Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

--- ubuntu:navidrome [2026/04/23 14:06] – [Service-User der Anwendung zuweisen] Sebastian Hetzel
+++ ubuntu:navidrome [2026/04/30 20:56] (aktuell) – [Anwendung installieren] Sebastian Hetzel
@@ Zeile 52: / Zeile 52: @@
 </code>
+==== Logrotate ====
+<file bash /etc/logrotate.d/navidrome>
+/var/log/navidrome.log
+{
+        rotate 14
+        daily
+        missingok
+        notifempty
+        delaycompress
+        compress
+        create 640 navidrome navidrome
+        postrotate
+                if service navidrome status > /dev/null 2>&1; then \
+                    touch /var/log/navidrome.log; \
+                    chown navidrome:navidrome /var/log/navidrome.log; \
+                    service navidrome restart > /dev/null 2>&1; \
+                fi;
+        endscript
+        sharedscripts
+}
+</file>
 ==== Daten wiederherstellen (bei Migration) ====
@@ Zeile 105: / Zeile 127: @@
 </code>
+=== Default Berechtigungen setzen ===
+<code bash>
+apt install acl
+setfacl -d -m u::rwX,g::rX,o::--- /srv/LOSSLESS_AUDIO
+</code>
 ==== Service-User der Anwendung zuweisen ====
@@ Zeile 235: / Zeile 263: @@
 ===== Apache2 als Reverse-Proxy =====
+==== Installation der Pakete ====
-<code apache>
+<code bash>
-<IfModule mod_ssl.c>
+apt update
-<VirtualHost *:443>
+apt install apache2 libapache2-mod-security2
-    ServerName music.example.com
+</code>
-    DocumentRoot /var/www/navidrome/html
-    # Logs
+Module im Apache aktivieren:
-    ErrorLog /var/www/navidrome/logs/error.log
-    CustomLog /var/www/navidrome/logs/access.log combined
-    # Proxy Settings
+<code bash>
-    ProxyPreserveHost On
+a2enmod proxy proxy_http proxy_wstunnel headers rewrite ssl
-    Protocols http/1.1   # HTTP/1.1 erzwingen für stabile Streaming-Verbindungen
+</code>
-    # WebSocket Support (Rewrites nur für Upgrade)
+Dual Stack aktivieren --> ''/etc/apache2/ports.conf''.
-    RewriteEngine On
-    RewriteCond %{HTTP:Upgrade} =websocket [NC]
-    RewriteRule /(.*) ws://127.0.0.1:4533/$1 [P,L]
-    # Normaler Proxy für alle anderen Requests
+<code apache>
-    ProxyPass / http://127.0.0.1:4533/ nocanon
+Listen 80
-    ProxyPassReverse / http://127.0.0.1:4533/
+Listen [::]:80
+Listen 443
+Listen [::]:443
+</code>
-    # Forwarded Headers
+Apache-Version nicht bekannt geben --> ''/etc/apache2/conf-enabled/security.conf''
-    RequestHeader set X-Forwarded-Proto "https"
-    RequestHeader set X-Forwarded-Port "443"
-    RequestHeader set X-Forwarded-For "%{REMOTE_ADDR}s"
-    # Connection / Timeout Optimierungen
+<code apache>
-    KeepAlive On
+# ServerTokens
-    MaxKeepAliveRequests 100
+# This directive configures what you return as the Server HTTP response
-    KeepAliveTimeout 5
+# Header. The default is 'Full' which sends information about the OS-Type
-    ProxyTimeout 300
+# and compiled in modules.
+# Set to one of:  Full | OS | Minimal | Minor | Major | Prod
-    # Security Headers
+# where Full conveys the most information, and Prod the least.
-    # X-XSS-Protection ist veraltet, kann optional drinbleiben oder entfernt werden
+#ServerTokens Minimal
-    # Header always set X-XSS-Protection "1; mode=block"
+ServerTokens Prod
-    Header always set X-Content-Type-Options "nosniff"
+#ServerTokens Full
-    Header always set Strict-Transport-Security "max-age=31536000"
-    # SSL Certs
-    Include /etc/letsencrypt/options-ssl-apache.conf
-    SSLCertificateFile /etc/letsencrypt/live/music.example.com/fullchain.pem
-    SSLCertificateKeyFile /etc/letsencrypt/live/music.example.com/privkey.pem
-</VirtualHost>
-</IfModule>
 </code>
 ===== ModSecurity-Konfiguration für Apache2 Reverse Proxy vor Navidrome =====
@@ Zeile 301: / Zeile 315: @@
 </code>
+Einbindung in Apache unter ''vi /etc/apache2/mods-enabled/security2.conf''
+<file apache /etc/apache2/mods-enabled/security2.conf>
+<IfModule security2_module>
+        # Default Debian dir for modsecurity's persistent data
+        SecDataDir /var/cache/modsecurity
+        # Include all the *.conf files in /etc/modsecurity.
+        # Keeping your local configuration in that directory
+        # will allow for an easy upgrade of THIS file and
+        # make your life easier
+        IncludeOptional /etc/modsecurity/modsecurity.conf
+        #IncludeOptional /etc/modsecurity/other-rules.conf
+        IncludeOptional /etc/modsecurity/crs/crs-setup.conf
+        IncludeOptional /etc/modsecurity/crs/rules/*.conf
+        # Include OWASP ModSecurity CRS rules if installed
+        # IncludeOptional /usr/share/modsecurity-crs/*.load
+        # Defense against CVE-2021-44228
+        SecRuleUpdateTargetById 932130 "REQUEST_HEADERS:User-Agent"
+        SecRuleUpdateTargetById 932130 "REQUEST_HEADERS:Referer"
+</IfModule>
+</file>
 ==== 2. Hauptkonfiguration ====
@@ Zeile 499: / Zeile 538: @@
 <code apache>
-<VirtualHost *:80>
+<IfModule mod_ssl.c>
-    ServerName music.example.com
+<VirtualHost *:443>
+        ServerName music.example.de
+        ServerAlias music.example.net
+        DocumentRoot /var/www/navidrome/html
-    ProxyPreserveHost On
+        ErrorLog /var/www/navidrome/logs/error.log
-    ProxyPass / http://127.0.0.1:4533/
+        CustomLog /var/www/navidrome/logs/access.log combined
-    ProxyPassReverse / http://127.0.0.1:4533/
-    # Sicherheit
+        ProxyPreserveHost On
-    Header always set X-Frame-Options SAMEORIGIN
+        Protocols http/1.1
-    Header always set X-Content-Type-Options nosniff
+        #ProxyPass "/.well-known/" "!"
-    Header always set X-XSS-Protection "1; mode=block"
-    # Logging
+        # WebSocket-Unterstützung
-    ErrorLog ${APACHE_LOG_DIR}/navidrome_error.log
+        RewriteEngine On
-    CustomLog ${APACHE_LOG_DIR}/navidrome_access.log combined
+        RewriteCond %{HTTP:Upgrade} =websocket [NC]
+        RewriteRule /(.*)           ws://127.0.0.1:4533/$1 [P,L]
+        # Alles andere Proxy
+        ProxyPass / http://127.0.0.1:4533/ nocanon
+        ProxyPassReverse / http://127.0.0.1:4533/
+        RequestHeader set X-Forwarded-Proto "https"
+        RequestHeader set X-Forwarded-Port "443"
+        RequestHeader set X-Forwarded-For "%{REMOTE_ADDR}s"
+        Header always set X-XSS-Protection "1; mode=block"
+        KeepAlive On
+        MaxKeepAliveRequests 100
+        KeepAliveTimeout 5
+        ProxyTimeout 300
+        Include /etc/letsencrypt/options-ssl-apache.conf
+        Include /etc/modsecurity/navidrome-exclusions.conf
+        SSLCertificateFile  /etc/letsencrypt/live/music.example.de/fullchain.pem
+        SSLCertificateKeyFile  /etc/letsencrypt/live/music.example.de/privkey.pem
+        Header always set Strict-Transport-Security "max-age=31536000"
 </VirtualHost>
+</IfModule>
 </code>
 ==== 7. Test & Debug ====