How do I use HTTPS (SSL) on the web server?

Hello there, I’m wondering how to use HTTPS on the web server. I would like some extra security on the web server and I think having SSL is a start.

Thanks for any help!

The built-in Kodi web server is only planned for use in the LAN, where encryption is not needed.
If you want to use it outside, I recommend you either use a full VPN (like OpenVPN) or install another web server that takes care of HTTPS and proxies it to the built-in one.

I have another pi, do you know how to use that as a proxy?

https://www.raspberrypi.org/forums/viewtopic.php?t=34291&p=291469

Thanks! :slight_smile:

You don’t need another pi, you can use nginx as a reverse SSL proxy on the same pi. For more details check out the last section of my Deluge tutorial where I set up nginx to secure the torrent website.

@yknivag I tried your config, edited it to fit mine and it still doesn’t seem to work.

##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean
# file but keep this around for reference. Or just disable in sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
#server {
#	listen 80 default_server;
#	listen [::]:80 default_server;
#
#	# SSL configuration
#	#
#	# listen 443 ssl default_server;
#	# listen [::]:443 ssl default_server;
#	#
#	# Self signed certs generated by the ssl-cert package
#	# Don't use them in a production server!
#	#
#	# include snippets/snakeoil.conf;
#
#	root /var/www/html;
#
#	# Add index.php to the list if you are using PHP
#	index index.html index.htm index.nginx-debian.html;
#
#	server_name _;
#
#	location / {
#		# First attempt to serve request as file, then
#		# as directory, then fall back to displaying a 404.
#		try_files $uri $uri/ =404;
#	}
#
#	# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#	#
#	#location ~ \.php$ {
#	#	include snippets/fastcgi-php.conf;
#	#
#	#	# With php5-cgi alone:
#	#	fastcgi_pass 127.0.0.1:9000;
#	#	# With php5-fpm:
#	#	fastcgi_pass unix:/var/run/php5-fpm.sock;
#	#}
#
#	# deny access to .htaccess files, if Apache's document root
#	# concurs with nginx's one
#	#
#	#location ~ /\.ht {
#	#	deny all;
#	#}
#}
#
#
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
#	listen 80;
#	listen [::]:80;
#
#	server_name example.com;
#
#	root /var/www/example.com;
#	index index.html;
#
#	location / {
#		try_files $uri $uri/ =404;
#	}
#}


server {
        listen 80 default_server;
        listen [::]:80 default_server;
        return 301 https://$host$request_uri;
}

server {
        listen 443;
        listen [::]:443;

        ### http://www.gnuterrypratchett.com/ ###
#        add_header X-Clacks-Overhead "GNU Terry Pratchett"; #<<<You can delete this line if you're not a Terry Pratchett fan>>>

        root /var/www/html;
        index index.php index.html index.htm index.nginx-debian.html;

        server_name 192.168.1.141:8008;

        ssl_certificate         /etc/nginx/cert.crt;
        ssl_certificate_key     /etc/nginx/certkey.key;

        ssl on;
        ssl_session_cache  builtin:1000  shared:SSL:10m;
        ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
        ssl_prefer_server_ciphers on;

        access_log /var/log/nginx/access.log;

        location / {
                proxy_set_header        X-Deluge-Base   "/torrent/";
                proxy_set_header        Host $host;
                proxy_set_header        X-Real-IP $remote_addr;
                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header        X-Forwarded-Proto $scheme;

                # Fix the “It appears that your reverse proxy set up is broken" error.
                proxy_pass          http://192.168.1.141:1337/;
                proxy_read_timeout  90;
                proxy_redirect          off;
                proxy_buffering         off;

        }

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        location ~ /\.ht {
                deny all;
        }
}

Nginx starts without errors but nothing is on port 8008.

What are you expecting to be on port 8008? You have set nginx to listen on port 443.

If you want to use 8008 then you need to change the two listen statements to 8008 and remove the :8008 from the server_name setting.

You should also remove this line: proxy_set_header X-Deluge-Base "/torrent/";
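
The changes described in the reply above, applied to the posted server blocks, as an added example that is not part of the original thread. The addresses, ports and certificate paths are the ones from the posted config; using `listen ... ssl` in place of `ssl on;`, dropping TLSv1/TLSv1.1 and naming port 8008 in the redirect are assumptions added here.

```nginx
# Added example, not from the thread: posted config with the reply's fixes applied.

# Plain-HTTP listener: send clients to the TLS listener.
server {
        listen 80 default_server;
        listen [::]:80 default_server;
        # $host carries no port, so the non-default HTTPS port is named explicitly.
        return 301 https://$host:8008$request_uri;
}

server {
        # The port belongs on "listen"; the "ssl" flag enables TLS on this
        # socket and replaces the older "ssl on;" directive.
        listen 8008 ssl;
        listen [::]:8008 ssl;

        # server_name is matched against the Host header without its port.
        server_name 192.168.1.141;

        # Keep the key file readable by root only.
        ssl_certificate         /etc/nginx/cert.crt;
        ssl_certificate_key     /etc/nginx/certkey.key;

        ssl_session_cache  shared:SSL:10m;
        # Assumption: every client supports TLS 1.2, so TLSv1 and TLSv1.1 are dropped.
        ssl_protocols  TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
        ssl_prefer_server_ciphers on;

        access_log /var/log/nginx/access.log;

        location / {
                # X-Deluge-Base removed: it only applies to the Deluge web UI.
                proxy_set_header        Host $host;
                proxy_set_header        X-Real-IP $remote_addr;
                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header        X-Forwarded-Proto $scheme;

                # Backend address as in the posted config.
                proxy_pass          http://192.168.1.141:1337/;
                proxy_read_timeout  90;
                proxy_redirect          off;
                proxy_buffering         off;
        }
}
```

Run `sudo nginx -t` to validate the file before restarting nginx.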

@yknivag Now I’m getting;
nginx: [error] open() "/run/nginx.pid" failed (2: No such file or directory)

Know any solution?

Can you post the output of sudo systemctl status nginx and of sudo journalctl? (Use the official OSMC pastebin (http://paste.osmc.io) if the latter is too large to post here.)

http://paste.osmc.io/fosozamilo.diff

Thanks for helping :slight_smile:

So I got nginx working but I can’t get websocket to work over the nginx proxy… also @yknivag thanks for the config.

As you probably discovered, the nginx [error] was caused by a mistake in your proxy file.

I’m not sure about the websocket, I’ve never reverse proxied chorus before, but I get that same message on my browser even on the internal network.

I’m starting to think it’s not possible… I’ll have to find an alternative method, thanks for all the help.

The Chorus web interface is quite new and works in a different way than the old one. You might want to check out the Kodi forum to see if anyone there has it working over SSL.

Sorry for late reply.

I’ve been active on the Chorus2 github page and there’s a possible solution to it there… In the meantime I’m trying out Sonerezh which I wrote a guide for. It will do for now ^^

Got my Raspberry Pi a week ago, decided I didn’t like Raspbian so I tried OSMC and got to work on Apache.
Steps to get SSL working on Apache2 on OSMC:
This was a huge struggle in getting there and hopefully I’ve remembered all of the steps:

  1. sudo apt-get install apache2

  2. in /etc/apache2/mods-enabled/
    sudo ln -s /etc/apache2/mods-available/ssl.conf
    sudo ln -s /etc/apache2/mods-available/ssl.load
    sudo ln -s /etc/apache2/mods-available/socache_shmcb.load

  3. in /etc/apache2/sites-enabled
    sudo ln -s /etc/apache2/sites-available/default-ssl.conf

  4. From a Linux Mint 18 computer copy
    /etc/ssl/certs/ssl-cert-snakeoil.pem
    /etc/ssl/private/ssl-cert-snakeoil.key
    into their respective directories in osmc

sudo shutdown -r now

Hope this helps