With the librespot switch --proxy it is possible to run a Spotify Connect device behind a web proxy server. In this example a librespot server with no direct internet connection uses a squid web proxy as intermediary.

Librespot configuration

The two relevant switches are --proxy and --ap-port to enforce connecting to a standard web port (80 and 443). Here is a minimal working example:

librespot --name DEVICENAME --proxy http://WEBPROXY:PORT --ap-port 443

--ap-port can also be used without a proxy. In this case librespot will only resolve access points with that specified port.

Squid configuration

This is a minimal squid.conf configuration example without any traffic filtering, broadly based on the Calomel HowTo:

# General config
http_port 3128
detect_broken_pconn on
dns_defnames on
forwarded_for delete
httpd_suppress_version_string on

# ACL config
acl lan src 192.168.0.0/24
http_access deny !lan

# Allow web ports only
acl web_ports port 80 443
http_access deny !web_ports

# Allow TLS on HTTPS port only
acl tls_ports port 443
acl CONNECT method CONNECT
http_access deny CONNECT !tls_ports

# Allow typical methods only
acl web_methods method CONNECT GET HEAD POST
http_access deny !web_methods

# Allow replies
http_reply_access allow all

# Disable caching
cache_mgr not_to_be_disturbed
cache deny all

# Logs    
logformat custom %{%Y-%m-%dT%H:%M:%S}tl:%tu %>a %>ru %>rm %>Hs %<A %Ss
access_log stdio:/var/log/squid/access.log custom
cache_log stdio:/var/log/squid/cache.log
cache_store_log stdio:/var/log/squid/store.log

Successful connection

After starting squid and librespot, the librespot logs should return the following when the connection through the proxy was successful:

librespot 0.3.1 e064f27 (Built on 2021-11-20, Build ID: sPNYe7OB, Profile: release)
librespot_core::session] Connecting to AP "gew1-accesspoint-a-m41b.ap.spotify.com:443"
librespot_core::connection] Using proxy "http://WEBPROXY:PORT/"
librespot_core::session] Authenticated as "USERNAME" !

If a fallback to ap.spotify.com is logged instead, the following section might help to troubleshoot the problem.

Troubleshooting

Protocol enforcement

Often squid configuration examples with something like the following acl can be found:

# Allow HTTP and SSL
acl web_protos proto HTTP SSL
http_access deny !web_protos

This doesn't work with librespot because the communication between Spotify and librespot isn't based on standard web protocols. The acl needs to be removed or librespot needs to be whitelisted from it.

Forwarding header

The access point resolver http://apresolve.spotify.com doesn't accept connections with an X-Forwarded-For header which doesn't contain a valid IP address (such as unknown). This is the case when forwarded_for off is set in squid.conf. The default in Squid is forwarded_for on which will append the client's original IP address in the request. The access point resolver will accept such requests, but if this isn't desired, the complete header can be removed with forwarded_for delete as in the configuration example above.

Further details can be found in the Squid documentation.