Reverse Proxy VS hostname forwarding


Swynol

chenks

I tried to do this with the PFSENSE squid reverse proxy. I was proxying for my home automation system and Emby. I found it difficult because many of the buttons in the web content were url pointers to specific sub directory content after the domain. That is a major part of the reason I picked up a first level domain and use subdomains to differentiate the services behind my reverse proxy.

 

 


 

most, if not all, the services i plan to use have a "URL Base" setting so you can tell it that it's now being used in such a way.

this removes any of the issues you found.


Swynol

i started the thread before i really gave nginx a chance. from someone who has used both options, NGINX is clearly the way forward.


chenks

I have a specific reason for moving away from nginx to iis, so unfortunately it doesn't matter how great nginx is


pir8radio

I have a specific reason for moving away from nginx to iis, so unfortunately it doesn't matter how great nginx is

 

well... not trying to woo you to stay with nginx... I understand weird reasons for doing one thing or another.. But I am a little curious what the reason is? I promise I won't try to tell you nginx can do that too lol.... just curious. but you should be able to do what you are looking to do in iis, might just have to google around.. I don't think you will find as many examples as you would for nginx, but the info is out there if you do some digging.


chenks

because i want to go 100% IIS.

i'll be doing asp.net stuff and i just want to keep it solely IIS without having nginx sitting anywhere.

 

any chance you could fire up your IIS and refresh your memory?

i'm getting nowhere fast with this, and none of the msdn sites seem to show examples of this way of doing it - they all seem to point to using sub-domains.

Edited by chenks

pir8radio

because i want to go 100% IIS.

i'll be doing asp.net stuff and i just want to keep it solely IIS without having nginx sitting anywhere.

 

any chance you could fire up your IIS and refresh your memory?

i'm getting nowhere fast with this, and none of the msdn sites seem to show examples of this way of doing it - they all seem to point to using sub-domains.

 

I'll do some digging... I'll fire up IIS and see what my old emby rule was... maybe something like....

<rule name="Proxy">
    <!-- match url is tested against the request path only (no scheme, host or leading slash) -->
    <match url="^emby/(.*)" />
    <action type="Rewrite" url="http://domain.com/{R:1}" />
</rule>

https://docs.microsoft.com/en-us/iis/extensions/url-rewrite-module/url-rewrite-module-configuration-reference

Edited by pir8radio

chenks

i've been using sabnzbd as my test application.

i got it working with a sub-domain, so that's a start at least.

 

this is using Windows Server 2012 R2

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <rule name="ReverseProxyInboundRule1" stopProcessing="true">
                    <match url="(.*)" />
                    <action type="Rewrite" url="http://192.168.1.2:8080/{R:1}" />
                    <serverVariables>
                        <set name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}" />
                        <set name="HTTP_ACCEPT_ENCODING" value="" />
                    </serverVariables>
                </rule>
            </rules>
            <outboundRules>
                <rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1">
                    <match filterByTags="A, Form, Img" pattern="^http(s)?://192.168.1.2:8080/(.*)" />
                    <action type="Rewrite" value="http{R:1}://sabnzbd.blah.co.uk/{R:2}" />
                </rule>
                <rule name="RestoreAcceptEncoding" preCondition="NeedsRestoringAcceptEncoding">
                    <match serverVariable="HTTP_ACCEPT_ENCODING" pattern="^(.*)" />
                    <action type="Rewrite" value="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" />
                </rule>
                <preConditions>
                    <preCondition name="ResponseIsHtml1">
                        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
                    </preCondition>
                    <preCondition name="NeedsRestoringAcceptEncoding">
                        <add input="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" pattern=".+" />
                    </preCondition>
                </preConditions>
            </outboundRules>
        </rewrite>
    </system.webServer>
</configuration>

  • 4 months later...

Hello

I must be an idiot because after trying all day I am unable to get it working. My initial goal is to get my server secure. I tried various conf that have been posted changing what I thought was needed however it still won't work. Currently I have a domain from freenom but am not positive if I have the dns setup correctly. If someone can let me know how to setup the dns I can check my settings to see if they are correct. My IP seldom changes but I have an account at dyndns and can forward if necessary. I didn't seem to have an issue creating the certs. I think the issue may be around the fact that I use a vpn. I am using a forwarded port and can't use 443 as suggested in your guide. I have been able to access Emby in the past from remote using http without issue. Do you have any suggestions?

 

Thanks


So on the public Internet you would want a DNS A record that points to your home’s public Internet IP address. Often domain hosts have a program that can be installed on a computer in your home that allows you to dynamically update a synthetic record to your public Internet IP address.

 

Have you done anything like this?

 

 


Edited by Tur0k

The problem I am having is that my server isn't accessible from the internet.  I have tried the HTTPS way and the reverse proxy method.  It is clearly something I am doing wrong,  this is completely foreign to me.  I added an A record and used my current IP as found using "whatsmyip".  I added a cname "emby" as most of the posts have directed.  It is directed towards my domain xxxxxx.xxx. When I ping emby.xxxxxx.xxx I get a response from my public  IP address (vpn exit IP).  I setup emby with the cert,  added my domain emby.xxxxxx.xxx and used a port that is known to be forwarded through my vpn.  Emby shows https://emby.xxxxxx.xxx:forwarded port after a restart.  I have tried accessing it from both inside and outside my home network and neither works.  Windows has the port open for both udp and tcp.  I am sure I just missed a step.....

 

Thanks

Edited by KeithA

I think my issue may be the vpn. I can't use any port I want so the typical 443 won't be forwarded to the vpn. It generates a random port that must be used.


The problem I am having is that my server isn't accessible from the internet. I have tried the HTTPS way and the reverse proxy method. It is clearly something I am doing wrong, this is completely foreign to me. I added an A record and used my current IP as found using "whatsmyip". I added a cname "emby" as most of the posts have directed. It is directed towards my domain xxxxxx.xxx. When I ping emby.xxxxxx.xxx I get a response from my public IP address (vpn exit IP). I setup emby with the cert, added my domain emby.xxxxxx.xxx and used a port that is known to be forwarded through my vpn. Emby shows https://emby.xxxxxx.xxx:forwarded port after a restart. I have tried accessing it from both inside and outside my home network and neither works. Windows has the port open for both udp and tcp. I am sure I just missed a step.....

 

Thanks

What is the deal with trying to host the connection through your VPN?

 

 



I guess I don't know any better.  My computer has a vpn client and is normally on 24/7.  All of my traffic goes through it.  Is there another way to be more anonymous online?  It hasn't been an issue until I tried this.  I certainly am open to other ideas.

 

Thanks


I guess I don't know any better. My computer has a vpn client and is normally on 24/7. All of my traffic goes through it. Is there another way to be more anonymous online? It hasn't been an issue until I tried this. I certainly am open to other ideas.

 

Thanks

Fair, I have a very similar setup.

 

Really, I want my browsing to be private. I don’t mind access from the public Internet to my Emby environment being hosted through my WAN IP.

 

I set access to the Internet from my Emby server through my VPN. When browsing the Internet the source IP is the source IP of my VPN service.

 

Access from the Internet to my Emby front end is handled via my reverse proxy and is facilitated via the wan public IP with my ISP.

 

That said, I address security in a few ways.

1. I have implemented an IP reputation blocking tool installed on my internet facing firewall. It synchronizes with multiple lists that are publicly maintained. It blocks communication to and from malicious sources.

2. Additionally, I augment this with countermeasures that block at 8 bad password attempts from public Internet sources.

 

 


Edited by Tur0k

Thanks for your reply!

 

How do you give access around the VPN?  I connect using the app provided from the provider.  It is pretty basic and doesn't allow special openvpn arguments.  I would like to set it up similar to what you are doing.

 

Thanks again for your help....


Thanks for your reply!

 

How do you give access around the VPN? I connect using the app provided from the provider. It is pretty basic and doesn't allow special openvpn arguments. I would like to set it up similar to what you are doing.

 

Thanks again for your help....

1. Set your DDNS synthetic A record subdomain to your home’s wan address. If you use a small app to synch, don’t use it on your Emby Server as it will report that it is on its vpn Public IP.

 

2. Stand up a reverse proxy ( Nginx, HAProxy, caddy, etc) on another system on the same local network.

A. Setup the proxy to handle Emby connections.

B. Setup SSL offloading in the reverse proxy.

 

3. Port forward port 443 to your reverse proxy.

 

 

Test

 


Edited by Tur0k
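
The reverse proxy with SSL offloading from steps 2 and 3 of the post above, written out as an nginx server block. This is an added example, not a configuration posted by anyone in this thread; the hostname `emby.example.com`, the backend address `192.168.1.10:8096` and the certificate paths are placeholder assumptions.

```nginx
# Added example; place inside the http { } block of nginx.conf.
# emby.example.com, 192.168.1.10:8096 and the certificate paths are placeholders.

# Pass WebSocket upgrades through to the backend (the Emby web client uses them).
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    # Step 3: the router forwards WAN port 443 to this listener.
    # (nginx 1.25.1 and later prefer a separate "http2 on;" directive.)
    listen 443 ssl http2;
    server_name emby.example.com;   # the DDNS name from step 1

    # Step 2B: TLS ends here; the hop to the backend is plain HTTP on the LAN.
    ssl_certificate     /etc/nginx/certs/emby.example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/emby.example.com.key.pem;

    # Add TLSv1.3 only when nginx is built against OpenSSL 1.1.1 or later.
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    location / {
        # Step 2A: hand every request for this hostname to the Emby backend.
        proxy_pass http://192.168.1.10:8096;
        proxy_http_version 1.1;

        proxy_set_header Host $host;
        # Forward the real client address. Without these headers every request,
        # failed logins included, appears to come from the proxy's LAN address,
        # so per-source lockouts and logs on the backend cannot tell clients apart.
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Stream media to the client instead of buffering it on the proxy.
        proxy_buffering off;
    }
}
```

Run `nginx -t` after editing to validate the syntax before reloading.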

  • 1 year later...

 

Guys is there any interest in a Nginx Windows version compiled against OpenSSL 1.1.0 with http2 module enabled to check out latest cipher suites like CHACHA20_POLY1305?

 

Since the official or several unofficial Win Binaries of Nginx do either not include http2 module or do not use OpenSSL 1.1.0, I decided to set up a Windows Build environment and try it myself from source.

 

 

Latest Win Binary I use currently is latest Nginx 1.11.10 source with OpenSSL 1.1.0c.

nginx version: nginx/1.11.10
built by cl 16.00.30319.01 for 80x86
built with OpenSSL 1.1.0c  10 Nov 2016
TLS SNI support enabled
configure arguments: --with-cc=cl --builddir=objs --prefix= --conf-path=conf/nginx.conf --pid-path=logs/nginx.pid --http-log-path=logs/access.log --error-log-path=logs/error.log --sbin-path=nginx.exe --http-client-body-temp-path=temp/client_body_temp --http-proxy-temp-path=temp/proxy_temp --http-fastcgi-temp-path=temp/fastcgi_temp --http-scgi-temp-path=temp/scgi_temp --http-uwsgi-temp-path=temp/uwsgi_temp --with-cc-opt=-DFD_SETSIZE=32768 --with-pcre=objs/lib/pcre-8.40 --with-zlib=objs/lib/zlib-1.2.11 --with-openssl=objs/lib/openssl-1.1.0c --with-select_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_stub_status_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-http_secure_link_module --with-http_slice_module --with-mail --with-stream --with-http_ssl_module --with-mail_ssl_module --with-stream_ssl_module --with-http_v2_module --add-module=objs/lib/nginx-rtmp-module-1.1.10 --with-openssl-opt=no-asm

 

Emby Server 4.4 will have http2 support on Windows and Linux.
