AudioSilo

Reverse proxy & TLS

AudioSilo Server is designed to be safe to leave exposed to the internet. App-layer protections are always on: per-IP request rate limiting, brute-force lockout on login and auth-code redemption, argon2id password hashing, hashed revocable tokens, strict path-traversal containment, and body-size limits. What you choose here is just how TLS is handled.

Pick a TLS strategy

  • Self-signed (tls.mode: selfsigned, the default) — fine for a LAN, but clients must accept the certificate.
  • Automatic Let's Encrypt (tls.mode: autocert, set tls.hosts) — the server obtains and renews certs itself. Needs a public hostname reachable on :443.
  • Behind a reverse proxy (tls.mode: off) — the recommended setup for most internet-facing deployments. Caddy, nginx or Traefik terminates TLS and forwards to the server over plain HTTP.

Server config behind a proxy

Turn TLS off, set the exact external URL (so QR / invite links are correct), and trust your proxy's network so rate limiting sees real client IPs:

config.yaml
tls:
  mode: "off"                       # the proxy terminates TLS    [AUDIOSILO_TLS_MODE]
public_url: "https://books.example.com"   # exact external URL    [AUDIOSILO_PUBLIC_URL]
trusted_proxies: ["127.0.0.1/32", "10.0.0.0/8"]   # your proxy's network

Set trusted_proxies to your proxy's address/range only. Trusting too wide a range lets clients spoof X-Forwarded-For and defeat per-IP rate limiting.
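To make the spoofing risk concrete, here is an added Go illustration (not AudioSilo's own code) of the rule a proxy-aware server applies when it picks the address to rate-limit on: walk X-Forwarded-For from the right, skip every hop that lies inside trusted_proxies, and stop at the first untrusted one; ignore the header entirely when the TCP peer itself is not a trusted proxy. The sample addresses and the forged header value are constructed; the function names (Resolve, clientIP) are this example's own.

```go
package main

import (
	"fmt"
	"net"
	"net/netip"
	"strings"
)

// isTrusted reports whether a lies inside any trusted_proxies range.
func isTrusted(a netip.Addr, trusted []netip.Prefix) bool {
	a = a.Unmap() // ::ffff:1.2.3.4 must match IPv4 ranges
	for _, p := range trusted {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

// clientIP is a hypothetical implementation of the trusted-proxy rule.
// remoteAddr is the TCP peer ("ip:port"); xff is the X-Forwarded-For header.
func clientIP(remoteAddr, xff string, trusted []netip.Prefix) string {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // no port present
	}
	peer, err := netip.ParseAddr(host)
	if err != nil {
		return host
	}
	if !isTrusted(peer, trusted) {
		return peer.String() // direct connection: never believe the header
	}
	parts := strings.Split(xff, ",")
	for i := len(parts) - 1; i >= 0; i-- {
		a, err := netip.ParseAddr(strings.TrimSpace(parts[i]))
		if err != nil {
			return peer.String() // malformed entry: trust nothing left of it
		}
		if !isTrusted(a, trusted) {
			return a.String() // first untrusted hop from the right is the client
		}
	}
	return peer.String() // every hop trusted (range too wide or header empty)
}

// Resolve takes trusted_proxies in its config form (CIDR strings).
func Resolve(remoteAddr, xff string, trustedCIDRs []string) (string, error) {
	trusted := make([]netip.Prefix, 0, len(trustedCIDRs))
	for _, c := range trustedCIDRs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return "", fmt.Errorf("trusted_proxies entry %q: %w", c, err)
		}
		trusted = append(trusted, p)
	}
	return clientIP(remoteAddr, xff, trusted), nil
}

func main() {
	// Constructed sample: the proxy on 127.0.0.1 appended the real client
	// 203.0.113.9; the client itself sent a forged "1.2.3.4" in the header.
	const peer, xff = "127.0.0.1:51234", "1.2.3.4, 203.0.113.9"
	for _, tc := range []struct {
		name  string
		cidrs []string
	}{
		{"proxy only (correct)", []string{"127.0.0.1/32", "10.0.0.0/8"}},
		{"client range trusted (too wide)", []string{"127.0.0.1/32", "203.0.113.0/24"}},
	} {
		ip, err := Resolve(peer, xff, tc.cidrs)
		fmt.Printf("%-32s -> %s %v\n", tc.name, ip, err)
	}
	// Direct connection with a forged header: the header is ignored.
	ip, _ := Resolve("203.0.113.9:4000", "1.2.3.4", []string{"127.0.0.1/32"})
	fmt.Println("direct connection ->", ip)
}
```

With the narrow range the server keys on 203.0.113.9 and the forged entry is discarded; once the client's own /24 is inside trusted_proxies, the walk skips the real address and lands on 1.2.3.4, so one client can pick any bucket it likes.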

Example: Caddy

Caddy gives you automatic HTTPS with almost no config:

Caddyfile
# Caddyfile — automatic HTTPS via Let's Encrypt
books.example.com {
    reverse_proxy localhost:8080
}

Example: nginx

With nginx, terminate TLS and forward the standard proxy headers:

nginx.conf
server {
    listen 443 ssl;
    server_name books.example.com;

    # listen 443 ssl requires a certificate; adjust these paths to your own
    ssl_certificate     /etc/letsencrypt/live/books.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/books.example.com/privkey.pem;

    location / {
        proxy_pass         http://127.0.0.1:8080;
        proxy_set_header   Host $host;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }
}

Native app deep links

For the QR/invite link to auto-launch the installed app (rather than the web player), configure app_links in the config so the server publishes the matching apple-app-site-association and assetlinks.json at your public domain.