DVR webgui with Nginx reverse proxy

Has anyone successfully configured the webgui to be used with a reverse proxy?

I tried to pass the traffic to 192.168.1.xxx:8089 but no luck. I know you can open up the port for remote access but I prefer to keep as many ports closed as I can and use a proxy.

location /dvr {
    # Send traffic to the backend
    proxy_pass http://192.168.1.xxx:8089;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
    # Pass the original scheme (http or https) to the backend
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Protocol $scheme;
    proxy_redirect off;
    # Send websocket data to the backend as well
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}

I have mine behind an nginx proxy using a let’s encrypt SSL cert. Here’s my config:

# --- + PROXY + ---

# Template variables:
#
# * domain = channels.XXX.com
# * name = channels
# * type = proxy
# * host = localhost
# * port = 8282

upstream channels-lb {
    server localhost:8089;
}

server {
   listen 80;
   server_name channels.XXX.com;
   return 301 https://channels.XXX.com$request_uri;
}

server {
    server_name channels.XXX.com;
    listen 443 ssl;


    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_pass http://channels-lb;
    }

    ssl_certificate /etc/letsencrypt/live/cert.XXX.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cert.XXX.com/privkey.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

    access_log /var/log/nginx/channels-access.log;
    error_log  /var/log/nginx/channels-error.log;
}

# --- - PROXY - ---

Note that the DVR server detects the client ip and forces authentication when it is not in your local network. By using a reverse proxy, all requests will appear local which breaks the authentication mechanism.
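
One way to put the local/remote check back is to enforce it at the proxy, which still sees the real client address. This is an added example, not a config from anyone in this thread: the 192.168.1.0/24 LAN range and the htpasswd path are assumptions, while the host name, certificate paths and backend port follow the configs posted above.

```nginx
server {
    listen 443 ssl;
    server_name channels.XXX.com;

    ssl_certificate     /etc/letsencrypt/live/cert.XXX.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cert.XXX.com/privkey.pem;

    location / {
        # The backend sees every request as coming from the proxy, so the
        # local-vs-remote decision is made here, on the real client address.
        # "satisfy any" grants access if EITHER the IP rules OR basic auth pass.
        satisfy any;

        allow 192.168.1.0/24;   # assumed LAN range: no password prompt
        allow 127.0.0.1;
        deny  all;              # everyone else must pass basic auth below

        auth_basic           "Channels DVR";
        auth_basic_user_file /etc/nginx/channels.htpasswd;   # assumed path

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_pass http://localhost:8089;
    }
}
```

The password file can be created with `htpasswd`, and basic auth is only acceptable here because the listener is TLS-only. Whether the Channels client apps can answer a basic-auth prompt is not covered in this thread.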

That’s what I figured. So really no way to get this working with a reverse proxy then?

Or should I put it, actually safer not using reverse proxy because it bypasses authentication

I have mine behind a reverse proxy as well. Not sure what (if anything) I’ll do about authentication. I haven’t really cared at this point.

I think for now I am just going to leave it outside of the reverse proxy. Are you using nginx?

Could you post your config also? Was just curious.

This is probably why your configuration isn’t working. The DVR server needs all urls forwarded, so you have to use a virtual host like @maddox did.

If you’re dabbling in NGINX for local stuff, I def suggest just creating vhosts with subdomains for all your services vs scoping with the url. It also means faster autocomplete in your browser.

Just register a domain somewhere and point it at your house and cname it for all your subdomains. Then you can set up Let’s Encrypt to create a cert for all the hosts. Then you have nice simple URLs you can remember that work inside and outside the home and most importantly, SSL!

No, I am using duckdns with Let’s Encrypt already for outside access. Everything else works fine, emby/grafana/plex. I was just having issues for some reason with Channels DVR. I will play around with it later, but if there is no authentication it’s probably better to not use a reverse proxy and just port forward the port for now.

btw I only posted part of my config.

Like @maddox, nginx and Let’s Encrypt

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name channels.XXX.com;

    ssl_certificate /usr/syno/etc/certificate/ReverseProxy/60af3a34-33b1-4d55-b1cd-ad2aadc2fcb5/fullchain.pem;

    ssl_certificate_key /usr/syno/etc/certificate/ReverseProxy/60af3a34-33b1-4d55-b1cd-ad2aadc2fcb5/privkey.pem;

    add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload" always;

    location / {
        proxy_set_header        Host                $host;
        proxy_set_header        X-Real-IP           $remote_addr;
        proxy_set_header        X-Forwarded-For     $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto   $scheme;
        proxy_intercept_errors  on;
        proxy_http_version      1.1;

        proxy_pass http://localhost:8089;

    }
}

I registered a domain with Google and wrote a very simple Python script to keep my IP updated, and then use Let’s Encrypt for my domain and all the subdomains.

This can be closed, I figured it out. My nginx / Let’s Encrypt is all set up on CentOS 7. I took a look at the logs and was getting a lot of denies. The below commands fixed it right up.

I checked for errors in the SELinux logs:

sudo cat /var/log/audit/audit.log | grep nginx | grep denied

And found that running the following commands fixed my issue:

sudo cat /var/log/audit/audit.log | grep nginx | grep denied | audit2allow -M mynginx
sudo semodule -i mynginx.pp