BI HTTPS with Nginx Reverse Proxy

This javascript function inside the (UI2) login.htm page would most likely be why.

Thx. I will try and let you know about results. If that's the case, BI web part should be fixed to respect app settings everywhere.
 
Yeah... For ui2, if I request with /NVR/ at the end, I got message "unable to locate server" or something like that.
Unfortunately, for now, I'm not using ui2, because I have an issue with redirect after successful login. I posted this in ui2 thread.
And in original login, no such function. So no chance to fix there.
 
I've been playing with comparing nginx and stunnel and in my scenario, nginx is much more flexible but performance is much worse than with stunnel. Connections to stunnel respond back within a couple of seconds. Nginx sometimes takes tens of seconds to connect. I have them both set as Windows services so I can switch between them easily.

My CPU is an older Core i5 750 which was satisfactory for the stunnel configuration but not the nginx configuration.

The two nginx features I really like are:
  • rewrite any http connections to https automatically
  • allow me to configure LetsEncrypt free certificates and install them
but I can't afford the performance penalty.

I'll just have to use nginx when I need to refresh my LetsEncrypt certs then switch back to stunnel for day to day operations.

Code:
#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    server {
        listen       80;
        server_name  my.fqdn.com;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
            #root   html;
            #index  index.html index.htm;
            return  301 https://$server_name$request_uri;
        }
        location ^~ /.well-known/acme-challenge {
            allow all;
            default_type "text/plain";
            root   html;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }

    # HTTPS server
    #
    server {
        listen       443 ssl;
        server_name  my.fqdn.com;

        ssl_certificate      certX.crt.pem;
        ssl_certificate_key  certX.key.pem;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            proxy_pass http://localhost:81; # my existing apache instance
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

}
 
I have a virtual Linux machine on my server with nginx and letsencrypt for that.
 
Do you run it 24x7 and automate the renewals? In my case, I need to manually turn off the stunnel, start the nginx and manually run through the powershell scripts to refresh the certs. Then get back to normal ops by shutting down the nginx and restarting the stunnel.

My machine isn't powerful enough (i5 750 w/ 16g) to run the VM full time in the background. At least I assume it isn't powerful enough since I've never actually tried it on this machine.
 
I use OMV (Openmediavault) as a Linux virtual machine. 24x7. Let's Encrypt renewal happens once every 30 days. Done by cron task. I'm not using stunnel at all. Response from Nginx without delays. My server is Xeon W3530 12G (DELL Precision T3500). BI handles 20 cameras (720P).
 
Could you share your LetsEncrypt config for Blue Iris Reverse Proxy?
 
@jcreynoldsii I use docker to setup Lets Encrypt now.

You just need to change a couple lines for ip, port, hostnames and email and it should be usable.

I use letsencrypt via docker as well. Haven't had success setting it up yet.

 
Still trying to work this out. I'll post my configs later and hopefully someone smarter than I can spot my mistakes.
 
I have setup a reverse proxy with nginx for ssl and I do get a performance hit on the android app... the video feed is not as smooth (low fps) as when not using the reverse proxy.
Has anyone found a solution?
 
note that the lag seems only affecting the android app ... the video feed seems fine on desktop chrome with the reverse proxy
 
I have nginx reverse proxy with SSL and both Android app and PC web browsers work fine when accessed from the outside.
 
NGINX:
server {
    listen 443 ssl;
    listen [::]:443 ssl;   # the ssl parameter is per listen socket; without it the IPv6 listener speaks plaintext HTTP on 443

    server_name blueiris.xxx.xxx;

    error_log /var/log/nginx/blueiris_error.log;
    access_log /var/log/nginx/blueiris_access.log;
    
    ssl_certificate     /etc/letsencrypt/live/xxx.xxx/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xxx.xxx/privkey.pem;
    
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header Front-End-Https   on;

        proxy_pass http://192.168.xx.xx;
        proxy_read_timeout 90;

        proxy_redirect off;
    }
}
 
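A small lint pass over a server block like the one posted above, added here as an example (it is not the poster's config or any nginx tooling). It runs on a constructed sample that reproduces the shape of that config, flags a port-443 listener that lacks the ssl parameter (plaintext HTTP on the IPv6 socket, which nginx -t accepts as valid syntax), and reports which of the forwarding headers used in this thread are missing. The sample hostname and upstream address are placeholders.

```python
import re

# Constructed sample modelled on the config posted in this thread:
# IPv4 listener has "ssl", the IPv6 listener does not.
SAMPLE_CONF = """
server {
    listen 443 ssl;
    listen [::]:443;
    server_name blueiris.example.invalid;   # placeholder hostname
    ssl_certificate     /etc/letsencrypt/live/example/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example/privkey.pem;
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://192.168.0.10;     # placeholder upstream
    }
}
"""

# Headers the configs in this thread set so the upstream sees the real client and scheme.
EXPECTED_HEADERS = ("Host", "X-Real-IP", "X-Forwarded-For", "X-Forwarded-Proto")


def directives(conf):
    """Yield (name, args) for each simple directive; comments and braces are skipped."""
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(";")
        if not line or line.endswith("{") or line == "}":
            continue
        parts = line.split()
        yield parts[0], parts[1:]


def lint_tls_proxy(conf):
    """Return a list of findings for one server block (empty list means clean)."""
    findings = []
    set_headers = set()
    for name, args in directives(conf):
        if name == "listen" and args:
            addr = args[0]
            port = addr.rsplit(":", 1)[-1]          # "[::]:443" -> "443", "443" -> "443"
            if port == "443" and "ssl" not in args:
                findings.append(f"listen {addr}: port 443 without 'ssl' serves plaintext HTTP")
        elif name == "proxy_set_header" and args:
            set_headers.add(args[0])
    for header in EXPECTED_HEADERS:
        if header not in set_headers:
            findings.append(f"missing proxy_set_header {header}")
    return findings


if __name__ == "__main__":
    for finding in lint_tls_proxy(SAMPLE_CONF):
        print(finding)
```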
thx but still the same... video playback and live feed on android app is stuttering with reverse proxy :(