Tutorial NGINX Reverse Proxy Updated

[sc0tsman]

Sounds daft, but it's easy to forget the basics when focused on something new so I'll ask, did you remember to update you MAIN servers firewall rules to allow connections from the reverse proxy server IP address?

You also need to make sure your MAIN config has the port open for receiving http messages from nginx so if your http broadcast port was 8000 or 8080 for example, you will want to include that, but you will also want to include port 80 in the main config as that is the port nginx will use for http protocol.

Edit: Ignore above, I can see from above you have included port 80 in your config.

MSG'd you I hope you don't mind.

 

[terenceslattery]

MSG'd you I hope you don't mind.

No probs, responded there, that should fix it.

 

[yourman]

I think Cloudflare is getting hammered right now, I have been using for months on the paid service, Has being fine up until now, I have it all running on LB's but now we just get constant freezing . Turn CF off and works perfectly,

 

[dotgs]

i have 1 proxy server and one proxy ip and freeze stop

cf have block fast because all ips are "greylist"

 

[delta1372]

WARNING !!!!!! This tutorial does NOT protect your IP's.

The second your Main Server issues the 302 redirect to the LB its game over and your LB's IP is exposed.

This DOES protect your Main Server IP though so it's a good start.... kind of

What happens when the APK asks player_api and panel_api for their details? the Main Server is exposed again. Your NGINX is no doing any kind of rewriting on in-line content which is a HUGE give away to finding the real details. Just put wireshark on this setup and you will see how useless it is.

You also dont have to touch the nginx.conf file on your Main Server - its not needed at all.

Final statement - this is a total waste of time.

 

[terenceslattery]

WARNING !!!!!! This tutorial does NOT protect your IP's.

The second your Main Server issues the 302 redirect to the LB its game over and your LB's IP is exposed.

This DOES protect your Main Server IP though so it's a good start.... kind of

What happens when the APK asks player_api and panel_api for their details? the Main Server is exposed again. Your NGINX is no doing any kind of rewriting on in-line content which is a HUGE give away to finding the real details. Just put wireshark on this setup and you will see how useless it is.

You also dont have to touch the nginx.conf file on your Main Server - its not needed at all.

Final statement - this is a total waste of time.

Thanks, I had just tested connectivity after updating the APK with the reverse proxy DNS address, but will test this with Wireshark and make some changes to fix the leaks, thanks for the heads up.

 

[code64]

Hello thank's for this great post

did someone try to use this nginx reverse proxy config with openvpn Server nginx proxy as openvpn server & Xtream ui main as Client and work change real ip with local private openvpn ip ?

Or someone can tell us if it possible or not ?

ps : for Delta1372 "the Main Server is exposed again " i used wireshark with http nginx reverse proxy config i never saw that wireshark can't get ip of main xtream ui server just proxy ip and in main XUI server in config i put domain name of reverse proxy and real ip of reverse proxy not main server real ip it work fine and hide main ip but i don't test with lb until now , i think it's logic that lb will be exposed but main server no .

Thank's for terenceslattery and delta1372 .

Hope we get more help for this project .

 

[terenceslattery]

Managed to find a way to hide the LB IP's when scanning network with Wireshark and playing streams.

I had to set up an additional reverse proxy server for each LB and within the nginx.conf set proxy_pass to the LB DNS. Save the config and reload it and then within the Xtream UI Admin panel go to Manage Servers and then enter the IP address of the reverse proxy in VPN field.

I then started a capture using Wireshark with apk running in Bluestacks and it only captured the IP of the reverse proxy for that load balancer when playing streams from it.

 

[delta1372]

Not a bad approach actually. What happens when you have a panel that does not support the VPN IP field? - You are almost there but there is a way to do it so its 100% panel independant The reason being, the traffic still hits the IPTV server in one way or another with your method.

 

[delta1372]

Also, what happens when you have a 10gbit LB or a 20 or a 100 gbit LB

Having a customer facing 10gbit or more server is a bad idea as the traffic spikes way to much during match day and thats easy for the FriendMTS agents / ISP's to spot which means they can see your service.

You also need to look at what other information XC based systems leak out like get.php and player_api.php etc.

 

[terenceslattery]

Also, what happens when you have a 10gbit LB or a 20 or a 100 gbit LB

Having a customer facing 10gbit or more server is a bad idea as the traffic spikes way to much during match day and thats easy for the FriendMTS agents / ISP's to spot which means they can see your service.

You also need to look at what other information XC based systems leak out like get.php and player_api.php etc.

I'm currently saving up credits for another panel as I wasted the last of them on a couple of duff resources so can only test on Xtream UI for now, but have heard that it's leaks from XC core that is enabling FriendMTS agents to identify services to block so that's definitely high on my priorities to switch over panels.

For traffic spikes I'd assume using a CDN is the only workaround for that if your client base is scattered across lots of locations?

 

[delta1372]

EZ Server is a pain in the ass to work with and nothing like XC at all. Totally different code from what I've seen.

 

[sc0tsman]

I'm currently saving up credits for another panel as I wasted the last of them on a couple of duff resources so can only test on Xtream UI for now, but have heard that it's leaks from XC core that is enabling FriendMTS agents to identify services to block so that's definitely high on my priorities to switch over panels.

For traffic spikes I'd assume using a CDN is the only workaround for that if your client base is scattered across lots of locations?

Any updates on leaks from XC core that is enabling FriendMTS agents?

 

[delta1372]

Get rid of MAGS, /c / client_area

That will help a lot

 

[zied jomaa]

Thanks i ll give it a try

 

[neoice]

Managed to find a way to hide the LB IP's when scanning network with Wireshark and playing streams.

I had to set up an additional reverse proxy server for each LB and within the nginx.conf set proxy_pass to the LB DNS. Save the config and reload it and then within the Xtream UI Admin panel go to Manage Servers and then enter the IP address of the reverse proxy in VPN field.

I then started a capture using Wireshark with apk running in Bluestacks and it only captured the IP of the reverse proxy for that load balancer when playing streams from it.

for LBs reverse proxy we need twice bandwidth. So for 10Gbits LB we need same 10Gbits server to setup proxy....is that right?

 

[hadyhady007]

Get rid of MAGS, /c / client_area

That will help a lot

I was able to get ride of client_area, thank you for this. Can you advice what do you mean by getting ride of MAGS and /c ? Isn't /wwwdir/c super used on panel?

 

[jok]

Hi Guys,

I've seen this subject come up a lot recently so hopefully this can help someone out.

I have been playing around trying to get an nginx reverse proxy server setup and after some initial frustrations I have got there in the end.

The idea is to setup a server that sits in front of your main server and load balance servers. Clients will contact the reverse proxy server which in turn communicates with your main and then passes the response back to the client so that your main server IP or DNS is not exposed to the client, only the reverse proxy server is.

See the below data flow diagram with obfuscated / mocked up DNS addresses if still unclear.

View attachment 1195

For testing this I used four dedicated servers.

Server 1: Xtream UI MAIN / Admin
Server 2: Xtream UI LB1 Server
Server 3: Xtream UI LB2 Server
Server 4: Nginx Reverse Proxy Server

I created a single user within the admin panel and added a handful of streams onto LB1 and a handful of VOD content onto LB2.

Finally I edited an APK file to point the DNS address within the APK file to the NGINX Reverse Proxy server and the HTTP broadcast port.

I won't include how to install and setup Xtream UI in this guide so will assume you already know how to do that and you now have your Xtream UI server and panel up and running and you are now ready to setup the reserve proxy.

So firstly we must SSH into the server that we are going to be using as the reverse proxy server and setup nginx.

apt-get update; apt-get install nginx;

Next we unlink the default enabled site for nginx that is setup following the installation.

unlink /etc/nginx/sites-enabled/default

Now we want to create our config file for the reserve proxy service we want to run:

nano /etc/nginx/sites-available/reverse-proxy.conf

server {
listen ####; replace hashes with the http broadcast port your service is using (such as 8080 or 25461).

location / {
      proxy_pass http://thednsoripaddressofyourmainserver;
      proxy_redirect off;
      proxy_http_version 1.1;
      proxy_set_header Connection "";
      proxy_set_header Host $http_host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Original-Scheme $scheme;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_pass_request_headers on;
      proxy_max_temp_file_size 0;
      client_max_body_size 10m;
      client_body_buffer_size 128k;
      client_body_timeout 12;
      keepalive_timeout 15;
      send_timeout 10;
      proxy_connect_timeout 90;
      proxy_send_timeout 90;
      proxy_read_timeout 90;
      proxy_buffer_size 4k;
      proxy_buffers 4 32k;
      proxy_busy_buffers_size 64k;
      proxy_temp_file_write_size 64k;
}
}

Save the file and exit the editor and then copy the file from sites-available to sites-enabled:

ln -s /etc/nginx/sites-available/reverse-proxy.conf /etc/nginx/sites-enabled/reverse-proxy.conf

Test if the config file is okay or if you have any errors run:

service nginx configtest

If the config file is okay then restart nginx

service nginx restart

To check on the status of the reverse proxy you can run:

systemctl status nginx

Next we want to update our existing nginx.conf file for Xtream UI on our Main server so we can close our SSH session on the Reverse Proxy server and SSH into our MAIN Server. We do not need to change much to the existing nginx config file for Xtream UI other than to add an entry so that we listen on port 80 for the nginx comms and that we want to set the real ip address from the proxy server.

nano /home/xtreamcodes/iptv_xtream_codes/nginx/conf/nginx.conf

user  xtreamcodes;
worker_processes  auto;

worker_rlimit_nofile 300000;
events {
    worker_connections  16000;
    use epoll;
                accept_mutex on;
                multi_accept on;
}
thread_pool pool_xtream threads=32 max_queue=0;
http {

    include       mime.types;
    default_type  application/octet-stream;

    sendfile           on;
    tcp_nopush         on;
    tcp_nodelay        on;
                reset_timedout_connection on;
    gzip off;
    fastcgi_read_timeout 200;
                access_log off;
                keepalive_timeout 10;
                include balance.conf;
                send_timeout 20m;    
                sendfile_max_chunk 512k;
                lingering_close off;
                aio threads=pool_xtream;
                client_body_timeout 13s;
                client_header_timeout 13s;
                client_max_body_size 3m;
                set_real_ip_from ##.##.#.###; This is the IP address of the proxy server that will communicate with the clients.

                limit_req_zone $binary_remote_addr zone=one:30m rate=20r/s;
    server {
        listen 8080;
        listen ####; Adjsut these ports as required based upon the ports you're using for panel and broadcasting.
                listen 25463 ssl;
                listen 80;
                ssl_certificate server.crt;ssl_certificate_key server.key; ssl_protocols SSLv3 TLSv1.1 TLSv1.2;
        index index.php index.html index.htm;
        root /home/xtreamcodes/iptv_xtream_codes/wwwdir/;
        server_tokens off;
        chunked_transfer_encoding off;

                                if ( $request_method !~ ^(GET|POST)$ ) {
                                                return 200;
                                }

        rewrite_log on;
        rewrite ^/live/(.*)/(.*)/(.*)\.(.*)$ /streaming/clients_live.php?username=$1&password=$2&stream=$3&extension=$4 break;
        rewrite ^/movie/(.*)/(.*)/(.*)$ /streaming/clients_movie.php?username=$1&password=$2&stream=$3&type=movie break;
                                rewrite ^/series/(.*)/(.*)/(.*)$ /streaming/clients_movie.php?username=$1&password=$2&stream=$3&type=series break;
        rewrite ^/(.*)/(.*)/(.*).ch$ /streaming/clients_live.php?username=$1&password=$2&stream=$3&extension=ts break;
        rewrite ^/(.*)\.ch$ /streaming/clients_live.php?extension=ts&stream=$1&qs=$query_string break;
        rewrite ^/ch(.*)\.m3u8$ /streaming/clients_live.php?extension=m3u8&stream=$1&qs=$query_string break;
                                rewrite ^/hls/(.*)/(.*)/(.*)/(.*)/(.*)$ /streaming/clients_live.php?extension=m3u8&username=$1&password=$2&stream=$3&type=hls&segment=$5&token=$4 break;
                                rewrite ^/hlsr/(.*)/(.*)/(.*)/(.*)/(.*)/(.*)$ /streaming/clients_live.php?token=$1&username=$2&password=$3&segment=$6&stream=$4&key_seg=$5 break;
                                rewrite ^/timeshift/(.*)/(.*)/(.*)/(.*)/(.*)\.(.*)$ /streaming/timeshift.php?username=$1&password=$2&stream=$5&extension=$6&duration=$3&start=$4 break;
                                rewrite ^/timeshifts/(.*)/(.*)/(.*)/(.*)/(.*)\.(.*)$ /streaming/timeshift.php?username=$1&password=$2&stream=$4&extension=$6&duration=$3&start=$5 break;
                            
                                rewrite ^/(.*)/(.*)/(\d+)$ /streaming/clients_live.php?username=$1&password=$2&stream=$3&extension=ts break;
                                #add pvr support
                                rewrite ^/server/load.php$ /portal.php break;
                            
                                location /stalker_portal/c {
                                                alias /home/xtreamcodes/iptv_xtream_codes/wwwdir/c;
                                }
                            
                                #FFmpeg Report Progress
                                location = /progress.php {
                                    allow 127.0.0.1;
                                                deny all;
                                                fastcgi_pass php;
                                                include fastcgi_params;
                                                fastcgi_ignore_client_abort on;
                                                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                                                fastcgi_param SCRIPT_NAME $fastcgi_script_name;
                                }


        location ~ \.php$ {
                                                limit_req zone=one burst=8;
            try_files $uri =404;
                                                fastcgi_index index.php;
                                                fastcgi_pass php;
                                                include fastcgi_params;
                                                fastcgi_buffering on;
                                                fastcgi_buffers 96 32k;
                                                fastcgi_buffer_size 32k;
                                                fastcgi_max_temp_file_size 0;
                                                fastcgi_keep_conn on;
                                                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                                                fastcgi_param SCRIPT_NAME $fastcgi_script_name;
        }
    }
    server {
        listen 8081;
        listen 80;
        listen ####; As above this section relates to admin panel so if you're using 25500 then add this in here rather than 8081
                index index.php index.html index.htm;
        root /home/xtreamcodes/iptv_xtream_codes/admin/;

        location ~ \.php$ {
                                                limit_req zone=one burst=8;
            try_files $uri =404;
                                                fastcgi_index index.php;
                                                fastcgi_pass php;
                                                include fastcgi_params;
                                                fastcgi_buffering on;
                                                fastcgi_buffers 96 32k;
                                                fastcgi_buffer_size 32k;
                                                fastcgi_max_temp_file_size 0;
                                                fastcgi_keep_conn on;
                                                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                                                fastcgi_param SCRIPT_NAME $fastcgi_script_name;
        }
    }
}

Exit the editor and save the file and the test and reload the nginx config with the following:

Test

/home/xtreamcodes/iptv_xtream_codes/nginx/sbin/nginx -t

Reload

/home/xtreamcodes/iptv_xtream_codes/nginx/sbin/nginx -s reload

Next you need to edit the APK file and ensure the DNS address uses the DNS/IP address of the reverse proxy server and the broadcast port. E.g. http://MYNGINXPROXYDNS.NET:8080

Recompile your apk and log in and you should now be to play streams from your panel that are routed from the nginx reverse proxy.

HTTPS UPDATE

Hi All,

The above config works where there are no SSL certs on the proxy or XUI servers. I had been having trouble getting this to work on servers with SSL certs, but have now managed to get this working also, In order to get this working with SSL do the following:

1) Buy any old domain (e.g. bagofvegtables.net) from somewhere like noip and then assign your proxy servers IP address to the domain and update the A records and Nameservers.
2) Install SSL cert onto proxy server with

sudo apt-get install certbot

and then

sudo certbot certonly --standalone --preferred-challenges http -d bagofvegtables.net

3) Provide E-mail and agree to terms and allow letsencrypt to install certs.

Next on your proxy server run

sudo apt-get install nginx

Once nginx is installed run

sudo nano /etc/nginx/nginx.conf

Then enter the below as your config file contents (changing the domain name from the bagofvegtables.net one I just made up to the one you actually installed the cert for and changing the example ports listed for whatever ones you're XUI is currently configured to use and also replacing the dns to your main server from the example one entered below).

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 1024;
    multi_accept on;
}

http {

    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    server_tokens off;
    server_names_hash_bucket_size 128;
    server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    limit_req_zone $binary_remote_addr zone=one:10m rate=3r/m;
    ##
    # SSL Settings
    ##
    ssl_certificate /etc/letsencrypt/live/bagofvegtables.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/bagofvegtables.net/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/bagofvegtables.net/chain.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_dhparam dhparam.pem;
    ssl_prefer_server_ciphers on;
    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    ##
    # Gzip Settings
    ##
    gzip on;
    gzip_disable "msie6";
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_http_version 1.1;
    gzip_min_length 1100;
    gzip_buffers 16 8k;
    gzip_vary on;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;

server {
listen 80; Example HTTP Ports
listen 8080;
listen 2095;
    return 301 https://$host$request_uri;
}

server {
listen 8443; Example HTTPS Ports
listen 443;
server_name bagofvegtables.net;

ssl_certificate           /etc/letsencrypt/live/bagofvegtables.net/fullchain.pem;
ssl_certificate_key       /etc/letsencrypt/live/bagofvegtables.net/privkey.pem;
ssl_trusted_certificate   /etc/letsencrypt/live/bagofvegtables.net/chain.pem;
    ssl on;
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    access_log            /var/log/nginx/access.log;

    location / {

      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;

        proxy_pass          https://mymainserversdns.net:8443;
        proxy_read_timeout  90;
        proxy_redirect      off;
    proxy_http_version  1.1;
    proxy_cache_bypass  $http_upgrade;
    proxy_pass_request_headers on;
    proxy_max_temp_file_size 0;
    client_max_body_size 10m;
    client_body_buffer_size 128k;
    client_body_timeout 12;
    keepalive_timeout 15;
    send_timeout 10;
    proxy_connect_timeout 90;
    proxy_send_timeout 90;
    proxy_buffer_size 4k;
    proxy_buffers 4 32k;
    proxy_busy_buffers_size 64k;
    proxy_temp_file_write_size 64k;
    }
  }

}

Upon saving the nginx.conf file you will then need to run the following command:

wget --no-check-certificate "https://ssl-config.mozilla.org/ffdhe4096.txt" -O /etc/nginx/dhparam.pem

Then test if the config file is okay or if you have any errors run:

service nginx configtest

If the config file is okay then restart nginx

service nginx restart

Next you need to go to your MAIN server and update your firewall to allow connections from your proxy server IP address to your MAIN server and edit your nginx.conf to set_real_ip_from then add the ip address of your proxy server.

hi y install and funcion 5 min and later y have this error

400 Bad Request​

Request Header Or Cookie Too Large

---

nginx/1.18.0 (Ubuntu)
any solucion for this error??