Progress UI not working through reverse proxy



  • 1 month later...

Thank you @maciekish and @Indmenity83 for pursuing the resolution of the problem presented in the OP. I too have experienced unhelpful and out of scope "resolutions" in the past. 

 

The key to this thread is that regardless of the security of the application in question, the question is not how to "be more secure" or "work around the problem"... it is about solving the problem presented. 

 

I too use a reverse proxy to access my unRaid gui... which is completely restricted to internal machines or those connected to my VPN. There is no security risk to my unRaid gui, being behind a reverse proxy that only works... on the internal network, the same as the local IP of the gui.

 

Again, really appreciate the nginx response from @Indmenity83, thanks to you both!

  • Like 1
Link to comment

Despite the thanks... gzip off; doesn't work for me @Indmenity83, or I am not entering it in the right .conf file.

 

I have tried in my nginx x.subdomain.conf file (below) as well as the main nginx.conf file (changing from on to off) and the site-confs>default file. Where are you entering this?

```
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name myunRaidSubdomain.*;
    include /config/nginx/ssl.conf;
    client_max_body_size 0;
    gzip off;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass https://[unRaidIP];
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
}
```

 

Edited by SidereusAquila
Link to comment
  • 2 months later...
On 9/14/2020 at 4:46 AM, groot-stuff said:

Despite the thanks... gzip off; doesn't work for me @Indmenity83, or I am not entering it in the right .conf file.

 

I have tried in my nginx x.subdomain.conf file (below) as well as the main nginx.conf file (changing from on to off) and the site-confs>default file. Where are you entering this?


```
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name myunRaidSubdomain.*;
    include /config/nginx/ssl.conf;
    client_max_body_size 0;
    gzip off;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass https://[unRaidIP];
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
}
```

 

@groot-stuff

 

proxy_buffering off;

 

should solve the problem.

Edited by szwhy
Link to comment
  • 7 months later...

I am using the nginx reverse proxy and tried adding the advanced config 

 

 

```
proxy_buffering off;
proxy_buffer_size 16k;
proxy_busy_buffers_size 24k;
proxy_buffers 64 4k;
proxy_request_buffering off;
client_max_body_size 0;
gzip off;
```

 

No go for me /.cry 

 

 

Link to comment
1 hour ago, LukePOLO said:

I am using the nginx reverse proxy and tried adding the advanced config 

 

 

```
proxy_buffering off;
proxy_buffer_size 16k;
proxy_busy_buffers_size 24k;
proxy_buffers 64 4k;
proxy_request_buffering off;
client_max_body_size 0;
gzip off;
```

 

No go for me /.cry 

 

 

This is what I've got configured and the progress UI updates, but at a much slower rate than without using the reverse proxy (maybe every 15-30 secs), so oftentimes the entire docker update is completed by the time it updates. When installing/updating larger dockers (like Android Studio) I can see the progress updates come through mid-process.

 

```
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name unRaidSubdomain.*;
    include /config/nginx/ssl.conf;
    client_max_body_size 0;
    # https://forums.unraid.net/topic/73158-progress-ui-not-working-through-reverse-proxy/page/2/
    gzip off;
    proxy_buffering off;
    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;
    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;
        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;
        # enable for Authelia
        #include /config/nginx/authelia-location.conf;
        include /config/nginx/proxy.conf;
        proxy_pass https://[unRaidIP];
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
}
```

 

It's been a while, but I think these are all of the additions I made when I was messing with it...

In the server block:

```
gzip off;
proxy_buffering off;
```

In the location block (my webui is set for HTTPS only):

```
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
```
 

Link to comment
  • 1 month later...

Thank you for the information.  I really appreciate finding out the actual problem.  I am currently running latest NGINX Proxy Manager.  The following configuration appears to be working well for me:

  • Cache assets: false, Block common exploits: false, Websockets support: true
  • Force SSL: true, HTTP/2 Support: true, HSTS Enabled: true, HSTS subdomains: true
  • Custom Nginx Configuration:
    • `gzip off;`

Thank you, everyone.

  • Like 2
  • Upvote 1
Link to comment
  • 1 month later...
On 8/21/2021 at 2:12 PM, D16R said:

Thank you for the information.  I really appreciate finding out the actual problem.  I am currently running latest NGINX Proxy Manager.  The following configuration appears to be working well for me:

  • Cache assets: false, Block common exploits: false, Websockets support: true
  • Force SSL: true, HTTP/2 Support: true, HSTS Enabled: true, HSTS subdomains: true
  • Custom Nginx Configuration:
    • `gzip off;`

Thank you, everyone.

 

Came here to add that I am also using NPM, with different config options that work fine. "gzip off;" in the advanced tab seems to be the only setting that matters, as I have different SSL settings and cache assets and block common exploits on.

 

I also tried using "location /plugins { gzip off; }" kind of in line with OP's solution for Caddy, but this caused the entire docker page to get stuck with the Unraid loading icon forever. I can't find anything online to indicate that disabling gzip for the entire Unraid proxy has any downsides, so I'm going to leave it that way.

 

 

Also, a hearty second to all the thanks to the folks who stuck with this and solved the problem. I would have knocked off and ended this discussion long before OP did. These "you're doing it bad and you should feel bad" responses were on an entirely different level than friendly advice, which unfortunately happens quite often in these forums. Did I mention I never let any of my disks spin down? Oops, here comes a flame war on a 3 year old thread! 🤐

  • Like 2
Link to comment
  • 2 years later...
On 8/21/2021 at 4:12 PM, D16R said:

Thank you for the information.  I really appreciate finding out the actual problem.  I am currently running latest NGINX Proxy Manager.  The following configuration appears to be working well for me:

  • Cache assets: false, Block common exploits: false, Websockets support: true
  • Force SSL: true, HTTP/2 Support: true, HSTS Enabled: true, HSTS subdomains: true
  • Custom Nginx Configuration:
    • `gzip off;`

Thank you, everyone.

Another necro-thanks here for this information specifically for NPM. I was going in circles with this, and luckily there were some persistent folks in this thread who offered actual solutions.

 

For the record, using a reverse proxy doesn't always mean you're exposing those hosts to the internet. I use Nginx Proxy Manager so, like @Indmenity83 said, I don't have to remember a bunch of port numbers or get granular with my password manager, and most of all, so my browsers stop bugging me about using an insecure protocol. I use a wildcard certificate with DNS challenge, so my internal services are still secured with SSL but never exposed to the internet.

 

My mother always said not to assume things, because... Well you know.

Link to comment
On 7/31/2018 at 7:15 PM, JonathanM said:

Correct, if a reverse proxy is done right and maintained correctly, it's just as secure as a VPN. To do it right is more work than just setting up the VPN, and has more chances of going wrong.


Really? Generate a CA cert and add this to Caddy. Done.
 

```
(defaults) {
        @exclude-paths {
                not path /plugins/*
                not path */plugins/*
                not path /logging.htm
        }

        encode @exclude-paths {
                gzip 7
                zstd
        }

        log {
                output file /var/log/caddy/access.log {
                        roll_size 20MiB
                        roll_keep 5
                        roll_keep_for 720h
                }
        }
}
(client-auth) {
        tls {
                client_auth {
                        mode require_and_verify
                        trusted_ca_cert_file /mnt/user/appdata/caddy2/ca.crt
                }
        }
}
domain.name {
        import defaults
        import client-auth
        reverse_proxy * http://10.0.1.0
}
```

 

VPNs require explicit connecting, and even stateless protocols like Wireguard have issues when you roam between unstable connections. Suddenly it just doesn't work when it still shows connected. With Caddy and split DNS I can just type in the same URL on any of my devices from anywhere in the world and access anything on my home network. Been running this exact config for over 5 years with zero issues. Can't say the same about VPNs.

Edited by maciekish
Link to comment
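The "generate a CA cert" step from the post above, as an added example that is not part of the original post: a private CA plus one client certificate that a `client_auth` block with `mode require_and_verify` would accept once `ca.crt` is placed at the `trusted_ca_cert_file` path. Subject names, lifetimes and every file name other than `ca.crt` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Names, subjects and lifetimes are
# assumptions; only ca.crt corresponds to trusted_ca_cert_file in the post.

# make_client_pki DIR NAME -> DIR/ca.key, DIR/ca.crt, DIR/NAME.key, DIR/NAME.crt
# The body runs in a subshell so umask and cd do not leak to the caller.
make_client_pki() (
    dir=$1 name=$2
    umask 077                       # private keys readable by owner only
    mkdir -p "$dir" && cd "$dir" || exit 1

    # Extensions are written explicitly so the result does not depend on
    # whatever the system openssl.cnf happens to add.
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' > ca.ext
    printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=digitalSignature' \
        'extendedKeyUsage=clientAuth' > client.ext

    # 1. CA key and self-signed CA certificate (the file the proxy trusts).
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out ca.key &&
    openssl req -new -key ca.key -subj '/CN=Home Lab Client CA' -out ca.csr &&
    openssl x509 -req -in ca.csr -signkey ca.key -sha256 -days 1825 \
        -extfile ca.ext -out ca.crt || exit 1

    # 2. Client key and CSR, then a certificate signed by the CA and
    #    limited to TLS client authentication.
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$name.key" &&
    openssl req -new -key "$name.key" -subj "/CN=$name" -out "$name.csr" &&
    openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -sha256 -days 397 -extfile client.ext -out "$name.crt" || exit 1

    rm -f ca.csr ca.ext client.ext "$name.csr"
)

# verify_client CA_CERT CLIENT_CERT -> exit 0 only if that CA issued the
# certificate and it is valid for TLS client authentication.
verify_client() {
    openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1
}

# Usage (paths are placeholders):
#   make_client_pki ./pki laptop && verify_client ./pki/ca.crt ./pki/laptop.crt
```

Browsers and phones usually want the client key and certificate bundled as PKCS#12 (`openssl pkcs12 -export`). The proxy host only needs `ca.crt`; `ca.key` can stay offline.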
13 minutes ago, JonathanM said:

Yes really. Just because you are capable of setting up a secure reverse proxy doesn't mean it's easy for someone else. The good thing about a VPN is there is very little chance of exposing something by accident. Fail safe vs. fail open.

 

Very little chance of exposing something by accident? Last time I checked, a VPN exposes the entire network. Unless you configure it for specific hosts only. Which also requires configuration and knowledge, just like a reverse proxy. A reverse proxy on the other hand, only exposes a single http service. Both don't let any traffic through to the target service until you authenticate with a client certificate.

Link to comment
  • 2 months later...
On 7/6/2021 at 2:53 PM, groot-stuff said:

This is what I've got configured and the progress UI updates, but at a much slower rate than without using the reverse proxy (maybe every 15-30 secs), so oftentimes the entire docker update is completed by the time it updates. When installing/updating larger dockers (like Android Studio) I can see the progress updates come through mid-process.

 

```
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name unRaidSubdomain.*;
    include /config/nginx/ssl.conf;
    client_max_body_size 0;
    # https://forums.unraid.net/topic/73158-progress-ui-not-working-through-reverse-proxy/page/2/
    gzip off;
    proxy_buffering off;
    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;
    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;
        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;
        # enable for Authelia
        #include /config/nginx/authelia-location.conf;
        include /config/nginx/proxy.conf;
        proxy_pass https://[unRaidIP];
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
}
```

 

It's been a while, but I think these are all of the additions I made when I was messing with it...

In the server block:

```
gzip off;
proxy_buffering off;
```

In the location block (my webui is set for HTTPS only):

```
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
```
 


Any idea where all of this goes in nginx reverse proxy manager? I like the manager gui because it makes life easier, but when it comes to advanced configs it can be a pain...

Link to comment
On 10/20/2023 at 8:06 AM, JonathanM said:

Yes really. Just because you are capable of setting up a secure reverse proxy doesn't mean it's easy for someone else. The good thing about a VPN is there is very little chance of exposing something by accident. Fail safe vs. fail open.

OMG man let it go. Your posts are at the point of being unhelpful. We know there are guides out there for VPNs. That's a good solution for some people. Reverse proxies are also a good solution for some people. Yes, it takes correct setup as does anything. A warning about that is warranted, but you're well past that. A properly secured 2-factor authentication gateway (such as Authelia) along with HTTPS certs should be more than enough to secure the reverse proxy. No, not everyone will do that, but that's not your responsibility (and if you're reading this, PLEASE set up your reverse proxy with this kind of security, or consider not doing it at all).

Off the top of my head, a couple valid use-cases:

  1. Local network only, to avoid having to remember all the ports and IPs for all your applications
  2. Remote access where a VPN isn't viable, for instance on a work PC without admin access

In the future, please consider just answering the question, or don't respond. Thank you.

Link to comment
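A check that ties together the nginx server block posted earlier in the thread and the advice in the post above to put authentication in front of the proxy, as an added example that is not from any poster: it reports which of the thread's streaming directives are missing from a conf file and whether every authentication line from the template is still commented out. The function names and the sample conf are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: flag what a proxy conf for the Unraid
# GUI is missing. Only directives written in the file itself are seen;
# anything pulled in through include (proxy.conf, ssl.conf) is not expanded.

# audit_proxy_conf < FILE   prints one finding per line, nothing if all present
audit_proxy_conf() {
    # Drop comments so commented-out directives do not count as enabled.
    active=$(sed -e 's/#.*$//' -e '/^[[:space:]]*$/d')
    has() { printf '%s\n' "$active" | grep -Eq "$1"; }
    s='[[:space:]]'

    has "^$s*gzip$s+off$s*;"               || echo "stream: gzip off missing"
    has "^$s*proxy_buffering$s+off$s*;"    || echo "stream: proxy_buffering off missing"
    has "^$s*proxy_set_header$s+Upgrade$s" || echo "stream: Upgrade header not forwarded"
    # Any one of the auth mechanisms offered in the thread's template counts.
    has "^$s*(auth_basic|auth_request)$s|^$s*include$s.*(authelia|ldap)" ||
        echo "auth: no authentication directive enabled"
    return 0
}

# Constructed sample: the thread's server block, auth lines still commented.
sample_conf() {
cat <<'EOF'
server {
    listen 443 ssl;
    server_name unRaidSubdomain.*;
    gzip off;
    proxy_buffering off;
    #include /config/nginx/authelia-server.conf;
    location / {
        #auth_basic "Restricted";
        #include /config/nginx/authelia-location.conf;
        include /config/nginx/proxy.conf;
        proxy_pass https://[unRaidIP];
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
}
EOF
}
```

Running `sample_conf | audit_proxy_conf` reports only the authentication finding, since the streaming directives are present but every auth line is commented out.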
39 minutes ago, bfenty said:


Any idea where all of this goes in nginx reverse proxy manager? I like the manager gui because it makes life easier, but when it comes to advanced configs it can be a pain...

That is the entirety of the abc.subdomain.conf file for my unraid subdomain located in /mnt/user/appdata/swag/nginx/proxy-confs/

You may have a slightly different path to the proxy-confs folder though, depending on your setup.

Link to comment
9 hours ago, groot-stuff said:

That is the entirety of the abc.subdomain.conf file for my unraid subdomain located in /mnt/user/appdata/swag/nginx/proxy-confs/

You may have a slightly different path to the proxy-confs folder though, depending on your setup.

nginx manager is a gui for nginx. It obfuscates a lot of the manual work, which is great 99% of the time. You just select url/ip/port and hit save. Only problem is if you need custom locations, it would be easier to just do it in a .conf file. I'll see if I can figure it out on my own for this one though.

Link to comment
