Auto-generate a self-signed SSL cert, configure nginx to serve via SSL by default and make the use of the :80/:443 web proxy a configurable system-wide setting. Together, these changes enable full support for CloudFlare Full SSL on any AzuraCast instance.

2016-12-25 12:07:25 -06:00 · 2016-12-25 12:07:25 -06:00 · fab92c7a96
parent efc5ce7e13
commit fab92c7a96
5 changed files with 27 additions and 5 deletions
--- a/app/library/AzuraCast/Radio/Frontend/IceCast.php
+++ b/app/library/AzuraCast/Radio/Frontend/IceCast.php
@ -187,11 +187,14 @@ class IceCast extends FrontendAbstract
        $fe_config = (array)$this->station->frontend_config;
        $radio_port = $fe_config['port'];

-        $base_url = $this->di['em']->getRepository('Entity\Settings')->getSetting('base_url', 'localhost');
+        $settings_rep   o = $this->di['em']->getRepository('Entity\Settings');

-        // Vagrant port-forwarding mode.
-        if (APP_APPLICATION_ENV == 'development')
-            return 'http://'.$base_url.':8080/radio/'.$radio_port;
+        $base_url = $settings_repo->getSetting('base_url', 'localhost');
+        $use_radio_proxy = $settings_repo->getSetting('use_radio_proxy', 0);
+
+        // Web proxy support.
+        if (APP_APPLICATION_ENV == 'development' || $use_radio_proxy)
+            return '/radio/'.$radio_port;
        else
            return 'http://'.$base_url.':'.$radio_port;
    }
--- a/app/modules/admin/config/forms/settings.conf.php
+++ b/app/modules/admin/config/forms/settings.conf.php
@ -25,6 +25,16 @@ return [
                        'default' => $base_url_default,
                    ]],

+                    'use_radio_proxy' => ['radio', [
+                        'label' => _('Use Web Proxy for Radio'),
+                        'description' => _('By default, radio stations broadcast on their own ports (i.e. 8000). If you\'re using a service like CloudFlare or accessing your radio station by SSL, you should enable this feature, which routes all radio through the web ports (80 and 443).'),
+                        'options' => [
+                            0 => 'No',
+                            1 => 'Yes',
+                        ],
+                        'default' => 0,
+                    ]],
+
                ],
            ],

--- a/util/ansible/roles/nginx/tasks/main.yml
+++ b/util/ansible/roles/nginx/tasks/main.yml
@ -3,6 +3,10 @@
    become: true
    apt:  pkg=nginx state=latest

+  - name: create self-signed SSL cert
+    command: openssl req -new -nodes -x509 -subj "/C=US/ST=Texas/L=Austin/O=IT/CN=${ansible_fqdn}" -days 3650 -keyout /etc/nginx/ssl/server.key -out /etc/nginx/ssl/server.crt -extensions v3_ca creates=/etc/nginx/ssl/server.crt
+    notify: reload nginx
+
  - name: Change default nginx site
    become: true
    template: src=default.j2 dest=/etc/nginx/sites-available/default
--- a/util/ansible/roles/nginx/templates/default.j2
+++ b/util/ansible/roles/nginx/templates/default.j2
@ -1,7 +1,11 @@
 client_max_body_size 50M;

 server {
-    listen 80 default_server;
+    listen 80;
+    listen 443 default_server ssl;
+
+    ssl_certificate    /etc/nginx/ssl/server.crt;
+    ssl_certificate_key    /etc/nginx/ssl/server.key;

    root {{ app_base }}/www/web;
    index index.php;
--- a/util/ansible/update.yml
+++ b/util/ansible/update.yml
@ -13,6 +13,7 @@
    - init
    - azuracast-config
    - azuracast-radio
+    - nginx
    - php
    - influxdb
    - supervisord