Tutorial NGINX Reverse Proxy Updated

sc0tsman

Sounds daft, but it's easy to forget the basics when focused on something new so I'll ask, did you remember to update your MAIN server's firewall rules to allow connections from the reverse proxy server IP address?

You also need to make sure your MAIN config has the port open for receiving http messages from nginx so if your http broadcast port was 8000 or 8080 for example, you will want to include that, but you will also want to include port 80 in the main config as that is the port nginx will use for http protocol.

Edit: Ignore above, I can see from above you have included port 80 in your config.
MSG'd you I hope you don't mind.
 

yourman

I think Cloudflare is getting hammered right now. I have been using it for months on the paid service and it has been fine up until now. I have it all running on LBs, but now we just get constant freezing :( . Turn CF off and it works perfectly.
 

dotgs

I have 1 proxy server and one proxy IP and the freezing stopped :D

CF has blocked fast because all IPs are "greylist"
 

delta1372

WARNING !!!!!! This tutorial does NOT protect your IPs.

The second your Main Server issues the 302 redirect to the LB it's game over and your LB's IP is exposed.

This DOES protect your Main Server IP though so it's a good start.... kind of

What happens when the APK asks player_api and panel_api for their details? The Main Server is exposed again. Your NGINX is not doing any kind of rewriting on in-line content, which is a HUGE giveaway to finding the real details. Just put Wireshark on this setup and you will see how useless it is.

You also don't have to touch the nginx.conf file on your Main Server - it's not needed at all.

Final statement - this is a total waste of time.
 

terenceslattery

delta1372 said:
> WARNING !!!!!! This tutorial does NOT protect your IPs.
>
> The second your Main Server issues the 302 redirect to the LB it's game over and your LB's IP is exposed.
>
> This DOES protect your Main Server IP though so it's a good start.... kind of
>
> What happens when the APK asks player_api and panel_api for their details? The Main Server is exposed again. Your NGINX is not doing any kind of rewriting on in-line content, which is a HUGE giveaway to finding the real details. Just put Wireshark on this setup and you will see how useless it is.
>
> You also don't have to touch the nginx.conf file on your Main Server - it's not needed at all.
>
> Final statement - this is a total waste of time.

Thanks, I had just tested connectivity after updating the APK with the reverse proxy DNS address, but will test this with Wireshark and make some changes to fix the leaks, thanks for the heads up.
 

code64

Hello, thanks for this great post.

Did someone try to use this nginx reverse proxy config with OpenVPN, with the nginx proxy as OpenVPN server and the Xtream UI main as client, and does it work to change the real IP to the local private OpenVPN IP?

Or can someone tell us if it is possible or not?

PS: for Delta1372, "the Main Server is exposed again": I used Wireshark with the HTTP nginx reverse proxy config and I never saw that. Wireshark can't get the IP of the main Xtream UI server, just the proxy IP. In the main XUI server config I put the domain name of the reverse proxy and the real IP of the reverse proxy, not the main server's real IP. It works fine and hides the main IP, but I haven't tested with an LB until now. I think it's logical that the LB will be exposed but the main server not.

Thanks to terenceslattery and delta1372.

Hope we get more help for this project.
 

terenceslattery

Managed to find a way to hide the LB IPs when scanning the network with Wireshark and playing streams.

I had to set up an additional reverse proxy server for each LB and within the nginx.conf set proxy_pass to the LB DNS. Save the config and reload it and then within the Xtream UI Admin panel go to Manage Servers and then enter the IP address of the reverse proxy in VPN field.

I then started a capture using Wireshark with apk running in Bluestacks and it only captured the IP of the reverse proxy for that load balancer when playing streams from it.
 

delta1372

Not a bad approach actually. What happens when you have a panel that does not support the VPN IP field? - You are almost there but there is a way to do it so it's 100% panel independent :p The reason being, the traffic still hits the IPTV server in one way or another with your method.
 

delta1372

Also, what happens when you have a 10gbit LB or a 20 or a 100 gbit LB?

Having a customer facing 10gbit or more server is a bad idea as the traffic spikes way too much during match day and that's easy for the FriendMTS agents / ISPs to spot, which means they can see your service.

You also need to look at what other information XC based systems leak out like get.php and player_api.php etc.
 

terenceslattery

delta1372 said:
> Also, what happens when you have a 10gbit LB or a 20 or a 100 gbit LB?
>
> Having a customer facing 10gbit or more server is a bad idea as the traffic spikes way too much during match day and that's easy for the FriendMTS agents / ISPs to spot, which means they can see your service.
>
> You also need to look at what other information XC based systems leak out like get.php and player_api.php etc.

I'm currently saving up credits for another panel as I wasted the last of them on a couple of duff resources so can only test on Xtream UI for now, but have heard that it's leaks from XC core that is enabling FriendMTS agents to identify services to block so that's definitely high on my priorities to switch over panels.

For traffic spikes I'd assume using a CDN is the only workaround for that if your client base is scattered across lots of locations?
 

delta1372

EZ Server is a pain in the ass to work with and nothing like XC at all. Totally different code from what I've seen.
 

sc0tsman

terenceslattery said:
> I'm currently saving up credits for another panel as I wasted the last of them on a couple of duff resources so can only test on Xtream UI for now, but have heard that it's leaks from XC core that is enabling FriendMTS agents to identify services to block so that's definitely high on my priorities to switch over panels.
>
> For traffic spikes I'd assume using a CDN is the only workaround for that if your client base is scattered across lots of locations?

Any updates on leaks from XC core that is enabling FriendMTS agents?
 

neoice

terenceslattery said:
> Managed to find a way to hide the LB IPs when scanning the network with Wireshark and playing streams.
>
> I had to set up an additional reverse proxy server for each LB and within the nginx.conf set proxy_pass to the LB DNS. Save the config and reload it and then within the Xtream UI Admin panel go to Manage Servers and then enter the IP address of the reverse proxy in VPN field.
>
> I then started a capture using Wireshark with apk running in Bluestacks and it only captured the IP of the reverse proxy for that load balancer when playing streams from it.

For the LBs' reverse proxy we need twice the bandwidth. So for a 10Gbits LB we need the same 10Gbits server to set up the proxy... is that right?
 