July 17, 20205 yr I also want to say thx to @maciekish and I also agree to the opinion of @Indmenity83 : "sticking with this after the responses he got". I read the post from the beginning to the end and every single follow up of all these "I know your requirements better than you"-guys, I thought: wtf ...
September 13, 20205 yr Thank you @maciekish and @Indmenity83 for pursuing the resolution of the problem presented in the OP. I too have experienced unhelpful and out of scope "resolutions" in the past. The key to this thread is that regardless of the security of the application in question, the question is not how to "be more secure" or "work around the problem"... it is about solving the problem presented. I too use a reverse proxy to access my unRaid gui... which is completely restricted to internal machines or those connected to my VPN. There is no security risk to my unRaid gui, being behind a reverse proxy that only works... on the internal network, the same as the local IP of the gui. Again, really appreciate the nginx response from @Indmenity83, thanks to you both!
September 13, 20205 yr Despite the thanks... gzip off; doesn't work for me @Indmenity83, or I am not entering it in the right .conf file. I have tried in my nginx x.subdomain.conf file (below) as well as the main nginx.conf file (changing from on to off) and the site-confs>default file. Where are you entering this? server { listen 443 ssl; listen [::]:443 ssl; server_name myunRaidSubdomain.*; include /config/nginx/ssl.conf; client_max_body_size 0; gzip off; location / { include /config/nginx/proxy.conf; proxy_pass https://[unRaidIP]; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } Edited September 13, 20205 yr by SidereusAquila
November 15, 20205 yr On 9/14/2020 at 4:46 AM, groot-stuff said: Despite the thanks... gzip off; doesn't work for me @Indmenity83, or I am not entering it in the right .conf file. I have tried in my nginx x.subdomain.conf file (below) as well as the main nginx.conf file (changing from on to off) and the site-confs>default file. Where are you entering this? server { listen 443 ssl; listen [::]:443 ssl; server_name myunRaidSubdomain.*; include /config/nginx/ssl.conf; client_max_body_size 0; gzip off; location / { include /config/nginx/proxy.conf; proxy_pass https://[unRaidIP]; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } @groot-stuff proxy_buffering off; should solve the problem. Edited November 15, 20205 yr by szwhy
July 6, 20214 yr I am using the nginx reverse proxy and tried adding the advanced config ``` proxy_buffering off; proxy_buffer_size 16k; proxy_busy_buffers_size 24k; proxy_buffers 64 4k; proxy_request_buffering off; client_max_body_size 0; gzip off; ``` No go for me /.cry
July 6, 20214 yr 1 hour ago, LukePOLO said: I am using the nginx reverse proxy and tried adding the advanced config ``` proxy_buffering off; proxy_buffer_size 16k; proxy_busy_buffers_size 24k; proxy_buffers 64 4k; proxy_request_buffering off; client_max_body_size 0; gzip off; ``` No go for me /.cry This is what I've got configured and the progress UI updates, but at a much slower rate than without using the reverse proxy (maybe every 15-30 secs), so often times the entire docker update is completed by the time it updates. When installing/updating larger dockers (like Android Studio) I can see the progress updates come through mid-process. server { listen 443 ssl; listen [::]:443 ssl; server_name unRaidSubdomain.*; include /config/nginx/ssl.conf; client_max_body_size 0; # https://forums.unraid.net/topic/73158-progress-ui-not-working-through-reverse-proxy/page/2/ gzip off; proxy_buffering off; # enable for ldap auth, fill in ldap details in ldap.conf #include /config/nginx/ldap.conf; # enable for Authelia #include /config/nginx/authelia-server.conf; location / { # enable the next two lines for http auth #auth_basic "Restricted"; #auth_basic_user_file /config/nginx/.htpasswd; # enable the next two lines for ldap auth #auth_request /auth; #error_page 401 =200 /ldaplogin; # enable for Authelia #include /config/nginx/authelia-location.conf; include /config/nginx/proxy.conf; proxy_pass https://[unRaidIP]; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } Its been a while, but I think these are all of the additions I made when I was messing with it... In the server block: gzip off; proxy_buffering off; In the location block (my webui is set for HTTPS only): proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade";
August 21, 20214 yr Thank you for the information. I really appreciate finding out the actual problem. I am currently running latest NGINX Proxy Manager. The following configuration appears to be working well for me: Cache assets: false, Block common exploits: false, Websockets support: true Force SSL: true, HTTP/2 Support: true, HSTS Enabled: true, HSTS subdomains: true Custom Nginx Configuration: `gzip off;` Thank you, everyone.
October 1, 20214 yr On 8/21/2021 at 2:12 PM, D16R said: Thank you for the information. I really appreciate finding out the actual problem. I am currently running latest NGINX Proxy Manager. The following configuration appears to be working well for me: Cache assets: false, Block common exploits: false, Websockets support: true Force SSL: true, HTTP/2 Support: true, HSTS Enabled: true, HSTS subdomains: true Custom Nginx Configuration: `gzip off;` Thank you, everyone. Came here to add that I am also using NPM, with different config options that work fine. "gzip off;" in the advanced tab seems to be the only setting that matters, as I have different SSL settings and cache assets and block common exploits on. I also tried using "location /plugins { gzip off; }" kind of in line with OP's solution for Caddy, but this caused the entire docker page to get stuck with the Unraid loading icon forever. I can't find anything online to indicate that disabling gzip for the entire Unraid proxy has any downsides, so I'm going to leave it that way. Also, a hearty second to all the thanks to the folks who stuck with this and solved the problem. I would have knocked off and ended this discussion long before OP did. These "you're doing it bad and you should feel bad" responses were on an entirely different level than friendly advice, which unfortunately happens quite often in these forums. Did I mention I never let any of my disks spin down? Oops, here comes a flame war on a 3 year old thread! 🤐
October 20, 20232 yr On 8/21/2021 at 4:12 PM, D16R said: Thank you for the information. I really appreciate finding out the actual problem. I am currently running latest NGINX Proxy Manager. The following configuration appears to be working well for me: Cache assets: false, Block common exploits: false, Websockets support: true Force SSL: true, HTTP/2 Support: true, HSTS Enabled: true, HSTS subdomains: true Custom Nginx Configuration: `gzip off;` Thank you, everyone. Another necro-thanks here for this information specifically for NPM. I was going in circles with this, and luckily there were some persistent folks in this thread who offered actual solutions. For the record, using a reverse proxy doesn't always mean you're exposing those hosts to the internet. I use Nginx Proxy Manager so, like @Indmenity83 said, I don't have to remember a bunch of port numbers, getting granular with my password manager, and most of all, so my browsers stop bugging me about using an insecure protocol. I use a wildcard certificate with DNS challenge, so my internal services are still secured with SSL but never exposed to the internet. My mother always said not to assume things, because... Well you know.
October 20, 20232 yr Author On 7/31/2018 at 7:15 PM, JonathanM said: Correct, if a reverse proxy is done right and maintained correctly, it's just as secure as a VPN. To do it right is more work than just setting up the VPN, and has more chances of going wrong. Really? Generate a CA cert and add this to Caddy. Done. (defaults) { @exclude-paths { not path /plugins/* not path */plugins/* not path /logging.htm } encode @exclude-paths { gzip 7 zstd } log { output file /var/log/caddy/access.log { roll_size 20MiB roll_keep 5 roll_keep_for 720h } } } (client-auth) { tls { client_auth { mode require_and_verify trusted_ca_cert_file /mnt/user/appdata/caddy2/ca.crt } } } domain.name { import defaults import client-auth reverse_proxy * http://10.0.1.0 } VPNs require explicit connecting, and even stateless protocols like Wireguard have issues when you roam between unstable connections. Suddenly it just doesn't work when it still shows connected. With Caddy and split DNS i can just type in the same URL on any of my devices from anywhere in the world and access anything on my home network. Been running this exact config for over 5 years with zero issues. Can't say the same about VPNs. Edited October 20, 20232 yr by maciekish
October 20, 20232 yr 16 minutes ago, maciekish said: Really? Yes really. Just because you are capable of setting up a secure reverse proxy doesn't mean it's easy for someone else. The good thing about a VPN is there is very little chance of exposing something by accident. Fail safe vs. fail open.
October 20, 20232 yr Author 13 minutes ago, JonathanM said: Yes really. Just because you are capable of setting up a secure reverse proxy doesn't mean it's easy for someone else. The good thing about a VPN is there is very little chance of exposing something by accident. Fail safe vs. fail open. Very little chance of exposing something by accident? Last time i checked, a VPN exposes the entire network. Unless you configure it for specific hosts only. Which also requires configuration and knowledge, just like a reverse proxy. A reverse proxy on the other hand, only exposes a single http service. Both don't let any traffic through to the target service until you authenticate with a client certificate.
October 20, 20232 yr 2 minutes ago, maciekish said: Very little chance of exposing something by accident? Last time i checked, a VPN exposes the entire network Not if you follow the wireguard tutorials specifically for the Unraid service. https://docs.unraid.net/unraid-os/manual/security/vpn/
January 11, 20242 yr On 7/6/2021 at 2:53 PM, groot-stuff said: This is what I've got configured and the progress UI updates, but at a much slower rate than without using the reverse proxy (maybe every 15-30 secs), so often times the entire docker update is completed by the time it updates. When installing/updating larger dockers (like Android Studio) I can see the progress updates come through mid-process. server { listen 443 ssl; listen [::]:443 ssl; server_name unRaidSubdomain.*; include /config/nginx/ssl.conf; client_max_body_size 0; # https://forums.unraid.net/topic/73158-progress-ui-not-working-through-reverse-proxy/page/2/ gzip off; proxy_buffering off; # enable for ldap auth, fill in ldap details in ldap.conf #include /config/nginx/ldap.conf; # enable for Authelia #include /config/nginx/authelia-server.conf; location / { # enable the next two lines for http auth #auth_basic "Restricted"; #auth_basic_user_file /config/nginx/.htpasswd; # enable the next two lines for ldap auth #auth_request /auth; #error_page 401 =200 /ldaplogin; # enable for Authelia #include /config/nginx/authelia-location.conf; include /config/nginx/proxy.conf; proxy_pass https://[unRaidIP]; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; } } Its been a while, but I think these are all of the additions I made when I was messing with it... In the server block: gzip off; proxy_buffering off; In the location block (my webui is set for HTTPS only): proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; Any idea where all of this goes in nginx reverse proxy manager? I like the manager gui because it makes life easier, but when it comes to advance configs it can be a pain...
January 11, 20242 yr On 10/20/2023 at 8:06 AM, JonathanM said: Yes really. Just because you are capable of setting up a secure reverse proxy doesn't mean it's easy for someone else. The good thing about a VPN is there is very little chance of exposing something by accident. Fail safe vs. fail open. OMG man let it go. Your posts are at the point of being unhelpful. We know there are guides out there for VPNs. That's a good solution for some people. Reverse proxies are also a good solution for some people. Yes, it takes correct setup as does anything. A warning about that is warranted, but you're well past that. A properly secured 2-factor authentication gateway (such as Authelia) along with HTTPS certs should be more than enough to secure the reverse proxy. No, not everyone will do that, but that's not your responsibility (and if you're reading this, PLEASE setup your reverse proxy with this kind of security, or consider not doing it at all). Off the top of my head, a couple valid use-cases: Local network only, to avoid having to remember all the ports and IPs for all your applications Remote access where a VPN isn't viable, for instance on a work PC without admin access In the future, please consider just answering the question, or don't respond. Thank you.
January 11, 20242 yr 25 minutes ago, bfenty said: don't respond Noted. You are on my don't respond list.
January 11, 20242 yr 39 minutes ago, bfenty said: Any idea where all of this goes in nginx reverse proxy manager? I like the manager gui because it makes life easier, but when it comes to advance configs it can be a pain... That is the entirety of the abc.subdomain.conf file for my unraid subdomain located in /mnt/user/appdata/swag/nginx/proxy-confs/ You may have a slightly different path to the proxy-confs folder though, depending on your setup.
January 12, 20242 yr 9 hours ago, groot-stuff said: That is the entirety of the abc.subdomain.conf file for my unraid subdomain located in /mnt/user/appdata/swag/nginx/proxy-confs/ You may have a slightly different path to the proxy-confs folder though, depending on your setup. nginx manager is a gui for nginx. It obfuscates a lot of the manual work, which is great 99% of the time. you just select url/ip/port and hit save. Only problem is if you need custom locations, it would be easier to just do it in a .conf file. I'll see if I can figure it out on my own for this one though.
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.