jackwan1 (Members, 16 posts)

Posts posted by jackwan1

  1. 4 hours ago, mgutt said:

    Correct. I had the same situation with Minecraft servers. Finally I forwarded the ports directly to the specific containers instead of using stream hosts.

     

    There is a third-party module available which allows SNI-based forwarding with Nginx, but it's not part of NPM:

    https://serverfault.com/questions/628147/nginx-proxy-based-on-sni-without-decryption

     

     

    I read the installation instructions of that third-party module and found the following note:

    “Note, You can't use the same listening port with HTTP modules.”

    It looks like with that module you still need to open a unique port for each streaming service, same as NPM, which defeats the purpose. I will keep my port forwarding and DDNS.

  2. I have a security camera NVR and an associated phone app that uses a data format called "mobile data" format to access the NVR on port XXXX. This data format is not HTTP. But the proxy manager only has http and https formats. How can I override this? A search of the net indicates that since Nginx 1.9.0 you can put the following in the config:

    stream {
        upstream backend {
            server backend1.example.com:12345;
        }
        server {
            listen 12345;
            proxy_pass backend;
        }
    }

    Is this what I am supposed to put in the "advanced" section?

  3. Side effect of opening external access to the EdgeRouter UI using the reverse proxy.

    As stated before, I have no problem accessing the router from outside; however, I found the following side effect, which is described by the OP in this thread.

     

    Edgerouter Lite Logs Show Someone Trying to SSH into UniFi AC : Ubiquiti (reddit.com)

     

    I thought I had set up the firewall rules on my edgerouter correctly to drop the packets to prevent someone from accessing my unifi AP AC Lite via ssh from outside of the network. Looking at the logs on my router today it seems as if that isn't the case. My question is, what do I have to change?

    I have set up a static DNS (via duckdns) service to remotely access the edgerouter and have the AP connected to my UniFi account. That is all I need. SSH can be from inside the network only.

    Port forwarding is disabled.

    Snippet of my logs:

    Jan 19 19:13:17 ubnt sshd[9296]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=153.99.182.4 user=root

    Jan 19 19:13:12 ubnt sshd[9263]: PAM service(sshd) ignoring max retries; 6 > 3

    Jan 19 19:13:12 ubnt sshd[9263]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=153.99.182.4 user=root

    Jan 19 19:13:05 ubnt sshd[9267]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.204.181 user=root

    Jan 19 19:12:58 ubnt sshd[9267]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.204.181 user=root

    Jan 19 19:12:55 ubnt sshd[9263]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=153.99.182.4 user=root

    Jan 19 19:12:51 ubnt sshd[9232]: PAM service(sshd) ignoring max retries; 6 > 3

     

    I can disable SSH in my router UI, but based on the post below, it did not really solve the problem.

     

    That disables ssh access to your ERL. Your AP isn't getting any SSH attempts, your ERL is. If you've set it up properly then this shouldn't be a concern. The way it should be done is that WAN_LOCAL only allows established and related in and SSH. SSH should be configured to only allow public key authentication, no password authentication. The webui will always only authenticate with a password so make it listen only on some management IP and restrict access as you see fit, maybe even only allow access from the ERL itself and use SSH tunneling to log into the webui.

    You certainly don't have to set it up this way but you need to secure any outside access such that anything on the internet can't connect without an authorized public key. From what you've told us you left the webui totally open to the world so blocking just ssh doesn't help anything, you need to block the webui from remote attackers as well.

     

    Is there anything Nginx can do about this, or do I have to configure SSH public-key authentication? What if I forwarded to a non-standard port locally?

     

    By the same token, am I also subject to these attempts by opening webmin?
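    The sshd lines quoted above are worth counting rather than reading one by one. The following Python script is an added example, not code from this thread or from NPM: it takes the quoted log snippet as constructed sample input, tallies the single `authentication failure` records and the summarised `PAM N more authentication failures` records per source address (`rhost`), and reports the sources that reached a threshold. The function names and the threshold of 5 are my own choices. Note that these attempts are against sshd on the router's WAN side, which NPM's HTTP proxying does not sit in front of, so the remedy is the router firewall and SSH configuration described in the quoted reply, not an nginx rule.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: the sshd lines quoted in the post above.
SAMPLE_LOG = """\
Jan 19 19:13:17 ubnt sshd[9296]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=153.99.182.4 user=root
Jan 19 19:13:12 ubnt sshd[9263]: PAM service(sshd) ignoring max retries; 6 > 3
Jan 19 19:13:12 ubnt sshd[9263]: PAM 5 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=153.99.182.4 user=root
Jan 19 19:13:05 ubnt sshd[9267]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.204.181 user=root
Jan 19 19:12:58 ubnt sshd[9267]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.204.181 user=root
Jan 19 19:12:55 ubnt sshd[9263]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=153.99.182.4 user=root
Jan 19 19:12:51 ubnt sshd[9232]: PAM service(sshd) ignoring max retries; 6 > 3
"""

# One rejected password, logged by pam_unix for each attempt.
SINGLE_FAILURE = re.compile(
    r"pam_unix\(sshd:auth\): authentication failure;.*\brhost=(?P<rhost>\S+) user=(?P<user>\S*)"
)
# When a session exceeds the retry limit, PAM summarises the remaining
# failures in one line instead of logging each of them separately.
MORE_FAILURES = re.compile(
    r"PAM (?P<count>\d+) more authentication failures;.*\brhost=(?P<rhost>\S+) user=(?P<user>\S*)"
)


def count_failures(log_text):
    """Return ({rhost: total failed attempts}, {rhost: sorted usernames tried})."""
    totals = Counter()
    users = defaultdict(set)
    for line in log_text.splitlines():
        m = SINGLE_FAILURE.search(line)
        if m:
            totals[m["rhost"]] += 1
            users[m["rhost"]].add(m["user"])
            continue
        m = MORE_FAILURES.search(line)
        if m:
            # The summary line stands for <count> attempts, not one.
            totals[m["rhost"]] += int(m["count"])
            users[m["rhost"]].add(m["user"])
    return dict(totals), {h: sorted(u) for h, u in users.items()}


def flag_sources(totals, threshold=5):
    """Sources whose failure count reached the threshold (threshold is an assumed value)."""
    return sorted(h for h, n in totals.items() if n >= threshold)


if __name__ == "__main__":
    totals, users = count_failures(SAMPLE_LOG)
    for host in flag_sources(totals):
        print(f"{host}: {totals[host]} failed logins, usernames tried: {', '.join(users[host])}")
```

    On the quoted snippet this attributes 7 failures to 153.99.182.4 and 3 to 58.218.204.181, all against `root`; the "ignoring max retries" lines carry no source address and are skipped. A real EdgeRouter log would be read from /var/log/auth.log or `show log` output instead of the embedded string.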

  4. @mgutt

    I forwarded https to 443 on my router, no conflict of ports; it's not running in a container. What I failed to do was turn on websocket support in NPM; once I did that, everything worked fine.

    Incidentally, when I put this into the advanced section:

        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_http_version 1.1;

    the NPM entry for the edgerouter went offline, so I took it out and it's all good.

  5. @mgutt

    Here is another interesting problem, this time involving an empty EdgeRouter GUI behind the nginx reverse proxy.

    The problem manifested just as described by the OP in the following thread. Basically I CAN log in to the edgerouter, but when I get there the WebGUI is empty.

    There were many discussions but I can't get anything out of them. There is a suggestion of a websocket fix on the Ubiquiti community forum.

    Access Edgemax gui via nginx reverse proxy - websocket problem | Ubiquiti Community

    by gainfulshrimp

    server {
        listen 80;
        server_name ubnt.mydomain.com;
        return 301 https://$host$request_uri;
    }

    upstream erl {
        server 192.168.1.1:443;
        keepalive 32;
    }

    server {
        listen 443 ssl http2;
        include /etc/nginx/snippets/letsencryptcerts.conf;
        server_name ubnt.mydomain.com;
        include /etc/nginx/snippets/letsencryptauth.conf;
        client_max_body_size 512m;

        location / {
            include /etc/nginx/snippets/localonly.conf;
            proxy_pass https://erl;
            proxy_http_version 1.1;
            proxy_buffering off;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            # the original post spelled this "X-Forward-For"; the standard header name is X-Forwarded-For
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

    But I do not know enough about it to implement it in NPM. There was also a post indicating that haproxy will fix the problem; why is there a difference?

    I added the following in the advanced section but it did not work:

        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;                  # I also tried the domain name here
        proxy_set_header X-Real-IP $remote_addr;      # I also tried the IP address:443 here
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    Please help.
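    For readers who want to see the websocket part of this problem in one place: the block below is an added example, not configuration from this thread, from gainfulshrimp or from NPM. It is a stand-alone nginx `http` configuration for the EdgeRouter web UI; the host name ubnt.example.com, the router address 192.168.1.1:443, the LAN range 192.168.1.0/24 and the certificate paths are assumptions. The `map` is what a hand-written config needs so that the `Connection` header is `upgrade` only for websocket handshakes and `close` for ordinary requests.

```nginx
# Added example, not from the thread or from NPM. Assumed names and addresses.

# Translate the client's Upgrade header into the right Connection value:
# websocket handshakes carry "Upgrade: websocket", everything else carries nothing.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

upstream erl {
    server 192.168.1.1:443;    # assumed router address
    keepalive 32;
}

server {
    listen 80;
    server_name ubnt.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name ubnt.example.com;

    ssl_certificate     /etc/letsencrypt/live/ubnt.example.com/fullchain.pem;  # assumed path
    ssl_certificate_key /etc/letsencrypt/live/ubnt.example.com/privkey.pem;    # assumed path

    # The router UI only has password authentication, so keep the reachable
    # audience small; this is what gainfulshrimp's localonly.conf snippet
    # presumably does too. Remove these two lines only if remote access is
    # genuinely needed, and then use an access list on the proxy host.
    allow 192.168.1.0/24;      # assumed LAN range
    deny  all;

    location / {
        proxy_pass https://erl;
        proxy_http_version 1.1;    # required for websocket upgrades
        proxy_buffering off;       # the UI streams status updates continuously

        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host       $host;
        proxy_set_header X-Real-IP  $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # The router presents a self-signed certificate. proxy_ssl_verify is
        # already off by default; it is written out here so the choice is visible.
        proxy_ssl_verify      off;
        proxy_ssl_server_name on;

        # The UI keeps its websocket open for a long time.
        proxy_read_timeout 3600s;
    }
}
```

    In NPM itself the equivalent of the `Upgrade`/`Connection`/`proxy_http_version` lines is the "Websockets Support" toggle on the proxy host, which is what post 4 above ended up using; the Advanced box only needs the extra directives such as `proxy_buffering off`, since NPM inserts that text inside the host's `server {}` block. Check any such change with `nginx -t` before reloading.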

     

     

  6. 32 minutes ago, sdballer said:

    Does this docker work if my isp blocks port 80? I tried the other guy's repo and it was a no go so I stuck with swag. Hoping to finally use npm…

    First you need to find out the HTTP error code when they block your port 80; then you can add a port 80 redirection in config.json with something like this:

    server {
        listen 80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
    }

  7. OK @mgutt

    Your solution a. works; however, I had to modify it as follows:

    proxy_redirect https://webmin4.dns:10000 https://webmin4.dns;

    Notice both URLs use https, not one http and the other https. Once it passed the webmin login, the URL became internal to webmin, so it was https://dns:10000; all we have to tell nginx is to redirect it to https://dns. Problem solved.

    And my external http-to-https config.json conversion also works, so now all I have to do is type the DNS name in a web browser without http or https and it will reach the webmin login page, and when I log in, it goes to the dashboard.

  8. Hi @mgutt

    I have a few elementary questions about setting up https in proxy-manager.

    1. Does every DNS name require a separate SSL certificate?

    2. Does the server have to listen on port 443 for https?

    I am trying to set up webmin access via proxy-manager; as you know, webmin's default port is 10000 and the default access scheme is https.

    So here is my setting in proxy-mgr; I also ran an SSL certificate in proxy-mgr for that.

    My config.json:

     

    autoindex_localtime on;
    autoindex on;

    server {
        listen 80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
    }

    location / {
        try_files $uri /index.html;
    }

    When I enter the webmin4.dns name in the browser, it has no problem connecting to the login page of [email protected],x (see photo).

    However, after I log in I get a page like this. Note the URL has port 10000 defined and it returns a bad connection error.

    If I remove the port designation (10000) on that error page, I am directed to the webmin dashboard, no problem.

    Defining the https://webmin4.dns name won't help.

    What did I do wrong?

     

    [attached screenshots: webmin-proxy.jpg, afterlogin.jpg, webminlogin.jpg]
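    The port-10000 problem in this post, and the `proxy_redirect` fix reported in post 7 above, in one stand-alone nginx configuration. This is an added example, not the poster's config.json and not something NPM generates; the host name webmin4.example.com, the webmin address 192.168.1.20:10000 and the certificate paths are placeholders I chose.

```nginx
# Added example, not from the thread or from NPM. Names and addresses are placeholders.

# 1. Catch-all for plain HTTP: send every request to HTTPS on the same host.
server {
    listen 80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

# 2. TLS front end for webmin.
server {
    listen 443 ssl http2;
    server_name webmin4.example.com;

    ssl_certificate     /path/to/fullchain.pem;   # placeholder
    ssl_certificate_key /path/to/privkey.pem;     # placeholder

    location / {
        # webmin itself speaks HTTPS on 10000, so proxy to https://, not http://.
        proxy_pass https://192.168.1.20:10000;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # After login, webmin answers with a redirect built from the Host header
        # plus its own listening port, i.e. "Location: https://webmin4.example.com:10000/...".
        # The browser would then try to reach port 10000 directly, which is what
        # produced the "bad connection" page. Rewrite the Location header so the
        # browser stays on the proxy's port 443. Both sides are https, as post 7 found.
        proxy_redirect https://webmin4.example.com:10000/ https://webmin4.example.com/;

        # Same effect without hard-coding the host name (regex form of proxy_redirect):
        # proxy_redirect ~^https://([^/:]+):10000/(.*)$ https://$1/$2;
    }
}
```

    In NPM the `proxy_redirect` line goes in the proxy host's Advanced box; it is valid at `server` level, which is where NPM inserts that text, so it does not need its own `location` block. Note that in the poster's config.json above the `location / { try_files ... }` block sits outside any `server {}`, which nginx itself would reject; whatever consumes that file evidently tolerates it, but it is not a pattern to copy into an nginx.conf.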

     

  9. Thanks @mgutt

    I see what you are saying, and the RTMP server concept is too complicated for a home setting. I also see the nginx streaming port setting, but that is the same as simple port forwarding in my router, which is the current setup and has been working for years. I guess for constant video streaming we can only use one port for each host. I also tried RTSP on port 554; the VLC player will work only for one camera and will not work with other brands/models. Lots to learn and explore.

  10. On 8/2/2021 at 12:05 AM, mgutt said:

    Did you enable cache assets? (you should not)

     

    You said RTSP. Doesn't it use port 554? NPM listens only on ports 80 and 443. If NPM should listen on 554 you need to:

    - open the port 554 on your router with NPM as your target

    - open the advanced config tab of the proxy host and add the following rule:

    listen 554;

     

    If this does not work we need to check the nginx.conf. This is the nginx conf created by NPM if no option has been enabled:

    # ------------------------------------------------------------
    # example.com
    # ------------------------------------------------------------
    server {
      set $forward_scheme http;
      set $server         "127.0.0.1";
      set $port           80;

      listen 80;
      listen [::]:80;

      server_name example.com;

      access_log /data/logs/proxy-host-2_access.log proxy;
      error_log /data/logs/proxy-host-2_error.log warn;

      location / {
        # Proxy!
        include conf.d/include/proxy.conf;
      }

      # Custom
      include /data/nginx/custom/server_proxy[.]conf;
    }

    As you can see it includes "/data/nginx/custom/server_proxy.conf", but this file needs to be created by the user. So it adds nothing. And it includes "conf.d/include/proxy.conf" which contains the following rules:

    add_header       X-Served-By $host;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Scheme $scheme;
    proxy_set_header X-Forwarded-Proto  $scheme;
    proxy_set_header X-Forwarded-For    $remote_addr;
    proxy_set_header X-Real-IP          $remote_addr;
    proxy_pass       $forward_scheme://$server:$port;

    Why I'm posting this: Maybe it includes a rule or misses a rule which breaks video streaming. Try to search in the internet for an nginx.conf which works for security webcams and then we compare the rules.

     

    Dear @mgutt

    Thank you for your help.

    I did a little research on the net and found

    NGINX RTMP Streaming Server Installation Guide (bartsimons.me)

    Perhaps that is the way to go, because right now nginx proxy manager (as I know it and as my hosts are set up) can handle http(s) very well, but it lacks the ability to handle a streaming service in H.264 or H.265 format, and the newer cameras and NVRs no longer use RTSP streaming in their apps. If I go with the installation of the RTMP streaming server, what should I do with the nginx config in the proxy manager? Do I add the "rtmp" set of the config in the "advanced" section?

     

  11. Hello,

    I hope I am on the right thread; if not, feel free to move me around.

    I am new to NPM; however, I have made 7 proxy hosts already and most of them are working, including all web server redirects using "A" or "CNAME".

    I have a problem setting up a proxy for camera streaming.

    I was successful streaming an old Foscam camera by simply setting the IP and port XXX. For all newer cameras or NVRs, where there is an HTTP web server and the image streaming (in ONVIF or RTSP format), I am not getting it. I am using an app called "IP CAM Viewer", and in that I could easily view the camera by defining the HTTP port (port forwarding and DDNS), ID and password. With the reverse proxy server, I can define the DN and port 80 to be redirected for the Foscam camera; however, when I tried to do the same for the others, I do not get the streams.

    Any help is appreciated.
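    The camera and NVR questions in this post, in post 10 (the `listen 554;` suggestion) and in post 2 (the `stream {}` snippet) all come down to the same thing: RTSP and the NVR's "mobile data" protocol are not HTTP, so a proxy host, which is an HTTP `server {}` block, cannot carry them, and putting `listen 554;` in the Advanced box only creates an HTTP listener on 554. What does carry them is nginx's `stream` context, which relays raw TCP. The block below is an added example, not configuration from this thread or from NPM; the NVR address 192.168.1.50, the second camera 192.168.1.51, the ports and the host names are assumptions. NPM's own "Streams" tab (the "stream hosts" mgutt mentioned in post 1) generates the same kind of per-port forwarding.

```nginx
# Added example, not from the thread or from NPM. Addresses and names are assumed.

# stream {} is a top-level context, a sibling of http {}, so it belongs in
# nginx.conf itself, never in a proxy host's Advanced box (that text is
# inserted inside an http server {} block and nginx rejects "stream" there).
# Each listen port here must also not be used by any http server, which is the
# restriction quoted in post 1 ("can't use the same listening port with HTTP modules").
stream {
    upstream nvr_mobile {
        server 192.168.1.50:12345;    # the NVR app's "mobile data" port, assumed value
    }
    upstream nvr_rtsp {
        server 192.168.1.50:554;
    }

    # One listening port per backend: TCP has no Host header, so nothing tells
    # nginx which of several devices a connection is for. This is the reason the
    # thread keeps arriving at "one port per host".
    server {
        listen 12345;                 # the port the router forwards to the nginx host
        proxy_pass nvr_mobile;
        proxy_connect_timeout 5s;
    }
    server {
        listen 554;
        proxy_pass nvr_rtsp;
        # Bytes are relayed unchanged: nginx adds no TLS and no authentication on
        # this path, so the device's own login is the only control on it. Prefer
        # a VPN to the LAN over exposing 554 at all if the camera app supports it.
    }

    # When the clients speak TLS, several devices can share one port, routed by
    # the SNI name without decryption (ssl_preread, built into nginx since 1.11.5,
    # not a third-party module). Plain RTSP carries no SNI, so it cannot use this.
    map $ssl_preread_server_name $tls_backend {
        nvr.example.com   192.168.1.50:443;
        cam2.example.com  192.168.1.51:443;
        default           192.168.1.50:443;   # anything else goes to the NVR
    }
    server {
        listen 8443;
        ssl_preread on;
        proxy_pass $tls_backend;
    }
}
```

    Whether the NPM image's nginx is built with `--with-stream_ssl_preread_module` is something to check with `nginx -V` before relying on the last server block; the plain TCP forwarding needs only the stream module. Test with `nginx -t`, then confirm from outside that only the intended ports answer.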