-
Notifications
You must be signed in to change notification settings - Fork 645
Behind web proxy
With the librespot
switch --proxy
it is possible to run a Spotify Connect device behind a web proxy server. In this example a librespot
server with no direct internet connection uses a squid web proxy as intermediary.
The two relevant switches are --proxy
and --ap-port
to enforce connecting to a standard web port (80 and 443). Here is a minimal working example:
librespot --name DEVICENAME --proxy http://WEBPROXY:PORT --ap-port 443
--ap-port
can also be used without a proxy. In this case librespot
will only resolve access points with that specified port.
This is a minimal squid.conf configuration example without any traffic filtering, broadly based on the Calomel HowTo:
# General config
http_port 3128
detect_broken_pconn on
dns_defnames on
forwarded_for delete
httpd_suppress_version_string on
# ACL config
acl lan src 192.168.0.0/24
http_access deny !lan
# Allow web ports only
acl web_ports port 80 443
http_access deny !web_ports
# Allow TLS on HTTPS port only
acl tls_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !tls_ports
# Allow typical methods only
acl web_methods method CONNECT GET HEAD POST
http_access deny !web_methods
# Allow replies
http_reply_access allow all
# Disable caching
cache_mgr not_to_be_disturbed
cache deny all
# Logs
logformat custom %{%Y-%m-%dT%H:%M:%S}tl:%tu %>a %>ru %>rm %>Hs %<A %Ss
access_log stdio:/var/log/squid/access.log custom
cache_log stdio:/var/log/squid/cache.log
cache_store_log stdio:/var/log/squid/store.log
After starting squid
and librespot
, the librespot
logs should return the following when the connection through the proxy was successful:
librespot 0.3.1 e064f27 (Built on 2021-11-20, Build ID: sPNYe7OB, Profile: release)
librespot_core::session] Connecting to AP "gew1-accesspoint-a-m41b.ap.spotify.com:443"
librespot_core::connection] Using proxy "http://WEBPROXY:PORT/"
librespot_core::session] Authenticated as "USERNAME" !
If a fallback to ap.spotify.com
is logged instead, the following section might help to troubleshoot the problem.
Often squid configuration examples with something like the following acl can be found:
# Allow HTTP and SSL
acl web_protos proto HTTP SSL
http_access deny !web_protos
This doesn't work with librespot
because the communication between Spotify and librespot
isn't based on standard web protocols. The acl needs to be removed or librespot
needs to be whitelisted from it.
The access point resolver http://apresolve.spotify.com
doesn't accept connections with an X-Forwarded-For
header which doesn't contain a valid IP address (such as unknown
). This is the case when forwarded_for off
is set in squid.conf
. The default in Squid is forwarded_for on
which will append the client's original IP address in the request. The access point resolver will accept such requests, but if this isn't desired, the complete header can be removed with forwarded_for delete
as in the configuration example above.
Further details can be found in the Squid documentation.