Reverse Proxy VS hostname forwarding

Swynol

OK, so here is my config. My router forwards port 443 to my NGINX box, which in turn forwards the traffic to another box.

In this example it forwards to my Emby box running on 192.168.10.10:8096.

##EMBY Server##

server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name emby.secretdomain.com;

    ssl_session_timeout 30m;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_certificate      SSL/cert.pem;
    ssl_certificate_key  SSL/private.key;
    ssl_session_cache shared:SSL:10m;
    # never true in this block (it only listens on 443 ssl); harmless
    if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }

    add_header X-Xss-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    proxy_hide_header X-Powered-By;
    add_header 'Referrer-Policy' 'no-referrer';
    # only these origins may frame the site
    add_header Content-Security-Policy "frame-ancestors secretdomain.com emby.secretdomain.com";

    location / {
        proxy_pass http://192.168.10.10:8096;

        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # websocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

You could have your other web box listening on a different port. Or, something I haven't tried, forward to another box using a default port such as 443 or 80.

Hope that makes sense.


Swynol

So the above is probably overly complicated; this is probably what you need. It listens on ports 80 and 443 for both IPv4 and IPv6 addresses. Delete the SSL stuff if you're not using your own cert and SSL.

##blah2.com##

server {
    listen [::]:80;
    listen 80;
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name blah2.com;

    ## only if using HTTPS ##
    ssl_session_timeout 30m;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_certificate      SSL/cert.pem;
    ssl_certificate_key  SSL/private.key;
    ssl_session_cache shared:SSL:10m;
    if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }
    ## End of HTTPS ##

    add_header X-Xss-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    proxy_hide_header X-Powered-By;
    add_header 'Referrer-Policy' 'no-referrer';

    location / {
        proxy_pass http://192.168.1.57:8096;  ##port number??##

        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

chenks

Is that a two server solution though?

 

I will have two separate webservers.

One has nginx that is reverse proxying to media apps on the same server as nginx.

And an IIS server.

Blah.com is the nginx server, and blah2.com is to route to the IIS server.

Both listening on port 80.

Only the router forwards all port 80 traffic to the nginx server.


Swynol

Yes, separate boxes.

So add that config to nginx on your 192.168.1.50 server. That will then forward anything coming in from blah2.com to 192.168.1.57.

I'm not sure if you can forward out on port 80, so proxy_pass 192.168.1.57:80 may not work. However, you could do proxy_pass 192.168.1.57:8080 or any other port.

Then your IIS box would have to listen on port 8080 or any other port.

Leave your router forwarding port 80 as it is; you shouldn't need to create any more forwarding ports unless you want to use HTTPS.


Swynol

Just done some reading, and if your nginx is listening on port 80 you can forward on to another server listening on 80. So proxy_pass 192.168.1.57:80 will work.


chenks

Right, I'm struggling to follow what changes I need to make to my config file.

I don't use SSL or IPv6.


Swynol

OK, I copied your config from the other page. I've removed all the stuff you don't need and then added another server block which will send all traffic for blah2.com to 192.168.1.57.

worker_processes  1;
events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
    server_tokens off;

    ##blah.com##

    server {
        listen       80;
        # server_name entries are space-separated; a comma would become part of the name
        server_name  blah.com 192.168.1.50;

        location /sabnzbd {
            proxy_pass http://127.0.0.1:38080;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        location /web {
            proxy_pass http://127.0.0.1:32400/web;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        location /sonar {
            proxy_pass http://127.0.0.1:38082;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        location /radarr {
            proxy_pass http://127.0.0.1:7878;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        location /couchpotato {
            proxy_pass http://127.0.0.1:38083;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        location /transmission {
            proxy_pass http://127.0.0.1:9091;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        location /emby {
            # strip the /emby prefix before handing the request to the backend
            rewrite /emby/(.*) /$1 break;
            proxy_pass http://127.0.0.1:8096;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        location /plex {
            rewrite /plex/(.*) /$1 break;
            proxy_pass http://127.0.0.1:32400;   # whatever your plex port is
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }

    ##blah2.com##

    server {
        listen 80;
        server_name blah2.com;

        location / {
            proxy_pass http://192.168.1.57:80;

            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}

chenks

OK, that doesn't seem to be quite working.

http://blah2.com is being directed to the correct server, but for some reason is asking for a user/pass (even though IIS isn't set to do so).

http://www.blah2.com is directing to the wrong server; that's going to 192.168.1.50 when it should be 192.168.1.57.

In fact it isn't just www.blah2.com that is going to the wrong server, it is *.blah2.com.


chenks

Solved one of the problems.

Added *.blah2.com to the config file and now all variations of the URL forward to the correct server.

And the other problem: strange permissions on the html file.


Swynol

Ah yes, sorry, forgot to add the wildcard.

Not sure on the user/pass issue; haven't done much with IIS. You can try having a basic index.html file on the IIS box and see if nginx can proxy_pass straight to it.

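What chenks ran into above is nginx's default-server behaviour: when no server_name matches the Host header, the request goes to the first server block listening on that port, which in this config is blah.com. The Python below is an added example, not code from the thread or from nginx itself; it models nginx's documented server_name selection order (exact name, longest wildcard starting with "*", longest wildcard ending with "*", then the default server for the port) and compares the config as posted, the config with the *.blah2.com wildcard, and a hardened variant with an explicit catch-all default_server (server_name _; return 444;) so that an unrecognised Host reaches no backend at all. The backend labels and the evil.example host are constructed placeholders.

```python
"""Model of how nginx chooses a server block from the Host header.

Added example, not code from the thread. It follows nginx's documented
server_name selection order: exact name, then the longest wildcard that
starts with "*", then the longest wildcard that ends with "*", and if
nothing matches, the default server for that listen port (the first
block unless one is marked default_server). Backend labels and the
"evil.example" host below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Server:
    names: tuple          # server_name entries, as written in the config
    backend: str          # label for where proxy_pass sends the request
    default_server: bool = False


def _normalise(host: str) -> str:
    """Lower-case the Host header and drop any :port suffix."""
    host = host.strip().lower()
    if host.startswith("["):           # IPv6 literal, e.g. [::1]:80
        return host.split("]")[0] + "]"
    return host.split(":")[0].rstrip(".")


def _leading_wildcard(name: str, host: str) -> bool:
    # "*.blah2.com" matches www.blah2.com and a.b.blah2.com, but not blah2.com
    return name.startswith("*.") and host.endswith(name[1:]) and host != name[1:]


def _trailing_wildcard(name: str, host: str) -> bool:
    # "mail.*" matches mail.blah2.com, but not "mail." itself
    return name.endswith(".*") and host.startswith(name[:-1]) and host != name[:-1]


def select_server(servers: list, host: str) -> Server:
    """Return the server block nginx would use for this Host header."""
    h = _normalise(host)

    for s in servers:                                   # 1. exact match
        if h in (n.lower() for n in s.names):
            return s

    for matcher in (_leading_wildcard, _trailing_wildcard):   # 2./3. wildcards
        hits = [(len(n), s) for s in servers for n in s.names if matcher(n.lower(), h)]
        if hits:
            return max(hits, key=lambda t: t[0])[1]     # longest wildcard wins

    for s in servers:                                   # 4. explicit default_server
        if s.default_server:
            return s
    return servers[0]                                   # else: first block for the port


# Constructed scenarios mirroring the thread: blah.com block first, blah2.com second.
AS_POSTED = [
    Server(("blah.com", "192.168.1.50"), "local-apps"),
    Server(("blah2.com",), "iis-192.168.1.57"),
]
WITH_WILDCARD = [
    Server(("blah.com", "192.168.1.50"), "local-apps"),
    Server(("blah2.com", "*.blah2.com"), "iis-192.168.1.57"),
]
# Hardened: a catch-all default_server so an unknown Host reaches no backend
# (in nginx: `listen 80 default_server; server_name _; return 444;`).
HARDENED = [
    Server(("_",), "drop-444", default_server=True),
    Server(("blah.com", "192.168.1.50"), "local-apps"),
    Server(("blah2.com", "*.blah2.com"), "iis-192.168.1.57"),
]


def route(servers: list, host: str) -> str:
    """Backend label that a request with this Host header would reach."""
    return select_server(servers, host).backend


if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("with wildcard", WITH_WILDCARD), ("hardened", HARDENED)):
        for host in ("blah2.com", "www.blah2.com", "blah.com", "evil.example"):
            print(f"{label:14} {host:16} -> {route(cfg, host)}")
```

Run as a script it prints the routing table; the "as posted" row for www.blah2.com lands on local-apps, which is exactly the symptom reported. On a real proxy the equivalent check is a request with the Host header set by hand, e.g. `curl -H 'Host: www.blah2.com' http://192.168.1.50/`, to confirm which backend answers. The catch-all matters on an internet-facing proxy: requests that arrive by IP or with an arbitrary Host value otherwise land on whichever server block happens to be first in the file.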

pir8radio

Solved one of the problems.

Added *.blah2.com to the config file and now all variations of the URL forward to the correct server.

And the other problem: strange permissions on the html file.

Just curious, why are you running IIS behind nginx? Nginx can serve up regular HTTP as well; its main purpose is a web server. If you are doing some .NET/ASP then yeah, I would stick with IIS.


Swynol

I'm sure there's a special config for NGINX when using .NET ASP on IIS. There's quite a bit on Google about it.


pir8radio

I'm sure there's a special config for NGINX when using .NET ASP on IIS. There's quite a bit on Google about it.

That's exactly it.

Yeah, I wrote my old site all in ASP. I used IIS as a reverse proxy for my other sites; it's a bit more difficult and a huge pain, but you can ditch nginx and use only IIS. I ended up just converting over to PHP, then got rid of that site a few years back. But man, I had A LOT of code with ASP, and I was surprised how much smaller my project was when I rewrote it in PHP. ANYWAY, another option is to use ASP on nginx; I have never set it up, but it's out there. But if you want to stick with what you have, try this as a "starter" config for your ASP stuff, then start uncommenting lines (remove #). I don't even want to help you troubleshoot if it's an IIS issue... I now hate IIS, lol.

 

##blah2.com##

server {
    listen 80;
    server_name blah2.com;

    location / {
        proxy_pass http://192.168.1.57:80;

        #proxy_set_header Range $http_range;
        #proxy_set_header If-Range $http_if_range;
        #proxy_set_header X-Real-IP $remote_addr;
        #proxy_set_header Host $host;
        #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}


pir8radio

@Swynol Try adding the below to your config in the http section; maybe add it to your NGINX how-to topic on here. This will compress most of the text, scripts (a lot in Emby) and XML. tcp_nodelay will push the Emby responses out to the client faster without waiting/buffering. I've always had this in my config; noticed most people don't use it. You should also try adding http2 to all of your SSL sites; loads pages that have a bunch of images a bit faster for me. But I'm sure you will Google and do research. :-)

 

I have re-enabled my guest account for a bit if you want to test on my setup:

gzip on;
gzip_disable "msie6";

gzip_comp_level 6;
gzip_min_length 1100;
gzip_buffers 16 8k;
gzip_proxied any;
gzip_types
    text/plain
    text/css
    text/js
    text/xml
    text/javascript
    application/javascript
    application/x-javascript
    application/json
    application/xml
    application/rss+xml
    image/svg+xml;

tcp_nodelay on;

Tur0k

I provision my secure connections using:

Squid reverse proxy set up on my firewall.

A domain I purchased from Google.

A DDNS subdomain I have configured on my Google domain.

A dynamic DNS client on my firewall that keeps my DDNS A record up to date automatically.

An ACME package to manage my SSL certificates.

On my firewall the only services I allow through are my reverse proxy and my VPN. For me this is preferable because my firewall config does not look like Swiss cheese. Additionally my URL is slick: HTTPS://ddns.mydomain.net. My SSL certificate is for ddns.mydomain.net.

My primary service that is needed outside my internal network is Emby, so currently I have that set up as the default site, but technically it is HTTPS://ddns.mydomain.net/emby. Any subsequent services after that would have a different name after the last "/". Personally I like this too because the URL looks clean without the port identifier needing to be enumerated. The web-based services just assume port 443 when you use "https://".


pir8radio

I provision my secure connections using:

Squid reverse proxy set up on my firewall.

A domain I purchased from Google.

A DDNS subdomain I have configured on my Google domain.

A dynamic DNS client on my firewall that keeps my DDNS A record up to date automatically.

An ACME package to manage my SSL certificates.

On my firewall the only services I allow through are my reverse proxy and my VPN. For me this is preferable because my firewall config does not look like Swiss cheese. Additionally my URL is slick: HTTPS://ddns.mydomain.net

Good work, yeah, that's what we are talking about with nginx; we only have 80 and 443 open on the firewall.


Swynol

@Swynol Try adding the below to your config in the http section; maybe add it to your NGINX how-to topic on here. This will compress most of the text, scripts (a lot in Emby) and XML. tcp_nodelay will push the Emby responses out to the client faster without waiting/buffering. I've always had this in my config; noticed most people don't use it. You should also try adding http2 to all of your SSL sites; loads pages that have a bunch of images a bit faster for me. But I'm sure you will Google and do research. :-)

 

I have re-enabled my guest account for a bit if you want to test on my setup:

gzip on;
gzip_disable "msie6";

gzip_comp_level 6;
gzip_min_length 1100;
gzip_buffers 16 8k;
gzip_proxied any;
gzip_types
    text/plain
    text/css
    text/js
    text/xml
    text/javascript
    application/javascript
    application/x-javascript
    application/json
    application/xml
    application/rss+xml
    image/svg+xml;

tcp_nodelay on;

Thanks @pir8radio, I will give that a go. Haven't used http2 yet, although I have been reading up on it.

EDIT: just added the above. Hasn't broken anything and everything seems much snappier.


1 year later...
chenks

Sorry to dredge this thread back up, but it contains discussions previously had about nginx and reverse proxy using Windows.

I still have nginx doing reverse proxy so I can access my services.

However, I'm now looking at dropping nginx completely and doing everything with IIS.

Does anyone know if IIS can do the same job as nginx did?

The end result should be:

blah.com/service1 > 192.168.1.2:12345
blah.com/service2 > 192.168.1.2:54321
blah.com/service3 > 192.168.1.2:44332
blah.com/service4 > 192.168.1.2:33442


pir8radio

Sorry to dredge this thread back up, but it contains discussions previously had about nginx and reverse proxy using Windows.

I still have nginx doing reverse proxy so I can access my services.

However, I'm now looking at dropping nginx completely and doing everything with IIS.

Does anyone know if IIS can do the same job as nginx did?

The end result should be:

blah.com/service1 > 192.168.1.2:12345
blah.com/service2 > 192.168.1.2:54321
blah.com/service3 > 192.168.1.2:44332
blah.com/service4 > 192.168.1.2:33442

It can, but you will be fighting all the way to get it to work correctly with Emby or other complicated application servers. It's not as easy to work with the headers and whatnot. I actually WAS all IIS and switched to nginx for my web server and proxy because of this.


chenks

I'll be looking to do it with the following:

Sabnzbd, Sonarr, Radarr, Transmission and possibly Jackett.

You got any pointers or instructions to do it?


pir8radio

I'll be looking to do it with the following:

Sabnzbd, Sonarr, Radarr, Transmission and possibly Jackett.

You got any pointers or instructions to do it?

This is a good start: https://blogs.msdn.microsoft.com/friis/2016/08/25/setup-iis-with-url-rewrite-as-a-reverse-proxy-for-real-world-apps/ but you will quickly find it's not as fun as nginx. :) Much more than that, and I would have to load up IIS to refresh my memory. ^_^ I remember HTTPS was not fun either.


chenks

I had a look at the article previously, but it didn't appear to offer the solution I was looking for.

i.e. it was doing it for a domain at root level, but I was wanting to do it based on what is after the /.


Tur0k

I had a look at the article previously, but it didn't appear to offer the solution I was looking for.

i.e. it was doing it for a domain at root level, but I was wanting to do it based on what is after the /.

I tried to do this with the pfSense Squid reverse proxy. I was proxying for my home automation system and Emby. I found it difficult because many of the buttons in the web content were URL pointers to specific subdirectory content after the domain. That is a major part of the reason I picked up a first-level domain and use subdomains to differentiate the services behind my reverse proxy.

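For the path-based layout chenks describes (blah.com/service1 to one port, /service2 to another) and Tur0k's observation that apps emit links to subdirectories that then miss the proxy, here is an added Python model, not code from the thread or from nginx: it applies nginx's plain prefix-location rule (longest matching prefix wins, compared as a plain string, so /web also matches /webmail), the `rewrite /emby/(.*) /$1 break;` stripping pattern from the config earlier in the thread, and then checks which absolute links in a constructed page would escape the app's own location. Ports, prefixes and the HTML snippet are constructed for illustration.

```python
"""Model of nginx prefix-location matching and rewrite-based prefix stripping.

Added example, not code from the thread. It reproduces the path-based layout
(blah.com/serviceN -> backend port) using nginx's plain prefix-location rule
(longest matching prefix wins, compared as a plain string) and the
`rewrite /prefix/(.*) /$1 break;` pattern from the config above. Ports,
prefixes and the HTML snippet are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class Location:
    prefix: str                 # `location /prefix { ... }`
    backend: str                # proxy_pass target
    strip_prefix: bool = False  # models `rewrite /prefix/(.*) /$1 break;`


def select_location(locations: list, path: str):
    """Longest plain prefix wins; None models nginx's 404 when nothing matches."""
    hits = [loc for loc in locations if path.startswith(loc.prefix)]
    return max(hits, key=lambda loc: len(loc.prefix)) if hits else None


def route(locations: list, path: str):
    """Return (backend, path as sent to the backend), or None if no location matches."""
    loc = select_location(locations, path)
    if loc is None:
        return None
    sent = path
    if loc.strip_prefix:
        # rewrite /prefix/(.*) /$1 break; -- only fires when a slash follows the prefix,
        # so a bare "/emby" is passed through unchanged, exactly as the regex would do
        sent = re.sub(r"^" + re.escape(loc.prefix) + r"/(.*)$", r"/\1", path)
    return loc.backend, sent


# Constructed locations in the style of the blah.com block above.
LOCATIONS = [
    Location("/sabnzbd", "127.0.0.1:38080"),
    Location("/web", "127.0.0.1:32400"),
    Location("/emby", "127.0.0.1:8096", strip_prefix=True),
]

# Constructed page from an app mounted at /emby that emits absolute links.
# These are the "URL pointers to specific subdirectory content" Tur0k describes.
CONSTRUCTED_HTML = (
    '<a href="/web/index.html">Home</a> '
    '<script src="/scripts/app.js"></script> '
    '<a href="/emby/settings">Settings</a>'
)


def links_that_escape(locations: list, mount_prefix: str, html: str) -> list:
    """Absolute links in the page that would not reach the app's own backend."""
    backend = next(loc.backend for loc in locations if loc.prefix == mount_prefix)
    escaped = []
    for href in re.findall(r'(?:href|src)="([^"]+)"', html):
        result = route(locations, href)
        if result is None or result[0] != backend:
            escaped.append(href)
    return escaped


if __name__ == "__main__":
    for p in ("/emby/web/index.html", "/emby", "/web/x", "/webmail/x", "/sabnzbd/api", "/scripts/app.js"):
        print(f"{p:22} -> {route(LOCATIONS, p)}")
    print("escaping links:", links_that_escape(LOCATIONS, "/emby", CONSTRUCTED_HTML))
```

The two links that escape are the reason sub-path proxying needs either an application-side base-URL setting (so the app emits /emby/... links itself) or a hostname per service, which is the route Tur0k took; the prefix match on /webmail is a reminder that nginx prefix locations are string prefixes, not path segments, so a trailing slash in the location is the safer form when neighbouring prefixes share a beginning.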
