Software developer interested into security and sustainability.
Nginx is pretty easy to set up. Look up “nginx virtual hosts”. You might want to use certbot/acme if you don’t have SSL certificates for your domain names. You need either a wildcard certificate (*.example.com), a certificate with SAN (Subject Alternative Name) containing the second subdomain, or two certificates (one for each subdomain). Note that subdomains can be found more easily than path based websites, if you allow connections from the whole WAN.
If i understand correctly, whataboutism is used to burry a statement without any solid counter-argument. The accusation of it burries the whataboutism’s argument, which could be valid nonetheless.
But the article of the DMA says that the gatekeeper shall not prevent the business user to serve their product using other conditions than those of the gatekeeper’s platform. I think that would include Apple’s publishing guidelines.
Then it may be a token stealer.
If your account is linked to your Google, Apple or Facebook account that might be the culprit (I think you can see this in yout account settings). You need to check that because the consequences could be way worse than just having access to your Spotify account. You can use HaveIBeenPwned to look for leaks matching your e-mail address or password.
Another possibility is that your browser/OS or spotify client was infected by a token stealer which can automatically steal your access tokens as you log-in after changing the password.
Due to Secure Boot (if it actually enabled since there are some bogous implementations) this can be prevented. If I understand it correctly, LogoFAIL bypasses this security measure and enables loading unsigned code.
It was already like this in Europe when I began to use Spotify in 2015. I do not hate it because the app’s free tier is already unusable to me due to the adverts.
Maybe you should consider a server & client architecture to use the right tool for the right job on each platform.