Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

--- ubuntu:navidrome [2026/04/24 11:38] – [Installation der Pakete] Sebastian Hetzel
+++ ubuntu:navidrome [2026/04/30 20:56] (aktuell) – [Anwendung installieren] Sebastian Hetzel
@@ Zeile 52: / Zeile 52: @@
 </code>
+==== Logrotate ====
+<file bash /etc/logrotate.d/navidrome>
+/var/log/navidrome.log
+{
+        rotate 14
+        daily
+        missingok
+        notifempty
+        delaycompress
+        compress
+        create 640 navidrome navidrome
+        postrotate
+                if service navidrome status > /dev/null 2>&1; then \
+                    touch /var/log/navidrome.log; \
+                    chown navidrome:navidrome /var/log/navidrome.log; \
+                    service navidrome restart > /dev/null 2>&1; \
+                fi;
+        endscript
+        sharedscripts
+}
+</file>
 ==== Daten wiederherstellen (bei Migration) ====
@@ Zeile 253: / Zeile 275: @@
 a2enmod proxy proxy_http proxy_wstunnel headers rewrite ssl
 </code>
+Dual Stack aktivieren --> ''/etc/apache2/ports.conf''.
 <code apache>
-<IfModule mod_ssl.c>
+Listen 80
-<VirtualHost *:443>
+Listen [::]:80
-    ServerName music.example.com
+Listen 443
-    DocumentRoot /var/www/navidrome/html
+Listen [::]:443
+</code>
-    # Logs
+Apache-Version nicht bekannt geben --> ''/etc/apache2/conf-enabled/security.conf''
-    ErrorLog /var/www/navidrome/logs/error.log
-    CustomLog /var/www/navidrome/logs/access.log combined
-    # Proxy Settings
+<code apache>
-    ProxyPreserveHost On
+# ServerTokens
-    Protocols http/1.1   # HTTP/1.1 erzwingen für stabile Streaming-Verbindungen
+# This directive configures what you return as the Server HTTP response
+# Header. The default is 'Full' which sends information about the OS-Type
-    # WebSocket Support (Rewrites nur für Upgrade)
+# and compiled in modules.
-    RewriteEngine On
+# Set to one of:  Full | OS | Minimal | Minor | Major | Prod
-    RewriteCond %{HTTP:Upgrade} =websocket [NC]
+# where Full conveys the most information, and Prod the least.
-    RewriteRule /(.*) ws://127.0.0.1:4533/$1 [P,L]
+#ServerTokens Minimal
+ServerTokens Prod
-    # Normaler Proxy für alle anderen Requests
+#ServerTokens Full
-    ProxyPass / http://127.0.0.1:4533/ nocanon
-    ProxyPassReverse / http://127.0.0.1:4533/
-    # Forwarded Headers
-    RequestHeader set X-Forwarded-Proto "https"
-    RequestHeader set X-Forwarded-Port "443"
-    RequestHeader set X-Forwarded-For "%{REMOTE_ADDR}s"
-    # Connection / Timeout Optimierungen
-    KeepAlive On
-    MaxKeepAliveRequests 100
-    KeepAliveTimeout 5
-    ProxyTimeout 300
-    # Security Headers
-    # X-XSS-Protection ist veraltet, kann optional drinbleiben oder entfernt werden
-    # Header always set X-XSS-Protection "1; mode=block"
-    Header always set X-Content-Type-Options "nosniff"
-    Header always set Strict-Transport-Security "max-age=31536000"
-    # SSL Certs
-    Include /etc/letsencrypt/options-ssl-apache.conf
-    SSLCertificateFile /etc/letsencrypt/live/music.example.com/fullchain.pem
-    SSLCertificateKeyFile /etc/letsencrypt/live/music.example.com/privkey.pem
-</VirtualHost>
-</IfModule>
 </code>
 ===== ModSecurity-Konfiguration für Apache2 Reverse Proxy vor Navidrome =====
@@ Zeile 542: / Zeile 538: @@
 <code apache>
-<VirtualHost *:80>
+<IfModule mod_ssl.c>
-    ServerName music.example.com
+<VirtualHost *:443>
+        ServerName music.example.de
+        ServerAlias music.example.net
+        DocumentRoot /var/www/navidrome/html
-    ProxyPreserveHost On
+        ErrorLog /var/www/navidrome/logs/error.log
-    ProxyPass / http://127.0.0.1:4533/
+        CustomLog /var/www/navidrome/logs/access.log combined
-    ProxyPassReverse / http://127.0.0.1:4533/
-    # Sicherheit
+        ProxyPreserveHost On
-    Header always set X-Frame-Options SAMEORIGIN
+        Protocols http/1.1
-    Header always set X-Content-Type-Options nosniff
+        #ProxyPass "/.well-known/" "!"
-    Header always set X-XSS-Protection "1; mode=block"
-    # Logging
+        # WebSocket-Unterstützung
-    ErrorLog ${APACHE_LOG_DIR}/navidrome_error.log
+        RewriteEngine On
-    CustomLog ${APACHE_LOG_DIR}/navidrome_access.log combined
+        RewriteCond %{HTTP:Upgrade} =websocket [NC]
+        RewriteRule /(.*)           ws://127.0.0.1:4533/$1 [P,L]
+        # Alles andere Proxy
+        ProxyPass / http://127.0.0.1:4533/ nocanon
+        ProxyPassReverse / http://127.0.0.1:4533/
+        RequestHeader set X-Forwarded-Proto "https"
+        RequestHeader set X-Forwarded-Port "443"
+        RequestHeader set X-Forwarded-For "%{REMOTE_ADDR}s"
+        Header always set X-XSS-Protection "1; mode=block"
+        KeepAlive On
+        MaxKeepAliveRequests 100
+        KeepAliveTimeout 5
+        ProxyTimeout 300
+        Include /etc/letsencrypt/options-ssl-apache.conf
+        Include /etc/modsecurity/navidrome-exclusions.conf
+        SSLCertificateFile  /etc/letsencrypt/live/music.example.de/fullchain.pem
+        SSLCertificateKeyFile  /etc/letsencrypt/live/music.example.de/privkey.pem
+        Header always set Strict-Transport-Security "max-age=31536000"
 </VirtualHost>
+</IfModule>
 </code>
 ==== 7. Test & Debug ====