How to run a reverse proxy VM on your BI...

General discussion about Blue Iris
HeneryH
Posts: 678
Joined: Thu Jul 18, 2019 2:50 pm

Re: How to run a reverse proxy VM on your BI...

Post by HeneryH »

Next up is updating your OS using the command line tools and installing Nginx and setting it up as a reverse proxy. I'll paste the commands here so that will be easy to do.
HeneryH
Posts: 678
Joined: Thu Jul 18, 2019 2:50 pm

Re: How to run a reverse proxy VM on your BI...

Post by HeneryH »

Upgrade the core operating system. As far as noting the differences between Fedora and Ubuntu, one of the most visible is that Fedora uses yum or dnf while Ubuntu uses apt-get. So any package install or update will be different.

We want to update the OS and install the nginx package as well as the http-tools package that will help with adding authenticated users.

Fedora
https://docs.fedoraproject.org/en-US/qu ... m-upgrade/

Code:

su  # switch to a root shell, otherwise put "sudo" in front of every command below.

dnf update -y --refresh
dnf install -y nginx httpd-tools  # https://fedoraproject.org/wiki/Nginx
systemctl enable nginx.service
systemctl stop nginx.service # stop/start/restart the process with these commands
systemctl start nginx.service
systemctl restart nginx.service
nginx -s reload # reload the config without restarting the process

Ubuntu
https://itsfoss.com/update-ubuntu/

Code:

sudo ls  # I like to do a simple command such as ls with root to get the password question out of the way, then you can paste the following commands with multiple lines in one paste.
sudo apt update
sudo apt upgrade -y
sudo apt install -y nginx apache2-utils  # https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-ubuntu-18-04
sudo systemctl start nginx  # stop/start/restart the process with these commands
sudo systemctl stop nginx
sudo systemctl restart nginx
sudo systemctl reload nginx # reload the config without restarting the process

This gets us a running web server with a sample web page BUT... we might need to tweak the security settings for each distribution to allow connections from outside the server itself (kind of like Windows Firewall).

SELinux is the aspect of Linux that is controlling extra security which is very important in commercial deployments. I know that Fedora has this turned on by default, not sure about Ubuntu. I will experiment with Ubuntu today and report back.
Last edited by HeneryH on Sun Jan 19, 2020 9:13 pm, edited 3 times in total.
HeneryH
Posts: 678
Joined: Thu Jul 18, 2019 2:50 pm

Re: How to run a reverse proxy VM on your BI...

Post by HeneryH »

Relax some of the Fedora SELinux controls and let http and https through the firewall...

Fedora

Code:

# while still under the su root shell or put "sudo" in front of every command below.

# THIS IS AN EDITOR COMMAND, get used to your to-be favorite command line editor.  If you use vi or emacs you have entered geek zone.  Embrace it!!!
vi /etc/selinux/config  # edit this file and set protection level to "permissive"

dnf install -y setroubleshoot-server policycoreutils-python-utils
sealert -a /var/log/audit/audit.log

#This was for a connect error when doing proxy-pass
setsebool -P httpd_can_network_connect 1


firewall-cmd --get-active-zones
#     FedoraServer   <-- output of active zones.  Note this response and fill in below.
#     interfaces: enp0s3
firewall-cmd --permanent --zone=FedoraServer --add-service=http
firewall-cmd --permanent --zone=FedoraServer --add-service=https
systemctl restart firewalld.service

Image

No extra steps were needed for Ubuntu
Image
Last edited by HeneryH on Sun Jan 19, 2020 9:15 pm, edited 1 time in total.
HeneryH
Posts: 678
Joined: Thu Jul 18, 2019 2:50 pm

Re: How to run a reverse proxy VM on your BI...

Post by HeneryH »

This seems like a lot, but if you have the commands queued up, it really only takes a very little amount of effort to spin one up.

Next step is to set the configuration of Nginx to act as a reverse proxy and route any incoming connections to the appropriate server (i.e. BI).
mr2u53
Posts: 18
Joined: Fri Jan 17, 2020 2:17 am

Re: How to run a reverse proxy VM on your BI...

Post by mr2u53 »

HeneryH wrote: Sun Jan 19, 2020 5:27 pm
Upgrade the core operating system. As far as noting the differences between Fedora and Ubuntu, one of the most visible is that Fedora uses yum or dnf while Ubuntu uses apt-get. So any package install or update will be different.

We want to update the OS and install the nginx package as well as the http-tools package that will help with adding authenticated users.

Fedora
https://docs.fedoraproject.org/en-US/qu ... m-upgrade/

Code:

$ su  # switch to a root shell, otherwise put "sudo" in front of every command below.

dnf update -y --refresh
dnf install -y nginx httpd-tools  # https://fedoraproject.org/wiki/Nginx
systemctl enable nginx.service
systemctl stop nginx.service # stop/start/restart the process with these commands
systemctl start nginx.service
systemctl restart nginx.service
nginx -s reload # reload the config without restarting the process

So this is the error I am getting when I upgrade

Image
HeneryH
Posts: 678
Joined: Thu Jul 18, 2019 2:50 pm

Re: How to run a reverse proxy VM on your BI...

Post by HeneryH »

Do the su command first and by itself because you need to enter your password to get the root shell.

Maybe you pasted the other commands right behind it and the su didn't work.
mr2u53
Posts: 18
Joined: Fri Jan 17, 2020 2:17 am

Re: How to run a reverse proxy VM on your BI...

Post by mr2u53 »

HeneryH wrote: Tue Jan 21, 2020 1:50 pm
Do the su command first and by itself because you need to enter your password to get the root shell.

Maybe you pasted the other commands right behind it and the su didn't work.

Success

Image
HeneryH
Posts: 678
Joined: Thu Jul 18, 2019 2:50 pm

Re: How to run a reverse proxy VM on your BI...

Post by HeneryH »

Awesome, next is configuring the Nginx to act as a reverse proxy. I'll paste those steps in just a few minutes.

Do you have a domain name that you have control over? If so, you can use free Let's Encrypt certificates to secure your web traffic.
HeneryH
Posts: 678
Joined: Thu Jul 18, 2019 2:50 pm

Re: How to run a reverse proxy VM on your BI...

Post by HeneryH »

Nginx works by matching patterns in the URL to figure out the desired destination. If you don't have multiple web servers or domain names then you can just put the configs below in the default config.

FYI on Nginx Install Warns - You may see these warnings and can edit the main config file.

Code:

[warn] 21183#0: could not build optimal types_hash, you should increase either types_hash_max_size: 2048 or types_hash_bucket_size: 64; ignoring types_hash_bucket_size

cd /etc/nginx
vi nginx.conf # add an include for the sites-enabled directory (if you are using them), fix the warns
# server_names_hash_bucket_size 64;

I have multiple domain names I like to route separately

Code:

mkdir /etc/nginx/sites-enabled
vi /etc/nginx/sites-enabled/domain1.com.conf
vi /etc/nginx/sites-enabled/domain2.com.conf
## you most likely don't need this; it is for passwords in Nginx
# htpasswd -c /etc/nginx/.htpasswd jjflynn22  # the -c only for first time

nginx -s reload  # after changes force a reload of configs

Put this relevant line in either your default or specific config.

Code:

        location / {
                proxy_pass http://192.168.1.10:81;  # <--- where this is your BI instance
        }
Last edited by HeneryH on Tue Jan 21, 2020 6:52 pm, edited 1 time in total.
HeneryH
Posts: 678
Joined: Thu Jul 18, 2019 2:50 pm

Re: How to run a reverse proxy VM on your BI...

Post by HeneryH »

Here is my full config in the sites-enabled directory, but I am using Let's Encrypt which takes much of the http config and moves it to the https config then reroutes incoming http to https:

Code:

server {
    server_name  video.[mydomain].org;
    root         /usr/share/nginx/html;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
        # proxy_pass http://i9-9900k:81; # lately I was getting errors on start on boot due to hostname not found.
        proxy_pass http://192.168.1.151:81;
    }

    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/flynnhome.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/flynnhome.org/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    if ($host = video.[mydomain].org) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    listen       80;
    listen       [::]:80;
    server_name  video.[mydomain].org;
    return 404; # managed by Certbot


}
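
A possible hardened version of the `location /` block from the posts above, added here as an example and not part of the original thread: it puts an Nginx password in front of Blue Iris for clients outside the LAN and passes the original host and client address to the backend. The 192.168.1.0/24 subnet and the realm text are assumptions; the backend address and the /etc/nginx/.htpasswd path are the ones used earlier in the thread.

```nginx
# Added example, not from the original posts. It goes inside the HTTPS
# (listen 443 ssl) server block, in place of the plain "location /" block.
location / {
    # Access control: LAN clients pass by address, everyone else must log in.
    # "satisfy any" means EITHER the allow/deny rules OR basic auth is enough.
    satisfy any;
    allow 192.168.1.0/24;    # assumption: your LAN subnet
    deny  all;
    auth_basic           "Blue Iris";            # realm text is arbitrary
    auth_basic_user_file /etc/nginx/.htpasswd;   # file created with htpasswd

    # Use the IP, not a hostname: nginx resolves proxy_pass names at startup
    # and refuses to start if the lookup fails.
    proxy_pass http://192.168.1.10:81;           # <--- your BI instance

    # Pass the original host and client address along; without these the
    # backend only ever sees the proxy's own IP.
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Do not hand the Nginx password on to the backend.
    # Assumption: Blue Iris's own login does not use the Authorization header.
    proxy_set_header Authorization "";
}
```

Create the password file with `htpasswd -c /etc/nginx/.htpasswd <user>` (drop the `-c` for later users), then check the config with `nginx -t` before running `nginx -s reload`.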