chenks, posted May 11, 2017

That would be great!

Swynol (Author), posted May 11, 2017

ok so here is my config. my router forwards port 443 to my NGINX box, which in turn forwards the traffic to another box. in this example it forwards to my emby box running on 192.168.10.10:8096.

    ##EMBY Server##
    server {
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name emby.secretdomain.com;

        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate SSL/cert.pem;
        ssl_certificate_key SSL/private.key;
        ssl_session_cache shared:SSL:10m;

        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }

        add_header X-Xss-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        proxy_hide_header X-Powered-By;
        add_header 'Referrer-Policy' 'no-referrer';
        add_header Content-Security-Policy "frame-ancestors secretdomain.com emby.secretdomain.com";

        location / {
            proxy_pass http://192.168.10.10:8096;
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }

you could have your other webbox listening on a different port. or something that i haven't tried is forwarding to another box using a default port such as 443 or 80. hope that makes sense

Swynol (Author), posted May 11, 2017

so the above is probably overly complicated. this is probably what you need. it listens on ports 80 and 443 for both ipv4 and ipv6 addresses. delete the ssl stuff if you're not using your own cert and ssl

    ##blah2.com##
    server {
        listen [::]:80;
        listen 80;
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name blah2.com;

        ## only if using HTTPS ##
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate SSL/cert.pem;
        ssl_certificate_key SSL/private.key;
        ssl_session_cache shared:SSL:10m;

        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }
        ## End of HTTPS ##

        add_header X-Xss-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        proxy_hide_header X-Powered-By;
        add_header 'Referrer-Policy' 'no-referrer';

        location / {
            proxy_pass http://192.168.1.57:8096; ##port number??##
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

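As an added example (not a config posted in this thread), here is the HTTPS server block from the posts above with two changes a current deployment would want: TLS 1.0 and 1.1 dropped from ssl_protocols, and the HTTP-to-HTTPS redirect moved into its own port-80 server block instead of an `if` test. Hostname, certificate paths and upstream address are the thread's; TLSv1.3 assumes nginx 1.13.0 or later built against OpenSSL 1.1.1 or later, and the X-Forwarded-Proto header is an addition.

```nginx
# Added example, not from the thread. Goes inside the http { } block.

# Port 80 does nothing except redirect, so no proxied content is ever
# served over plain HTTP and no "if" is evaluated on HTTPS requests.
server {
    listen 80;
    listen [::]:80;
    server_name emby.secretdomain.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name emby.secretdomain.com;

    ssl_certificate     SSL/cert.pem;
    ssl_certificate_key SSL/private.key;
    ssl_protocols       TLSv1.2 TLSv1.3;   # thread's config also enabled TLSv1 and TLSv1.1
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 30m;

    # HSTS is only honoured when received over HTTPS, which is now the
    # only place this block answers.
    add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "no-referrer" always;
    add_header Content-Security-Policy "frame-ancestors secretdomain.com emby.secretdomain.com" always;
    proxy_hide_header X-Powered-By;

    location / {
        proxy_pass http://192.168.10.10:8096;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        # Overwritten by nginx with the TCP peer address on every request.
        proxy_set_header X-Real-IP $remote_addr;
        # Appends to whatever X-Forwarded-For the client sent, so the
        # backend should trust only the last entry in the list.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;   # assumption: backend reads it
        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

Run `nginx -t` after editing to confirm the file parses before reloading.
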
chenks, posted May 11, 2017

Is that a two server solution though? I will have two separate webservers. One has nginx that is reverse proxying to media apps on the same server as nginx. And an iis server.

Blah.com is the nginx server, and blah2.com is to route to the iis server. Both listening on port 80.

Only the router forwards all port 80 traffic to the nginx server.

Swynol (Author), posted May 11, 2017 (edited)

ye separate boxes. so add that config to nginx on your 192.168.1.50 server. that will then forward anything coming in from blah2.com to 192.168.1.57.

i'm not sure if you can forward out on port 80 so proxy_pass 192.168.1.57:80 may not work. however you could do proxy_pass 192.168.1.57:8080 or any other port. then your iis box would have to listen on port 8080 or any other port.

leave your router forwarding port 80 as it is, you shouldn't need to create any more forwarding ports unless you want to use HTTPS

(Edited May 11, 2017 by Swynol)

Swynol (Author), posted May 11, 2017

Just done some reading and if your nginx is listening on port 80 you can forward onto another server listening on 80. So proxy_pass 192.168.1.57:80 will work.

chenks, posted May 12, 2017

right i'm struggling to follow what changes i need to make to my config file. i don't use ssl or IPv6.

Swynol (Author), posted May 12, 2017 (edited)

ok i copied your config from the other page. I've removed all the stuff you don't need and then added another server block which will send all traffic for blah2.com to 192.168.1.57

    worker_processes 1;

    events {
        worker_connections 1024;
    }

    http {
        include mime.types;
        default_type application/octet-stream;
        sendfile on;
        keepalive_timeout 65;
        server_tokens off;

        ##blah.com##
        server {
            listen 80;
            server_name blah.com 192.168.1.50;

            location /sabnzbd {
                proxy_pass http://127.0.0.1:38080;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            }

            location /web {
                proxy_pass http://127.0.0.1:32400/web;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            }

            location /sonar {
                proxy_pass http://127.0.0.1:38082;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            }

            location /radarr {
                proxy_pass http://127.0.0.1:7878;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            }

            location /couchpotato {
                proxy_pass http://127.0.0.1:38083;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            }

            location /transmission {
                proxy_pass http://127.0.0.1:9091;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            }

            location /emby {
                rewrite /emby/(.*) /$1 break;
                proxy_pass http://127.0.0.1:8096;
                proxy_redirect off;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            }

            location /plex {
                rewrite /plex/(.*) /$1 break;
                proxy_pass http://127.0.0.1:32400; # whatever your plex port is
                proxy_redirect off;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            }

            error_page 500 502 503 504 /50x.html;
            location = /50x.html {
                root html;
            }
        }

        ##blah2.com##
        server {
            listen 80;
            server_name blah2.com;

            location / {
                proxy_pass http://192.168.1.57:80;
                proxy_set_header Range $http_range;
                proxy_set_header If-Range $http_if_range;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            }
        }
    }

(Edited May 12, 2017 by Swynol)

chenks, posted May 12, 2017

ok that doesn't seem to be quite working.

http://blah2.com is being directed to the correct server, but for some reason is asking for a user/pass (even though IIS isn't set to do so)

http://www.blah2.com is directing to the wrong server, that's going to 192.168.1.50 when it should be 192.168.1.57.

in fact it isn't just www.blah2.com that is going to the wrong server, it is *.blah2.com.

chenks, posted May 12, 2017 (edited)

solved one of the problems. added *.blah2.com to the config file and now all variations of URL forward to correct server.

and the other problem - strange permission on the html file.

(Edited May 12, 2017 by chenks)

Swynol (Author), posted May 12, 2017

ah ye sorry forgot to add the wild card.

not sure on the user/pass issue. haven't done much with iis. you can try having a basic index.html file on the iis box. see if nginx can proxy_pass straight to it.

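The www.blah2.com symptom reported above follows from how nginx selects a server block: a Host header that matches no server_name is handled by the default server for that listen port, which is the first block defined unless one is marked default_server. The sketch below is an added example, not a config posted in this thread; it reuses the thread's hostnames and addresses, shows the wildcard fix, and adds a catch-all block (an assumption, not something the posters used) so that unknown hostnames are dropped instead of reaching the media apps on 192.168.1.50.

```nginx
# Added example, not from the thread. Goes inside the http { } block.

# 1) Catch-all. Any request whose Host header matches none of the
#    server_name lists below lands here, not in the first app block.
server {
    listen 80 default_server;
    server_name _;      # placeholder name that never matches a real host
    return 444;         # nginx-specific: close the connection, send nothing
}

# 2) Media apps running on the nginx box itself.
server {
    listen 80;
    # Names are separated by spaces. A comma would become part of the name.
    server_name blah.com www.blah.com 192.168.1.50;

    location /radarr {
        proxy_pass http://127.0.0.1:7878;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    # ... the other location blocks from the thread go here unchanged ...
}

# 3) Everything under blah2.com goes to the IIS box.
server {
    listen 80;
    # Exact name plus wildcard; ".blah2.com" is the one-token shorthand
    # for the same pair.
    server_name blah2.com *.blah2.com;

    location / {
        proxy_pass http://192.168.1.57:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

To check the routing from the LAN, send requests to 192.168.1.50 with different Host headers, for example `curl -H 'Host: www.blah2.com' http://192.168.1.50/`; a hostname that matches nothing should get an empty reply rather than one of the apps.
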
pir8radio, posted May 12, 2017

> solved one of the problems. added *.blah2.com to the config file and now all variations of URL forward to correct server.
>
> and the other problem - strange permission on the html file.

Just curious, why are you running IIS behind nginx? Nginx can serve up regular http as well, its main purpose is a web server... If you are doing some .net/asp then yea i would stick with iis.

chenks, posted May 12, 2017

That's exactly it

Swynol (Author), posted May 12, 2017

i'm sure there's a special config for NGINX when using .net asp on an iis. there's quite a bit on google about it.

pir8radio, posted May 12, 2017

> i'm sure there's a special config for NGINX when using .net asp on an iis. there's quite a bit on google about it.

> That's exactly it

Yea i wrote my old site in all asp.. I used iis as a reverse proxy for my other sites, it's a bit more difficult and a huge pain, but you can ditch nginx and use only iis. I ended up just converting over to PHP, then got rid of that site a few years back.. But man I had A-LOT of code with asp, and i was surprised how much smaller my project was when i rewrote it in php.. ANYWAY.. Another option is to use asp on nginx, I have never set it up, but it's out there..

But if you want to stick with what you have try this as a "starter" config for your asp stuff, then start un-commenting lines (remove #). I don't even want to help you troubleshoot if it's an iis issue... I now hate iis.. lol

    ##blah2.com##
    server {
        listen 80;
        server_name blah2.com;

        location / {
            proxy_pass http://192.168.1.57:80;
            #proxy_set_header Range $http_range;
            #proxy_set_header If-Range $http_if_range;
            #proxy_set_header X-Real-IP $remote_addr;
            #proxy_set_header Host $host;
            #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

pir8radio, posted May 15, 2017 (edited)

@Swynol Try adding the below to your config in the http section, maybe add it to your NGINX how to topic on here.. This will compress most of the text, scripts (a lot in emby) and xml. tcp_nodelay will push the emby responses out to the client faster without waiting/buffering.... I've always had this in my config, noticed most people don't use it. You should also try adding http2; to all of your ssl sites... loads pages that have a bunch of images a bit faster for me. But i'm sure you will google and do research.. :-) I have re-enabled my guest account for a bit if you want to test on my setup:

    gzip on;
    gzip_disable "msie6";
    gzip_comp_level 6;
    gzip_min_length 1100;
    gzip_buffers 16 8k;
    gzip_proxied any;
    gzip_types
        text/plain
        text/css
        text/js
        text/xml
        text/javascript
        application/javascript
        application/x-javascript
        application/json
        application/xml
        application/rss+xml
        image/svg+xml;
    tcp_nodelay on;

(Edited May 15, 2017 by pir8radio)

Tur0k, posted May 16, 2017 (edited)

I provision my secure connections using:

- squid reverse proxy setup on my firewall.
- A domain I purchased from google.
- A DDNS subdomain I have configured on my google domain.
- A dynamic DNS client on my firewall that keeps my DDNS A record up to date automatically.
- An ACME package to manage my SSL certificates.

On my firewall the only services I allow through are my reverse proxy and my VPN. For me this is preferable because my firewall config does not look like Swiss cheese.

Additionally my URL is slick HTTPS://ddns.mydomain.net. My SSL certificate is for ddns.mydomain.net. My primary service that is needed outside my internal network is Emby, so currently I have that setup as the default site but technically it is HTTPS://ddns.mydomain.net/emby. Any subsequent services after that would have a different name after the last "/".

Personally I like this too because the URL looks clean without the port identifier needing to be enumerated. The web based services just assume port 443 when you use "https://".

(Edited May 16, 2017 by Tur0k)

pir8radio, posted May 16, 2017

> I provision my secure connections using:
>
> - squid reverse proxy setup on my firewall.
> - A domain I purchased from google.
> - A DDNS subdomain I have configured on my google domain.
> - A dynamic DNS client on my firewall that keeps my DDNS A record up to date automatically.
> - An ACME package to manage my SSL certificates.
>
> On my firewall the only services I allow through are my reverse proxy and my VPN. For me this is preferable because my firewall config does not look like Swiss cheese.
>
> Additionally my URL is slick HTTPS://ddns.mydomain.net

Good work, yea that's what we are talking about with nginx, we only have 80 and 443 open on the firewall.

Swynol (Author), posted May 16, 2017 (edited)

> @Swynol Try adding the below to your config in the http section, maybe add it to your NGINX how to topic on here.. This will compress most of the text, scripts (a lot in emby) and xml. tcp_nodelay will push the emby responses out to the client faster without waiting/buffering.... I've always had this in my config, noticed most people don't use it. You should also try adding http2; to all of your ssl sites... loads pages that have a bunch of images a bit faster for me. But i'm sure you will google and do research.. :-) I have re-enabled my guest account for a bit if you want to test on my setup:
>
>     gzip on;
>     gzip_disable "msie6";
>     gzip_comp_level 6;
>     gzip_min_length 1100;
>     gzip_buffers 16 8k;
>     gzip_proxied any;
>     gzip_types
>         text/plain
>         text/css
>         text/js
>         text/xml
>         text/javascript
>         application/javascript
>         application/x-javascript
>         application/json
>         application/xml
>         application/rss+xml
>         image/svg+xml;
>     tcp_nodelay on;

thanks @pir8radio i will give that a go. haven't used http2 yet, although have been reading up on it.

EDIT: just added the above. hasn't broken anything and everything seems much snappier.

(Edited May 16, 2017 by Swynol)

chenks, posted July 20, 2018

sorry to dredge this thread back up, but it contains discussions previously had about nginx and reverse proxy using windows.

i still have nginx doing reverse proxy so i can access my services. however, i'm now looking at dropping nginx completely and doing everything with IIS. does anyone know if IIS can do the same job as nginx did?

the end result should be

    blah.com/service1 > 192.168.1.2:12345
    blah.com/service2 > 192.168.1.2:54321
    blah.com/service3 > 192.168.1.2:44332
    blah.com/service4 > 192.168.1.2:33442

pir8radio, posted July 20, 2018 (edited)

> sorry to dredge this thread back up, but it contains discussions previously had about nginx and reverse proxy using windows.
>
> i still have nginx doing reverse proxy so i can access my services. however, i'm now looking at dropping nginx completely and doing everything with IIS. does anyone know if IIS can do the same job as nginx did?
>
> the end result should be
>
>     blah.com/service1 > 192.168.1.2:12345
>     blah.com/service2 > 192.168.1.2:54321
>     blah.com/service3 > 192.168.1.2:44332
>     blah.com/service4 > 192.168.1.2:33442

It can, but you will be fighting all the way to get it to work correctly with emby or other complicated application servers. It's not as easy to work with the headers and what not... I actually WAS all IIS and switched to nginx for my webserver and proxy because of this.

(Edited July 20, 2018 by pir8radio)

chenks, posted July 20, 2018

I'll be looking to do it with the following: Sabnzbd, sonarr, radarr, transmission and possibly jackett.

You got any pointers or instructions to do it?

pir8radio, posted July 20, 2018 (edited)

> I'll be looking to do it with the following: Sabnzbd, sonarr, radarr, transmission and possibly jackett.
>
> You got any pointers or instructions to do it?

This is a good start: https://blogs.msdn.microsoft.com/friis/2016/08/25/setup-iis-with-url-rewrite-as-a-reverse-proxy-for-real-world-apps/ but you will quickly find it's not as fun as nginx.. Much more than that, and i would have to load up IIS to refresh my memory.. I remember HTTPS was not fun either.

(Edited July 20, 2018 by pir8radio)

chenks, posted July 21, 2018

i had a look at the article previously, but it didn't appear to offer the solution i was looking for. ie it was doing it for a domain at root level, but i was wanting to do it based on what is after the / .

Tur0k, posted July 21, 2018 (edited)

> i had a look at the article previously, but it didn't appear to offer the solution i was looking for. ie it was doing it for a domain at root level, but i was wanting to do it based on what is after the / .

I tried to do this with the PFSENSE squid reverse proxy. I was procuring for my home automation system and Emby. I found it difficult because many of the buttons in the web content were url pointers to specific sub directory content after the domain.

That is a major part of the reason I picked up a first level domain and use subdomains to differentiate the services behind my reverse proxy.

(Edited July 21, 2018 by Tur0k)