DVR webgui with Nginx reverse proxy

dambrosioj · January 5, 2017, 12:22pm

Has anyone successfully configured the webgui to be used with a reverse proxy?

I tried to pass the traffic to 192.168.1.xxx:8089 but no luck. I know you can open up the port for remote access but I prefer to keep as man ports closed as I can and use a proxy.

location /dvr {
# Send traffic to the backend
proxy_pass http://192.168.1.xxx:8089;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-for $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto $remote_addr;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_redirect off;
# Send websocket data to the backend aswell
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection “upgrade”;
}

maddox · January 5, 2017, 4:14pm

I have mine behind an nginx proxy using a let’s encrypt SSL cert. Here’s my config:

# --- + PROXY + ---

# Template variables:
#
# * domain = channels.XXX.com
# * name = channels
# * type = proxy
# * host = localhost
# * port = 8282

upstream channels-lb {
    server localhost:8089;
}

server {
   listen 80;
   server_name channels.XXX.com;
   return 301 https://channels.XXX.com$request_uri;
}

server {
    server_name channels.XXX.com;
    listen 443 ssl;


    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_pass http://channels-lb;
    }

    ssl_certificate /etc/letsencrypt/live/cert.XXX.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cert.XXX.com/privkey.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

    access_log /var/log/nginx/channels-access.log;
    error_log  /var/log/nginx/channels-error.log;
}

# --- - PROXY - ---

tmm1 · January 5, 2017, 6:26pm

Note that the DVR server detects the client ip and forces authentication when it is not in your local network. By using a reverse proxy, all requests will appear local which breaks the authentication mechanism.

dambrosioj · January 5, 2017, 6:28pm

Thats what I figured. So really not way to get this working with a reverse proxy then?

Or should I put it, actually safer not using reverse proxy because it bypasses authentication

timstephens24 · January 5, 2017, 7:03pm

I have mine behind a reverse proxy as well. Not sure what (if anything) I’ll do about authentication. I haven’t really cared at this point.

dambrosioj · January 5, 2017, 7:14pm

I think for now I am just going to leave it outside of the reverse proxy. Are you using nginx?

Could you post your config also? was just curious

tmm1 · January 5, 2017, 7:16pm

This is probably why your configuration isn’t working. The DVR server needs all urls forwarded, so you have to use a virtual host like @maddox did.

maddox · January 5, 2017, 7:32pm

If you’re dabbling in NGINX for local stuff, I def suggest just creating vhosts with subdomains for all your services vs scoping with the url. It also means faster autocomplete in your browser

Just register a domain somewhere and point it at your house and cname it for all your subdomains. Then you can set up Let’s Encrypt to create a cert for all the hosts. Then you have nice simple URLs you can remember that work inside and outside the home and most importantly, SSL!

dambrosioj · January 5, 2017, 7:34pm

No I am using duckdns with lets encrypt already for outside access. Everything else works fine, emby/grafana/plex. I was just having issues for some reason with Channels DVR. I will play around with it later, but if there is no authentication its probably better to not use a reverse proxy and just port forward the port for now

btw I only posted part of my config.

tmm1 · January 6, 2017, 7:03am

14 posts were split to a new topic: Port forwarding not working

timstephens24 · January 5, 2017, 11:32pm

Like @maddox, nginx and Let’s Encrypt

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name channels.XXX.com;

    ssl_certificate /usr/syno/etc/certificate/ReverseProxy/60af3a34-33b1-4d55-b1cd-ad2aadc2fcb5/fullchain.pem;

    ssl_certificate_key /usr/syno/etc/certificate/ReverseProxy/60af3a34-33b1-4d55-b1cd-ad2aadc2fcb5/privkey.pem;

    add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload" always;

    location / {
        proxy_set_header        Host                $host;
        proxy_set_header        X-Real-IP           $remote_addr;
        proxy_set_header        X-Forwarded-For     $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto   $scheme;
        proxy_intercept_errors  on;
        proxy_http_version      1.1;

        proxy_pass http://localhost:8089;

    }
}

I registered a domain with Google and wrote a very simple python script to keep my IP updated, and then use Let’s Encrypt for my domain all the subdomains.

dambrosioj · January 6, 2017, 3:29pm

This can be closed I figured it out. My nginx / lets encrypt is all setup on Centos7. I took a look at the logs and was getting alot of denies. The below commands fixed it right up.

I checked for errors in the SELinux logs:

sudo cat /var/log/audit/audit.log | grep nginx | grep denied
And found that running the following commands fixed my issue:

sudo cat /var/log/audit/audit.log | grep nginx | grep denied | audit2allow -M mynginx
sudo semodule -i mynginx.pp