Tutorial NGINX Reverse Proxy Updated

[sc0tsman]

Sounds daft, but it's easy to forget the basics when focused on something new so I'll ask, did you remember to update you MAIN servers firewall rules to allow connections from the reverse proxy server IP address?

You also need to make sure your MAIN config has the port open for receiving http messages from nginx so if your http broadcast port was 8000 or 8080 for example, you will want to include that, but you will also want to include port 80 in the main config as that is the port nginx will use for http protocol.

Edit: Ignore above, I can see from above you have included port 80 in your config.

MSG'd you I hope you don't mind.

 

[terenceslattery]

MSG'd you I hope you don't mind.

No probs, responded there, that should fix it.

 

[yourman]

I think Cloudflare is getting hammered right now, I have been using for months on the paid service, Has being fine up until now, I have it all running on LB's but now we just get constant freezing . Turn CF off and works perfectly,

 

[dotgs]

i have 1 proxy server and one proxy ip and freeze stop

cf have block fast because all ips are "greylist"

 

[delta1372]

WARNING !!!!!! This tutorial does NOT protect your IP's.

The second your Main Server issues the 302 redirect to the LB its game over and your LB's IP is exposed.

This DOES protect your Main Server IP though so it's a good start.... kind of

What happens when the APK asks player_api and panel_api for their details? the Main Server is exposed again. Your NGINX is no doing any kind of rewriting on in-line content which is a HUGE give away to finding the real details. Just put wireshark on this setup and you will see how useless it is.

You also dont have to touch the nginx.conf file on your Main Server - its not needed at all.

Final statement - this is a total waste of time.

 

[terenceslattery]

WARNING !!!!!! This tutorial does NOT protect your IP's.

The second your Main Server issues the 302 redirect to the LB its game over and your LB's IP is exposed.

This DOES protect your Main Server IP though so it's a good start.... kind of

What happens when the APK asks player_api and panel_api for their details? the Main Server is exposed again. Your NGINX is no doing any kind of rewriting on in-line content which is a HUGE give away to finding the real details. Just put wireshark on this setup and you will see how useless it is.

You also dont have to touch the nginx.conf file on your Main Server - its not needed at all.

Final statement - this is a total waste of time.

Thanks, I had just tested connectivity after updating the APK with the reverse proxy DNS address, but will test this with Wireshark and make some changes to fix the leaks, thanks for the heads up.

 

[code64]

Hello thank's for this great post

did someone try to use this nginx reverse proxy config with openvpn Server nginx proxy as openvpn server & Xtream ui main as Client and work change real ip with local private openvpn ip ?

Or someone can tell us if it possible or not ?

ps : for Delta1372 "the Main Server is exposed again " i used wireshark with http nginx reverse proxy config i never saw that wireshark can't get ip of main xtream ui server just proxy ip and in main XUI server in config i put domain name of reverse proxy and real ip of reverse proxy not main server real ip it work fine and hide main ip but i don't test with lb until now , i think it's logic that lb will be exposed but main server no .

Thank's for terenceslattery and delta1372 .

Hope we get more help for this project .

 

[terenceslattery]

Managed to find a way to hide the LB IP's when scanning network with Wireshark and playing streams.

I had to set up an additional reverse proxy server for each LB and within the nginx.conf set proxy_pass to the LB DNS. Save the config and reload it and then within the Xtream UI Admin panel go to Manage Servers and then enter the IP address of the reverse proxy in VPN field.

I then started a capture using Wireshark with apk running in Bluestacks and it only captured the IP of the reverse proxy for that load balancer when playing streams from it.

 

[delta1372]

Not a bad approach actually. What happens when you have a panel that does not support the VPN IP field? - You are almost there but there is a way to do it so its 100% panel independant The reason being, the traffic still hits the IPTV server in one way or another with your method.

 

[delta1372]

Also, what happens when you have a 10gbit LB or a 20 or a 100 gbit LB

Having a customer facing 10gbit or more server is a bad idea as the traffic spikes way to much during match day and thats easy for the FriendMTS agents / ISP's to spot which means they can see your service.

You also need to look at what other information XC based systems leak out like get.php and player_api.php etc.

 

[terenceslattery]

Also, what happens when you have a 10gbit LB or a 20 or a 100 gbit LB

Having a customer facing 10gbit or more server is a bad idea as the traffic spikes way to much during match day and thats easy for the FriendMTS agents / ISP's to spot which means they can see your service.

You also need to look at what other information XC based systems leak out like get.php and player_api.php etc.

I'm currently saving up credits for another panel as I wasted the last of them on a couple of duff resources so can only test on Xtream UI for now, but have heard that it's leaks from XC core that is enabling FriendMTS agents to identify services to block so that's definitely high on my priorities to switch over panels.

For traffic spikes I'd assume using a CDN is the only workaround for that if your client base is scattered across lots of locations?

 

[delta1372]

EZ Server is a pain in the ass to work with and nothing like XC at all. Totally different code from what I've seen.

 

[sc0tsman]

I'm currently saving up credits for another panel as I wasted the last of them on a couple of duff resources so can only test on Xtream UI for now, but have heard that it's leaks from XC core that is enabling FriendMTS agents to identify services to block so that's definitely high on my priorities to switch over panels.

For traffic spikes I'd assume using a CDN is the only workaround for that if your client base is scattered across lots of locations?

Any updates on leaks from XC core that is enabling FriendMTS agents?

 

[delta1372]

Get rid of MAGS, /c / client_area

That will help a lot

 

[zied jomaa]

Thanks i ll give it a try

 

[neoice]

Managed to find a way to hide the LB IP's when scanning network with Wireshark and playing streams.

I had to set up an additional reverse proxy server for each LB and within the nginx.conf set proxy_pass to the LB DNS. Save the config and reload it and then within the Xtream UI Admin panel go to Manage Servers and then enter the IP address of the reverse proxy in VPN field.

I then started a capture using Wireshark with apk running in Bluestacks and it only captured the IP of the reverse proxy for that load balancer when playing streams from it.

for LBs reverse proxy we need twice bandwidth. So for 10Gbits LB we need same 10Gbits server to setup proxy....is that right?

 

[hadyhady007]

Get rid of MAGS, /c / client_area

That will help a lot

I was able to get ride of client_area, thank you for this. Can you advice what do you mean by getting ride of MAGS and /c ? Isn't /wwwdir/c super used on panel?