github/Ombi
1
0
Fork 0
mirror of https://github.com/Ombi-app/Ombi.git synced 2024-10-17 20:51:01 -07:00
Code Issues Packages Projects Releases Wiki Activity
Page: Reverse Proxy v4
Pages
Api Information Arr Settings Authentication Settings Backups Building V4 Common Errors Customization Settings Discord Notification Settings Docker Containers DogNzb Settings Email Notification Settings FAQ Home Installation Issue Settings Job Settings Jobs Tasks Schedules Landing Page Settings Mass Email Migration procedure from SQLite to MySQL or MariaDB Mobile App Setup Newsletter Settings Notification Template Variables Ombi & Tautulli Ombi Settings Ombi v4 Custom CSS File Ombi v4 Custom Themes Prerequisites Pushbullet Notification Settings Pushover Notification Settings Request Workflow Reverse Proxy Examples Reverse Proxy v4 Roles and Notifications Settings Slack Notification Settings Startup Parameters Telegram Notifications Translations Twilio Update Settings User Importer Settings User Roles Using a different database (MySQL) on Windows Using a different database Vote Settings
10 Reverse Proxy v4
Twan Ariens edited this page 2020-12-05 11:59:26 +01:00
Table of Contents

This is an NGINX subdomain reverse proxy that DOES NOT use baseurl. I'm running Ombi v4 on "Docker for Windows" (sic) with NGINX running natively on Windows 10 via OrganizrInstaller.

# Ombi v4 Subdomain
# Replace DOMAIN.TLD with your domain
server {
    listen 80;
    server_name ombi.*;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl http2;
    server_name ombi.*;
        server_name ombi.DOMAIN.TLD;
        ssl_certificate /nginx/ssl/DOMAIN.TLD-chain.pem;
        ssl_certificate_key /nginx/ssl/DOMAIN.TLD-key.pem;
        ssl_session_cache builtin:1000;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
        ssl_session_tickets off;
        ssl_ecdh_curve secp384r1;
        resolver 1.1.1.1 1.0.0.1 valid=300s;
        resolver_timeout 10s;
		gzip on;
		gzip_vary on;
		gzip_min_length 1000;
		gzip_proxied any;
		gzip_types text/plain text/css text/xml application/xml text/javascript application/x-javascript image/svg+xml;
		gzip_disable "MSIE [1-6]\.";
    
    location / {
        proxy_pass http://127.0.0.1:5000;
	proxy_http_version 1.1;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection "upgrade";
    }
# This allows access to the actual api
location /api {
        proxy_pass http://127.0.0.1:5000;
}
# This allows access to the documentation for the api
location /swagger {
        proxy_pass http://127.0.0.1:5000;
}
}

Subdirectory Configuration

This is an NGINX reverse proxy configuration that DOES use baseurl. This has been tested both from a localhost redirect as well as through a router from a DMZ machine on Unbuntu 18.04.

The advantage of this configuration is that it allows for a single certificate to provide ssl services for many different web apps.

e.g.
www.somedomain.com/ombi
www.somedomain.com/sonarr
www.somedomain.com/radarr

You would only need to install/support a certificate for www.somedomain.com.

Important note that you should use extreme care when exposing services to the internet

This configuration is if you want to run a subdirectory configuration. Note, Ombi must be started with the --baseurl /ombi option

Location Block

location /ombi {
   proxy_pass http://<ip addr or hostname>:5000;
   include /etc/nginx/proxy.conf;
}

# This allows access to the actual api
location /ombi/api {
   proxy_pass http://<ip addr or hostname>:5000;
}
# This allows access to the documentation for the api
location /ombi/swagger {
    proxy_pass http://<ip addr or hostname>:5000;
}

proxy.conf

client_max_body_size 10m;
client_body_buffer_size 128k;

#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;

# Basic Proxy Config
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect  http://  $scheme://;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 32 4k;
proxy_redirect http://<ip addr or hostname>:5000 https://$host;

Home
New Docs Site

The wiki is dead! Long live the wiki!