ghenry22 / subsonic-synology

Subsonic setup to run on Synology NAS

how to use and force ssl (https) #10

Closed greee-fr closed 6 years ago

greee-fr commented 7 years ago

The title says it all :-)

ghenry22 commented 7 years ago

I haven't tried using SSL with it for a few reasons as listed below.

The best way to implement SSL would be for subsonic (or another provider) to provide a forwarding service which uses a valid certificate.

For example https://myserver.subsonic.org might just proxy requests to your own server and the subsonic server itself could have a mechanism to update that service with your current IP address. Subsonic does already provide this forwarding for HTTP and if they added a wildcard SSL certificate it would cover all user domains with a valid certificate. I believe that this is also how Plex implemented SSL for their plex pass users.

The only problem with this is that it builds a dependency on a 3rd party service being available in order to access your music.

I have seen a guide somewhere for modifying the config for SSL, if I find it again I will link it here for reference but it would be an unsupported solution for now.

  1. SSL has more CPU overhead than regular HTTP, not a big difference usually but it does matter on lower powered NAS devices.
  2. Most people will not have a valid domain and valid SSL certificate. So while you would get encryption you would have to use an invalid certificate which breaks a lot of subsonic clients and makes browsers unhappy (i.e. certificate warnings).
  3. It makes setup more complex with many more manual steps.
  4. It's a music streaming server, it really doesn't need SSL. The odds of someone investing the time to snoop on the traffic from your personal music server are incredibly small as there is really nothing to be gained.

helmut72 commented 6 years ago

> It's a music streaming server, it really doesn't need SSL.

Wrong.

  1. Username/Password will be transferred in plain text.
  2. Around mid 2018, newer Browsers will show a message if traffic is unencrypted.
  3. There isn't much "3rd party service" needed. Apache or Nginx as a Reverse Proxy on the same Synology is enough.
  4. Synology NAS can handle SSL quite well.
  5. Synology supports Let's Encrypt certificates. There isn't much excuse not to use SSL.

ghenry22 commented 6 years ago

@helmut72 - we’re all entitled to an opinion of course but if you think someone is that interested in snagging your subsonic password then you’re obviously a far more interesting person than I am.

Why not write a guide on how to set up a simple reverse proxy for ssl? Or maybe approach the subsonic developer to look at building in some support for let’s encrypt? I just make the Synology package.

As subsonic can be run on anyone’s hardware by either IP or domain it’s not possible to just bundle a valid certificate, it would need a mechanism to issue the right certificate for the user, plus the user would have to have a domain name, understand how to use DNS etc which adds a lot of complexity to what is otherwise a simple installer.

But if it’s important to you, definitely come up with a solution and work with people to implement it :)

helmut72 commented 6 years ago

@ghenry22 - sending a password in plain text over the Internet has been a no-go for 20 years. No excuse, no matter how (non-)important anyone is. How do you connect to your server, with SSH or with very aged plain text Telnet?

Yes, of course, Subsonic can run on anyone's other hardware, but this package is related to Synology.

Why should anyone write a guide if Reverse Proxy and Let's Encrypt are built into the GUI of a Synology? Synology provides great help. Any howto would be copy/paste from the Synology manual.

I just wonder why anyone recommends sending passwords in plain text in 2018. This isn't 1998.
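
Added example, not part of the thread and not from the package author: a sketch of the Nginx reverse proxy mentioned above, terminating TLS in front of Subsonic and redirecting plain HTTP so that HTTPS is forced. The hostname `music.example.com`, the certificate paths and the backend address `127.0.0.1:4040` are assumptions to adapt to your own setup.

```nginx
# Illustrative configuration; hostname, certificate paths and backend port
# are placeholders/assumptions, not values taken from this package.

# Plain HTTP: never proxy to Subsonic here, only redirect, so the login
# is not served over an unencrypted connection.
server {
    listen 80;
    server_name music.example.com;              # placeholder hostname
    return 301 https://$server_name$request_uri;
}

# HTTPS: terminate TLS here and pass requests to Subsonic over loopback.
server {
    listen 443 ssl;
    server_name music.example.com;              # placeholder hostname

    # Placeholder paths for the Let's Encrypt certificate chain and key.
    ssl_certificate     /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Ask browsers to use HTTPS only for this host for the next year.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        # Assumes Subsonic serves plain HTTP on port 4040 on the same NAS.
        proxy_pass http://127.0.0.1:4040;

        # Tell the backend which host, client and scheme were really used.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Rewrite http:// redirects issued by the backend to https://.
        proxy_redirect http:// https://;

        # Pass audio through to the client as it arrives.
        proxy_buffering off;
    }
}
```

The redirect only helps clients that start on port 80; Subsonic apps should be configured with the `https://` URL directly, and the Subsonic port itself should not be reachable from outside the NAS, otherwise the proxy can simply be bypassed.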