How to Setup a Reverse Proxy on Home Network

  • Published on 27 Jun 2024
  • In this video, I explain how to set up a reverse proxy on your home network to eliminate the need to attach port numbers when you try to browse to your locally-hosted services. (Instead of typing "service.lan:8080", you can just type "service.lan") This is only one of the functions of a reverse proxy so if you are looking for an in-depth video on reverse proxies...this is not it.
    We will be using NGINX as our reverse proxy and we will be configuring it to proxy our requests for UNMS, Unifi Controller, Plexpy (Tautulli), and Pihole. For this to work, you need to have local DNS already configured. I have a video on how to set this up using Pihole on a Raspberry Pi.
    Timestamps:
    Drawing it out: 1:34
    Installing NGINX: 6:08
    Beginning Configuration: 8:30
    Generating Certificates: 17:20
    Updating DNS Records: 20:50
    Verifying Everything Works: 22:56
    Troubleshooting: 24:12
    Rambling Outro: 25:09
    Below are some of the configurations and commands I use in the video. Just modify them to suit your needs.
    Regular port 80 proxy.
    server {
        listen 80;
        server_name myserver.domain;
        location / {
            # proxy_pass needs a scheme; use https:// if the backend serves TLS
            proxy_pass "http://xx.xx.xx.xx:xxxx";
        }
    }
    Port 80 redirect to 443
    server {
        listen 80;
        server_name myserver.domain;
        location / {
            # the https:// scheme makes this an absolute redirect to port 443
            return 301 https://$host$request_uri;
        }
    }
    Port 443 proxy using SSL (Used for UNMS or similar)
    server {
        listen 443 ssl http2;
        ssl_certificate /etc/nginx/ssl/mydomaincert.crt;
        ssl_certificate_key /etc/nginx/ssl/myprivatekey.key;
        # TLS 1.0 and 1.1 are deprecated; offer 1.2 and 1.3 only
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:!aNULL:!MD5;
        server_name myserver.domain;
        location / {
            # match the backend: https:// if it serves TLS, http:// otherwise
            proxy_pass "https://xx.xx.xx.xx:xxxx";
        }
    }
    Port 443 proxy using SSL and header modification (Used for Unifi Controller)
    server {
        listen 443 ssl http2;
        ssl_certificate /etc/nginx/ssl/mydomaincert.crt;
        ssl_certificate_key /etc/nginx/ssl/myprivatekey.key;
        # TLS 1.0 and 1.1 are deprecated; offer 1.2 and 1.3 only
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:!aNULL:!MD5;
        server_name myserver.domain;
        location / {
            # match the backend: https:// if it serves TLS, http:// otherwise
            proxy_pass "https://xx.xx.xx.xx:xxxx";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
        # WebSocket endpoint: pass the Upgrade handshake through to the backend
        location /wss {
            proxy_pass "https://xx.xx.xx.xx:xxxx";
            proxy_http_version 1.1;
            proxy_buffering off;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
            proxy_read_timeout 86400;
        }
    }
    Ubuntu command to generate certificates and create SSL directory
    sudo mkdir /etc/nginx/ssl/
    sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/myprivatekey.key -out /etc/nginx/ssl/mydomaincert.crt
    Ubuntu command if restarting NGINX fails due to .PID file missing.
    sudo mkdir /etc/systemd/system/nginx.service.d
    printf "[Service]\nExecStartPost=/bin/sleep 0.1\n" | \
        sudo tee /etc/systemd/system/nginx.service.d/override.conf
    sudo systemctl daemon-reload
    sudo systemctl restart nginx
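
A pre-reload check for server blocks like the ones above, added here as an example and not part of the video or its description: it flags TLS versions older than 1.2 in ssl_protocols, proxy_pass targets and redirects that lack a scheme, and a misspelled X-Forwarded-For header. The function names, the sample config and the 192.0.2.10 address are constructed for illustration, and the parser assumes one directive per line.

```python
# Added example (not from the video): names and sample data are constructed.
# Assumes one directive per line; 192.0.2.10 is a documentation address.
DEPRECATED_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
FORWARD_HEADERS = {"x-forwarded-for", "x-forwarded-proto", "x-forwarded-host"}

SAMPLE_CONF = """\
server {
    listen 80;
    server_name service.lan;
    location / {
        return 301 $host$request_uri;
    }
}
server {
    listen 443 ssl http2;
    server_name service.lan;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location / {
        proxy_pass "192.0.2.10:8443";
        proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
    }
}
"""
# The same constructed blocks with each finding corrected.
FIXED_CONF = (SAMPLE_CONF
              .replace("301 $host", "301 https://$host")
              .replace("TLSv1 TLSv1.1 TLSv1.2", "TLSv1.2 TLSv1.3")
              .replace('"192.0.2.10', '"https://192.0.2.10')
              .replace("X-Forward-For", "X-Forwarded-For"))

def directives(conf):
    """Yield (line_no, name, args) per directive, skipping comments and braces."""
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip().rstrip(";{").strip()
        if line and line != "}":
            name, *args = line.split()
            yield no, name, [a.strip("\"'") for a in args]

def lint(conf):
    """Return a list of (line_no, message) findings for the four checks."""
    out = []
    for no, name, args in directives(conf):
        if name == "ssl_protocols" and DEPRECATED_TLS.intersection(args):
            old = " ".join(sorted(DEPRECATED_TLS.intersection(args)))
            out.append((no, "deprecated protocols enabled: " + old))
        elif name == "proxy_pass" and args:
            if not args[0].startswith(("http://", "https://", "$")):
                out.append((no, "proxy_pass target has no http:// or https:// scheme"))
        elif name == "return" and len(args) > 1 and args[0].startswith("3"):
            if not args[1].startswith(("http://", "https://", "$scheme", "/")):
                out.append((no, "redirect target has no scheme or leading slash"))
        elif name == "proxy_set_header" and args:
            header = args[0].lower()
            if header.startswith("x-forward") and header not in FORWARD_HEADERS:
                out.append((no, "misspelled forwarding header: " + args[0]))
    return out

if __name__ == "__main__":
    print(*(f"line {n}: {m}" for n, m in lint(SAMPLE_CONF)), sep="\n")
```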

Comments • 69

  • @jawadhasan80 3 years ago +2

    I am surprised to see how complete your video is, even though you mentioned that you don't know much of the configs. They all fit nicely in the flow and are very understandable. Great job.

  • @devious_mud 2 years ago +2

    Glad I randomly found this video. Probably the best tutorial I’ve seen all month and believe me I’ve watched too many to try to get everything running. Cheers.

  • @riddockc 3 years ago +7

    OMG!!! This video is SOLID-EFFING-GOLD!! I have literally watched 100 other videos that were c-r-a-p examples....this is the first one that actually worked! and did not make me feel stupid for not understanding this stuff....awesome work Toasty!!!!

  • @AndreasBodin 1 year ago +1

    Thank you for this! Great walkthrough/tutorial in a step-by-step way.

  • @merlingt1 11 months ago +1

    Wow this actually helped me resolve my issue. Thank you for explaining this in simple terms.

  • @electrotsmishar 3 years ago +2

    The best tutorial in this topic I've seen

  • @RaulVieira 3 years ago +5

    Your video is a great contribution to all of us who need these computer tools, but we are not programmers or coders. Very clear and explanatory within a simple and informative language. I encourage you to make another video (as a second part) for the use of the reverse proxy for other services or servers, along with the use of SSL Let’s Encrypt certificates. Thanks a lot.

  • @str010 4 years ago

    thnQ thnQ thnQ thnQ. finally, someone can speak details

  • @michaelcooper5490 3 years ago +5

    Nice job explaining in layman's terms, I appreciate the work you put into this. No need to really explain the inner workings it is good for them to research it on their own to learn. Again Good Job on the video, thanks.

  • @alexmason7393 3 months ago +1

    Awesome tutorial. But for me I would separate the config file based on the host you want to connect, that way if I messed up the config it will not affect the other host. Also, always use sudo nginx -t to test the configuration before actually applying the config. And finally, I would always do sudo nginx -s reload to load the configuration without having to restart the service.

  • @Tntdruid 4 years ago +3

    Nice guide 👍

  • @zacbolick528 3 years ago +3

    When 4:28 hits I was like this guy is dope sounding like a sys admin

  • @itprof7895 3 years ago +1

    Everything is well explained. For Font size to be visible I had to use bootaddam

  • @artjomd12 4 years ago +3

    Thank you! :-)

  • @albertoarielarce2982 3 years ago +1

    Thanks a lot!

  • @emreru5687 4 years ago +1

    thanks man

  • @uuu12343 1 year ago +1

    Hi! I'm recently getting into nginx, found out that nginx supported reverse proxy so I'm now giving it a try.
    Thanks so much for this video, everything is so useful and easy to understand.
    If I may clarify, so if I understood correctly, the "server_name" key in the config file doesn't define a domain server name, but essentially tells the nginx server that "this server block is for the specified server address".
    But the domain name itself still has to be defined in a DNS server like Pihole because nginx itself doesn't define any domain names, right?

  • @citystar2000 4 years ago +1

    ty ty

  • @Ender_Wiggin 3 years ago +4

    why you not do it in unraid! darn would have loved that

  • @pedrogmiller 4 years ago

    Thank you for the video @Toasty_answers,
    Are you using different devices/servers for each application (UNMS, Unifi)? I see different IP addresses for UNMS and Unifi...
    can they be installed in the same server and just use different ports ?

    • @ToastyAnswers 4 years ago +1

      I use separate VMs for each application hosted between two physical servers which is why there is a unique IP for every service. You should be able to run both UNMS and Unifi on the same host without much issue. UNMS uses 80/443 while Unifi uses 8080/8443 by default, so you could just point NGINX to the corresponding port number. I can't recall off the top of my head if they have any overlapping ports for control traffic though...

    • @pedrogmiller 4 years ago

      @ToastyAnswers XD I forgot that we could use VMs for each application. I'm also having trouble with pi-hole because if you install it, it will run on lighttpd and if we stop it to install nginx, pihole will stop working. I'm trying to install everything on the same machine but maybe it's not the easiest way :P

    • @ToastyAnswers 4 years ago +1

      Using multiple VMs is my preferred way to do it for simplicity and to avoid the situation you find yourself in.
      The reason one of them stops working is because each of them functions as a web server. Pihole runs lighttpd on port 80 which listens for requests, but NGINX also listens for requests on port 80. For this reason, one of them causes the other to not function correctly. To get around this, you can change the port lighttpd uses. Then, you could configure NGINX to forward requests for the Pihole to this unique port number unless you want to manually specify the port number for Pihole.
      The more services you try to stack on top of each other, the more you're going to run into issues like this. My recommendation would be to leave NGINX default (listening on ports 80/443) and manually configure conflicting ports on all other applications. Things can get hairy though, which is why I choose the simple route and use separate VMs (or dockers) for every service.

  • @xXsomberXx 5 months ago

    Do you need to have those domain names after "server_name" created like in a DNS server or are you just creating them in the nginx config file?

    • @ToastyAnswers 4 months ago

      They're also created in an external DNS server ahead of time.

  • @officialViVi6 4 years ago

    I'm extremely new to reverse proxy, what that means is know nothing at all about how it works. Or at least I didn't till I saw the beginning of your video. That explained it so well! Thank you for that! But once you started explaining how to set it up, you completely lost me :( can anyone else point me to a more dumbed down version on setting up a reverse proxy. I am not able to find anything on the internet on how to do that. All the tutorials get extremely confusing after about step 2.

  • @techsapphire 4 years ago

    can I reverse proxy any website on my domain?

    • @ToastyAnswers 4 years ago

      Theoretically, yes. However, some are a lot more complicated than others. These are just the ones I know how to configure.

  • @ShivkantBaghel 4 years ago

    Thank you for the information brother but I'm facing a small issue that only js and CSS is not loading in my reverse proxy. It would be a great help if you can help me.

    • @ToastyAnswers 4 years ago +1

      This is something I struggle with as well and I'm not really qualified to answer haha.
      I was able to figure out how to set this up for a handful of applications, but I'm not an expert with reverse proxies and there are a TON of additional options which can be configured. There are a few applications I've never been able to fully pass through the proxy. I wish I could help... but this one was a bit out of my range of expertise.
      I can only speculate that there are probably some proxy_pass statements that need to be added to the configuration in order to forward the headers for js and CSS properly.

  • @donjohnfernandez8781 3 years ago

    Great Tutorial! Can mobile devices resolve this kind of domain?

    • @ToastyAnswers 3 years ago

      Yes, this will work on mobile devices as well. As always, there may be more or less configuration required depending on the application or page you are putting through the proxy.

  • @mohsenpoodat998 2 years ago +1

    👌

  • @ZackTrousdale 3 years ago +2

    am i the only one who noticed this dude sounds so much like Casually Explained lol

  • @jonathankeenan80 4 years ago

    Hi, I have an Asus router running ddwrt on wifi client mode attached to a router that I do not have access to the port forwarding settings. I'm trying to get openvpn to connect to the external ip but, I don't have the ability to port forward on the other router which is the isp modem/router arris cable modem because, I don't own the Arris modem. Can a reverse proxy be the solution to this problem? If it isn't can you point me in the right direction?

    • @ToastyAnswers 4 years ago +1

      Unfortunately, a reverse VPN isn't going to solve your problem. Outside traffic still needs to hit the proxy, and you would need port-forwarding of some sort to accomplish this.
      However, if you are able to replace your ISP modem/router with something you own then you would be able to do the necessary configuration. Or, you could check the IP you are receiving on your DDWRT router and see if the ISP modem/router is just passing through the public address. If it is, then you can configure port forwarding as normal.
      Because of the way TCP/IP works, you have to be able to establish a connection into your network from outside, and NAT and firewalls get in the way of this.

    • @jonathankeenan80 4 years ago

      @ToastyAnswers Oh Ok, so port forwarding is required if you want to connect to anything from the wan? What I meant to say was the isp modem is owned by someone else in the residence I'm living in but, I don't think they want me in the interface of the isp modem. Also, is it possible by any means to connect to any service from the wan other than this? I'm using ssh tunneling but, is there a way to get past the firewall of the router I don't have access to that my router is connected to for internet access? I'm trying to securely set up a remote file server. At the moment I just want to open port 443 which ssh is listening on over the wan of my router but, the other router I can't get access to the port forwarding.

    • @ToastyAnswers 4 years ago +1

      Generally speaking, port-forwarding is required in order to access an internal resource (your reverse proxy) from an external source (anything outside your local network). However, there are a couple ways around this such as reverse-ssh tunneling, but these require a third device somewhere on the internet that can be used as a relay. I don't really have any experience with this, so I can't be of much help in this area, but maybe you are aware of this since you brought up ssh tunneling.
      The problem you run into is NAT and/or Firewall rules on the ISP router. Anything from the public internet is going to try to access the public IP of the ISP router on a specific port number (i.e. port 443 from a random public IP). The ISP router isn't going to have an existing "NAT translation" using port 443 as the local destination, so it is going to assume the traffic is destined for the router itself. Since the router isn't (or...should not be...) running any service on port 443 accessible from the outside, the traffic will be dropped.
      If someone else owns the router, you could see if they don't mind forwarding that port. If you can't get that port forwarded you will have to do something creative using a relay elsewhere on the internet and establishing a connection to the relay.
      Also, a reverse-proxy isn't required for any of this. Typically, you use a reverse proxy if you are trying to achieve load-balancing between multiple servers, an additional layer of security, or you have multiple servers either using the same port or non-standard port numbers. For a single machine, you could simply forward (or relay) the traffic directly to/from that machine.

  • @akashrajvanshi6362 3 years ago +1

    Try nginx proxy manager (docker)... saves you a ton of your time

    • @ToastyAnswers 3 years ago +1

      I think I've given this a shot in the past and couldn't get it running properly. Looked like a great tool though!

  • @Gyhvthhfdcvv 2 years ago

    I skipped some of the video so maybe I missed it but how do I make dns queries go from my dns server to nginx and then back to the client

    • @ToastyAnswers 2 years ago

      I'm not really sure what you are asking, but you would configure your DNS server to point the configured FQDN to the NGINX server. When the NGINX server receives the traffic it will know where to send it based on the headers.
      Basically, anything handled by your NGINX reverse proxy will have the IP of the NGINX server in DNS for each FQDN.

  • @RodmanB1 1 year ago

    how fast of computer do I need? I have an old XP machine I was hoping to use.

    • @ToastyAnswers 1 year ago

      I don't know the specifics, but this can run on pretty low-end hardware. I'd imagine an XP machine would be capable.

  • 3 years ago

    Sir Can Guide Me How To Setup Reverse Proxy On Server-B With Nginx And Redirect To Server-A
    I Am Currently Doing That Via aaPanel But Its Not Stable.
    Please Guide Me With Another Way.
    Thanks

  • @piousminion7822 2 years ago

    Question. nginx makes it so easy, but I don't want to install another server. Can you make a video that shows how to do it with Apache? Everything I've tried from google/serverfault simply doesn't work. :(

    • @ToastyAnswers 2 years ago

      I tried the Apache path once and couldn't ever really get it to do what I want. I would definitely make a video on this if I knew how.

  • @John_Doe_6996 2 years ago +1

    The "squiggly bracket" is called a "curly brace". Good video though.

  • @gamimayur7805 3 years ago

    Where is mentions documents root path
    I have to node

  • @zucc9291 3 years ago

    Would this method work with a steam dedicated server?

    • @ToastyAnswers 3 years ago

      Possibly... I could see the benefit but I couldn't begin to tell you how to set it up or if it would work as expected.

    • @zucc9291 3 years ago

      Toasty Answers yeah, I was thinking I could do this so my ip is better hidden

    • @zucc9291 3 years ago

      Toasty Answers from my understanding you have to do something with upstream of whatever that is

  • @renderedpixels4300 2 years ago

    Couldn't for the life of me get pihole to work... my browser continually says there's a dns error despite pihole being updated and restarted.

    • @ToastyAnswers 2 years ago

      Are you seeing any traffic on the PiHole dashboard? Check your interface settings in the PiHole and make sure it will respond to DNS requests on any interface or network. Sometimes this causes it not to work at all if your network is set up differently than normal.

  • @fuzzlabrador 4 years ago

    ..............# Port 80 redirect to 443
    server{
    listen 443;
    server_name myserver.domain;.............
    should be listening to port 80 in the description.

    • @ToastyAnswers 4 years ago

      Great catch! It has been changed. Thank you!

  • @arete_ 1 year ago

    Please for the love of God rename this video to LINUX