How to run a reverse proxy VM on your BI...

General discussion about Blue Iris
mr2u53
Posts: 18
Joined: Fri Jan 17, 2020 2:17 am

Re: How to run a reverse proxy VM on your BI...

Post by mr2u53 »

HeneryH wrote: Tue Jan 21, 2020 4:38 pm Do you have a domain name that you have control over? If so, you can use free Let's Encrypt certificates to secure your web traffic.
Do I have to host it or just own it?
mr2u53
Posts: 18
Joined: Fri Jan 17, 2020 2:17 am

Re: How to run a reverse proxy VM on your BI...

Post by mr2u53 »

HeneryH wrote: Tue Jan 21, 2020 4:46 pm Nginx works by matching patterns in the URL to figure out the desired destination. If you don't have multiple web servers or domain names then you can just put the configs below in the default config.

FYI on Nginx Install Warns - You may see these warnings and can edit the main config file.

Code:

[warn] 21183#0: could not build optimal types_hash, you should increase either types_hash_max_size: 2048 or types_hash_bucket_size: 64; ignoring types_hash_bucket_size

cd /etc/nginx
vi nginx.conf # add an include for the sites-enabled directory (if you are using them), fix the warns
# server_names_hash_bucket_size 64;
I have multiple domain names I like to route separately

Code:

mkdir /etc/nginx/sites-enabled
vi /etc/nginx/sites-enabled/domain1.com.conf
vi /etc/nginx/sites-enabled/domain2.com.conf
## you most likely don't need this #htpasswd -c /etc/nginx/.htpasswd jjflynn22  # the -c only for first time # this is for passwords in Nginx

nginx -s reload  # after changes force a reload of configs
Put this relevant line in either your default or specific config.

Code:

        location / {
                proxy_pass http://192.168.1.10:81;  # <--- where this is your BI instance
        }
And where does all this go? Do I access a config file or type it into the terminal?
HeneryH
Posts: 692
Joined: Thu Jul 18, 2019 2:50 pm

Re: How to run a reverse proxy VM on your BI...

Post by HeneryH »

There are two configs: one for the app and any number of site-specific ones.


The file "/etc/nginx/nginx.conf" has the correction to get rid of the warning and also links to any separate website specific confs.

Code:

# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 4048;      ###### <----- this corrects the warning

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    server {                                            ###### <----- this is the default server if there are no other blocks that match
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  _;
        root         /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location /                            {      ###### <----- You can put the proxy command here if you would like and don't have any other web configs
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

    include /etc/nginx/sites-enabled/*.conf;                ###### <----- Many people serve multiple virtual web servers 
}
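
A site-specific config of the kind this thread describes, as an added example that is not part of HeneryH's posts: two `server` blocks that the `include /etc/nginx/sites-enabled/*.conf;` line above would load, each matched by host name. `domain1.com`, `domain2.com` and `192.168.1.10:81` come from the thread; the second backend address, the forwarded headers and the timeout values are assumptions.

```nginx
# /etc/nginx/sites-enabled/domain1.com.conf  (added example)
# Requests whose Host header is domain1.com go to the BI instance.
server {
    listen      80;
    listen      [::]:80;
    server_name domain1.com;

    location / {
        proxy_pass http://192.168.1.10:81;   # BI address used in the thread

        # Pass the original host name and client address to the backend,
        # so anything that reads these headers sees the real client
        # instead of the proxy VM.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Camera streams are long-lived responses: hand data to the client
        # as it arrives and allow more than the default 60s between reads.
        proxy_http_version 1.1;
        proxy_buffering    off;
        proxy_read_timeout 300s;
    }
}

# /etc/nginx/sites-enabled/domain2.com.conf  (added example)
# A second name on the same public IP, routed to a different machine.
server {
    listen      80;
    listen      [::]:80;
    server_name domain2.com;

    location / {
        proxy_pass http://192.168.1.20:8080;  # assumed address of another web server
        proxy_set_header Host            $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# Requests that match neither name (for example, by bare IP address)
# fall through to the "default_server" block in nginx.conf.
```

Running `nginx -t` checks the combined configuration for syntax errors before `nginx -s reload` applies it.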
HeneryH
Posts: 692
Joined: Thu Jul 18, 2019 2:50 pm

Re: How to run a reverse proxy VM on your BI...

Post by HeneryH »

mr2u53 wrote: Tue Jan 21, 2020 4:58 pm
HeneryH wrote: Tue Jan 21, 2020 4:38 pm Do you have a domain name that you have control over? If so, you can use free Let's Encrypt certificates to secure your web traffic.
Do I have to host it or just own it?
Anyone can hit this server by just IP address. No problem using the default nginx server block.

If you have a domain name that resolves to your home IP address, you can set up free certificates. Now that I think about it, you really don't even need full access to the DNS records. As long as it resolves to your home IP you can set the certificates. This would be the next step after getting your reverse proxy to work.
chuckt
Posts: 5
Joined: Tue Dec 31, 2019 7:53 pm

Re: How to run a reverse proxy VM on your BI...

Post by chuckt »

OK, I just wanna get this straight in my head... You’re running a Linux (Fedora) VM, set up with VirtualBox, and a little help from XTerm. This is all on the Windows BI machine so you can run an Nginx Reverse Proxy server. Which should be more secure than Port Forwarding for UI3.

Is that about right? Sounds awesome.

I just got a new miniPC that has Win10Pro installed on it. I got BI4 running on it with a brand new license just last night. I know I can run VMs with 10Pro so I was thinking I’d go that route, but I’ve also been thinking about Linux. I also have an ISO of Server2016 I thought I might try. Anyway, do you think it’s significantly more secure to go with the Linux VM? Or, is it also easier to set up & maintain? I was planning a FreeNAS VM in the future also.
Last edited by chuckt on Fri Jan 24, 2020 5:54 pm, edited 1 time in total.
chuckt
Posts: 5
Joined: Tue Dec 31, 2019 7:53 pm

Re: How to run a reverse proxy VM on your BI...

Post by chuckt »

It seems like I would need a static IP from my ISP to keep the SSL certs working, or can DDNS take care of that?
Thixotropic
Posts: 744
Joined: Wed Sep 04, 2019 7:20 pm
Location: Low-Earth Orbit

Re: How to run a reverse proxy VM on your BI...

Post by Thixotropic »

chuckt wrote: Thu Jan 23, 2020 10:52 pm It seems like I would need a static IP from my ISP to keep the SSL certs working, or can DDNS take care of that?
I posted a short bash script here that I use (on my Linux Mint box) for uploading the current WAN IP whenever my PC reboots. It puts the IP in a text file and uploads it to one of my servers, so if I'm somewhere else and it changes (like from a power outage) all I need to do is go to the site and view the text file.

I use the webserver built into BI and it seems to work as it should.
Blue Iris 5.x x64 | Windows 10 Pro x64 | 16GB RAM | i7-7700 3.6 GHz | 1TB HDD | 2TB RAID NAS | 9 Cameras | Almost Dual NIC | 2KVA UPS
HeneryH
Posts: 692
Joined: Thu Jul 18, 2019 2:50 pm

Re: How to run a reverse proxy VM on your BI...

Post by HeneryH »

chuckt wrote: Thu Jan 23, 2020 10:52 pm It seems like I would need a static IP from my ISP to keep the SSL certs working, or can DDNS take care of that?
Yes, either static or DDNS. I use a service on my main PC box to update my DDNS service. There are many options and it can be updated by any machine on your home network. I actually ended up paying a small fee for some extra benefits I found useful.
brad2388
Posts: 1
Joined: Wed Feb 05, 2020 1:57 am

Re: How to run a reverse proxy VM on your BI...

Post by brad2388 »

Will this work behind a cgnat?
Iris
Posts: 1
Joined: Thu Feb 06, 2020 2:37 am

Re: How to run a reverse proxy VM on your BI...

Post by Iris »

HeneryH wrote: Sat Jan 18, 2020 9:06 pm
  • The reverse proxy can accept incoming connections and route those connections to BI or whatever other servers you may have running. I have a BI instance running in my home but also several other servers. The single reverse proxy knows what the incoming connection looks like and routes appropriately.
HeneryH, am I correct in assuming the solution you've outlined in this thread will allow me to host a WordPress website on a VM on a Windows Server also running Blue Iris...and make it look like the Blue Iris camera feeds are in a subdirectory of the WordPress website?

Second, is it possible to set an htaccess or NGINX rule that will, in effect, intercept connection attempts to anything within the subdirectory used to view Blue Iris camera feeds?

I have an htaccess rule that says, "If trying to access anything within a certain directory, in this case /wp-content/uploads/, instead load a PHP file, which checks to see if the traffic or connection meets certain conditions, in this case is logged into the site as a user in the WordPress database." But would this actually work with a Blue Iris camera feed that originates from the same place, accomplished presumably through a reverse proxy, when it is not technically a file?