BI HTTPS with Nginx Reverse Proxy

ruppmeister

I just set up a new Windows Hyper-V server in the house for my Plex tasks and the like. Part of this install was to get a reverse proxy using SSL/TLS certificates up and working with Nginx. Everything went so well that I decided to throw in access for my Blue Iris setup running on a separate machine from the reverse proxy too.

I was wondering if the IPCT community was interested in a write-up on how to accomplish this. I know about STunnel and its use with BI. Just wondering if it would be worth the time doing an Nginx write-up for others.

This requires a Linux installed server and could even be done using a Raspberry Pi. I currently use Fail2Ban with basic authentication on the reverse proxy to prevent unauthorized attempts to access my server. I also use Let's Encrypt as my source for free SSL certificates for my domain.

Thoughts?

Edit: added more content.
 

Vini

I'd be very interested in a how to/write up for this! I run nginx under Docker...
 

ruppmeister

Both BI phone apps (iPhone and Android) have the option to turn https on, but as of my last attempt to get it working with a reverse proxy it was not working. I believe it was coded to work when you use STunnel though.


Sent from my iPhone using Tapatalk
 

uteschj

Signed up to say I have an Nginx reverse proxy set up in a FreeNAS jail with Let's Encrypt and so far it has been working great through the web browser and the Blue Iris app.
 

Gibby13

What does your nginx config look like? I switched from using an Apache reverse proxy to an nginx reverse proxy and the performance even locally is terrible with nginx.
 

uteschj

My config is almost identical to Nayr's guide for Domoticz (posted above).

I added
Code:
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
to the location block of the proxy so Blue Iris could log the IPs of the incoming connections.

Maybe try turning SSL off for the proxy and check the performance?

I only dabble in Nginx, sorry!
 

Gibby13

So when using the Blue Iris Android app it works great both remotely and locally. Issue is just with UI2 and IP Cam Viewer when going through NGINX, FPS drops to around 0.5.

I have messed around a little bit with tcp_nodelay, tcp_nopush, and the proxy buffer settings with NGINX and it helped a little bit but not much. Here is my current NGINX config

Code:
server {
    # "listen 443 ssl" replaces the obsolete "ssl on;" directive,
    # which nginx 1.25.1 and later no longer accept.
    listen 443 ssl;
    server_name my.fqdn.com;

    ssl_certificate           /certpath;
    ssl_certificate_key       /certpath;

    ssl_session_cache  builtin:1000  shared:SSL:10m;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996).
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    access_log            /var/log/nginx/my.fqdn.access.log;
    error_log             /var/log/nginx/my.fqdn.error.log;

    location / {
        tcp_nodelay             on;
        tcp_nopush              off;
        # With buffering off, responses are passed to the client as they arrive.
        proxy_buffering         off;
        proxy_buffer_size       256k;
        proxy_buffers           4 512k;
        proxy_busy_buffers_size 512k;
        proxy_set_header        Host $host;
        # Pass the client address and scheme to the backend for its logs.
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;

        proxy_pass          http://xxx.xxx.xxx.xxx;
        proxy_read_timeout  90;

        # Rewrite backend redirects so they point at the public HTTPS name.
        proxy_redirect      http://xxx.xxx.xxx.xxx https://my.fqdn.com;
    }
}
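
A hardened variant of the server block posted above, added here as an example and not taken from any poster's working setup. It puts the weak TLS and X-Forwarded-For settings beside corrected ones and adds the proxy-side basic authentication mentioned in the first post. The certificate paths, the htpasswd path and the backend address 192.0.2.10 are placeholders/assumptions.

```nginx
# Added example; paths and the backend address are placeholders.
server {
    # "ssl" on the listen line replaces the obsolete "ssl on;" directive.
    listen 443 ssl;
    server_name my.fqdn.com;

    # Assumed certbot layout for a Let's Encrypt certificate.
    ssl_certificate     /etc/letsencrypt/live/my.fqdn.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/my.fqdn.com/privkey.pem;

    # Weak:  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # Fixed: TLS 1.0 and 1.1 are deprecated (RFC 8996).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    access_log /var/log/nginx/my.fqdn.access.log;
    error_log  /var/log/nginx/my.fqdn.error.log;

    location / {
        # Basic authentication at the proxy. Failed attempts are written
        # to error_log, which is the file Fail2Ban would watch.
        auth_basic           "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;   # assumed path

        # Pass camera frames through as they arrive instead of buffering.
        proxy_buffering    off;
        proxy_read_timeout 90;

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        # Weak:  X-Forwarded-For $proxy_add_x_forwarded_for appends to
        #        whatever header the client sent, so the backend may log
        #        an address the client made up.
        # Fixed: this proxy is the internet-facing hop, so overwrite it.
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_pass     http://192.0.2.10;             # placeholder backend
        proxy_redirect http://192.0.2.10/ https://my.fqdn.com/;
    }
}
```

Run `nginx -t` to validate the file before reloading the service.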
 

uteschj


I am unfamiliar with setting up IP Cam Viewer in conjunction with Blue Iris. If you point me to a forum post or share the connection string I can try it on my system and report back.
 

Gibby13

Can you try it with UI2 and see what your FPS is?
 

uteschj

Just installed UI2. Pretty nice!!

I'm getting 9 FPS on my cheap low quality cameras and around 3 FPS on my higher quality Hiks.
I was able to increase the FPS to about 6 by decreasing the JPEG quality and scale under the camera's webcast properties.

Note FPS measurements were taken over the WAN.

I can test FPS locally for you tomorrow.

Sending you a PM.
 

Jury

Trying to set up access via an Nginx reverse proxy. Unfortunately, I'm getting a loop on the login page. Whenever a correct or wrong user/password is provided, the login page reappears. Direct login from LAN and WAN is working OK. Can anyone with a working reverse proxy share its setup? For now I re-used the one from post #10 and it's not working for me.

PS. Not actual. Somehow it started working.
 

uteschj

I had that happen. In my case I believe it was an issue of conflicting cookies. I simply cleared my cookies.
 

Jury


uteschj

The only thing I got to work was https://my_domain_name:any_my_external_port being redirected to http://my_local_ip:my_BI_web_port. I got authentication to work with /nvr/ as the virtual value in the web server settings, meaning that https://my_domain_name/nvr/ opened the login page, but after login the /nvr/ part was removed and nothing happened then. I suppose something should be fixed on the BI side.
This JavaScript function inside the (UI2) login.htm page would most likely be why.


function LeaveLoginPage()
{
    $.cookie("session", existingSession, { path: "/" });
    var page = UrlParameters.Get("page");
    if (page == "")
        page = "/";
    location.href = page;
}

Switch this line
page = "/";

To this
page = "/nvr/";
 