Since there’s been some recent weirdness with the native Spotify integration, I went looking for alternatives and first tried Mopidy (didn’t work) and then came across this excellent post about using Logitech Media Server with Spotify, and I now have this up and running in an iFrame card, which is outstanding. But… I can’t seem to secure it. My use case is:
- HA core runs on a Mac Mini which also hosts nginx, AdGuard and LMS
- certbot and nginx handle certificates and a `proxy_pass` to http: for HA - an iFrame for LMS has to run as https since that’s how HA is accessed, but LMS runs without SSL, so that custom port also has an nginx `proxy_pass` as below
LMS is accessible in an iFrame only as long as I open the custom port on the router. Which makes this publicly accessible: `https://sitename.duckdns.org:{custom_port}`
LMS has basic password authentication in the settings, but I turned it on and it does nothing. I tried a bunch of different combinations of server names and nothing would display LMS without the external port open (except a browser on the mini itself).
Frankly this all makes sense now that I think about how nginx is supposed to work, but I’m left wondering how to secure LMS. If everything is running on the same machine on the same LAN, is there a way to tell nginx to proxy internally so only the iFrame has access to the LMS server and not the entire internet?
Relevant server block from nginx.conf at the moment:
```nginx
server {
    server_name sitename.duckdns.org;
    # custom port for the LMS iFrame; TLS is terminated here by nginx
    listen [::]:xxxxx ssl default_server ipv6only=off;
    root /Users/username/.homeassistant/www;
    ssl_certificate /etc/letsencrypt/live/sitename.duckdns.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sitename.duckdns.org/privkey.pem;
    ssl_dhparam /usr/local/etc/ssl/certs/ssl_dhparams.pem;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    location / {
        # LMS listens on plain HTTP on loopback port 9000
        proxy_pass http://127.0.0.1:9000;
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # websocket upgrade headers; $connection_upgrade is assumed to be
        # defined by a "map $http_upgrade $connection_upgrade { ... }"
        # in the http {} block of nginx.conf
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 300s;
        proxy_connect_timeout 75s;
    }
}
```
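As an added example that is not part of the original post: the iFrame is fetched by whatever browser is viewing HA, so nginx cannot tell "the iFrame" apart from any other client, only the source address or credentials. One way to stop the LMS port being wide open once it is forwarded on the router is to let LAN addresses through untouched and require HTTP basic auth from everyone else (`satisfy any`), which also covers the LMS setting that does nothing behind the proxy. The LAN range 192.168.1.0/24 and the htpasswd path are assumptions.

```nginx
# Added example, not the original poster's config: restrict the LMS proxy
# by source address, and fall back to HTTP basic auth for non-LAN clients.
# Assumptions: home LAN is 192.168.1.0/24; the password file is created with
#   htpasswd -c /usr/local/etc/nginx/lms.htpasswd <username>
server {
    server_name sitename.duckdns.org;
    listen [::]:xxxxx ssl default_server ipv6only=off;
    root /Users/username/.homeassistant/www;
    ssl_certificate /etc/letsencrypt/live/sitename.duckdns.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sitename.duckdns.org/privkey.pem;
    ssl_dhparam /usr/local/etc/ssl/certs/ssl_dhparams.pem;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    location / {
        # "satisfy any": the request is allowed if EITHER the allow/deny
        # check OR the basic-auth check passes. LAN clients never see a
        # prompt; anything arriving via the router's port forward must log in.
        satisfy any;
        allow 127.0.0.1;
        allow ::1;
        allow 192.168.1.0/24;   # assumption: the home LAN
        deny  all;
        auth_basic           "Logitech Media Server";
        auth_basic_user_file /usr/local/etc/nginx/lms.htpasswd;   # assumption

        proxy_pass http://127.0.0.1:9000;
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # requires "map $http_upgrade $connection_upgrade { ... }" in http {}
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 300s;
        proxy_connect_timeout 75s;
    }
}
```

If HA is only ever used from the LAN, drop `satisfy any` and the two `auth_basic` lines so the allow/deny list alone applies, and the router port forward can stay closed altogether. Check with `nginx -t` before reloading, and confirm from a phone on mobile data that the port now asks for a password.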