the site
sudo ln -s /etc/nginx/sites-available/myhome /etc/nginx/sites-enabled

After following the instructions to install navidrome with docker, I created a forward rule on my router for port 4533, pointing to the internal computer that runs the navidrome docker container.

Even though this works well, the access address has the port in it, which is difficult to remember, especially when you start to have more containers being accessed this way. The address is something like this:

myhome.ddns.net:4533

A better approach is to use a name instead of a port, something like this:

myhome.ddns.net/navidrome

This can be accomplished using a reverse proxy. I installed the nginx server on the same computer that runs the docker containers with my service, and changed the forward rule on my router to forward port 80 instead.

We also need to configure the navidrome base URL so that it works behind a proxy. In navidrome this is done through the ND_BASEURL environment variable; here is the docker compose example:

services:
  navidrome:
    image: deluan/navidrome:latest
    user: 1000:1000 # should be owner of volumes
    ports:
      - "4533:4533"
    restart: unless-stopped
    environment:
      # Optional: put your config options customization here. Examples:
      ND_BASEURL: /navidrome
      ND_SCANSCHEDULE: 1h
      ND_LOGLEVEL: info
      ND_SESSIONTIMEOUT: 24h
    volumes:
      - "/home/memyself/docker-apps/navidrome/data:/data"
      - "/home/memyself/docker-apps/navidrome/music:/music:ro"

Instead of port 80 we can use port 443 for HTTPS, with a TLS certificate from Let's Encrypt.

First we need to install the certbot client to fetch a certificate from Let's Encrypt.

sudo apt-get install certbot python3-certbot-nginx

To use this tool, nginx needs to be temporarily stopped; then you can run certbot in standalone mode to get the certificate.

sudo certbot certonly --standalone -d myhome.ddns.net

Check the certificate validity dates:

openssl x509 -in /etc/letsencrypt/live/myhome.ddns.net/fullchain.pem -noout -dates

Renew the certificate when it is close to expiry:

sudo certbot renew
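
The validity check and the renewal above combined into one script, as an added example that is not part of the original post. The 30-day threshold, the `--run` argument and the function names `cert_state` and `renew_if_needed` are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Run as root.
DOMAIN="myhome.ddns.net"
CERT="${CERT:-/etc/letsencrypt/live/$DOMAIN/fullchain.pem}"
DAYS="${DAYS:-30}"   # assumed threshold: act when fewer than 30 days remain

# cert_state FILE DAYS -> prints one of: ok | renew | invalid | missing
cert_state() {
    [ -r "$1" ] || { echo missing; return 0; }
    # A file that does not parse as a certificate must not be reported as "renew".
    openssl x509 -in "$1" -noout 2>/dev/null || { echo invalid; return 0; }
    # -checkend N exits 0 only if the certificate is still valid N seconds from now.
    if openssl x509 -in "$1" -noout -checkend "$(($2 * 86400))" >/dev/null 2>&1; then
        echo ok
    else
        echo renew
    fi
}

# Renew when due, then re-check so that a failed renewal ends with a non-zero
# exit status that cron or a monitoring job can alert on.
renew_if_needed() {
    state="$(cert_state "$CERT" "$DAYS")"
    case "$state" in
        ok) return 0 ;;
        renew)
            # Standalone mode needs nginx stopped, so stop it only around the renewal.
            certbot renew --cert-name "$DOMAIN" \
                --pre-hook "systemctl stop nginx" \
                --post-hook "systemctl start nginx"
            [ "$(cert_state "$CERT" "$DAYS")" = ok ] ;;
        *) echo "certificate $CERT is $state" >&2; return 1 ;;
    esac
}

# Only act when called with --run, e.g. from a daily cron job.
if [ "${1:-}" = "--run" ]; then
    renew_if_needed
fi
```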

Finally, the nginx config file:

server {

        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        server_name myhome.ddns.net;

        # the rest of your TLS configuration goes here
        ssl_certificate /etc/letsencrypt/live/myhome.ddns.net/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/myhome.ddns.net/privkey.pem;

        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;

        location ^~ /navidrome {

                proxy_pass http://192.168.1.3:4533/navidrome;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-Protocol $scheme;
                proxy_set_header X-Forwarded-Host $http_host;
                proxy_buffering off;
                #rewrite ^/navidrome(/.*)$ $1 break;
        }
}