Document alternative methods of accessing Chorus (Reverse proxy, port forwarding, via addons path, etc) #133
Comments
lozbrown
changed the title
|
For example I found the following is close but does not get the streaming working, Something needs to be corrected with the vfs path. Furthermore image paths could probably be redirected properly by someone who knows how to write rewrite rules. |
|
I'd be interested in that too! |
jez500
changed the title
|
If anyone wants to submit some nice documentation on how to do this I will gladly add it to the help section in Chorus. Ideally configuration settings for Nginx, Apache & IIS |
|
Hi @jez500,
|
|
I'm pretty close for nginx but don't really understand the rewrite rules so have asked the question in a couple of places that will hopefully yield answers and I'll get back to you if i get it working properly. http://stackoverflow.com/questions/40704417/nginx-reverse-proxy-config-for-kodi-rewrite-rule |
|
I've eventually worked out that requests passed to nginx as but somehow requests passed to nginx as which works.... |
|
I have it for nginx, I must have tried hundreds of configurations and manuals etc. I may raise a request to make the references to jsonrpc and image/ relative so that the second two blocks are not required |
jez500
changed the title
|
Nicely done. I'm sure I'm not the only one who would like SSL support (HTTP/2 would be ideal). ;) |
|
Hey @lozbrown When I try to use your configuration from November 25th, it just gives me an error 500 when I go to www.mydomain.com/kodi My setup in nginx for /kodi /image /jsonrpc is exactly as yours, except I use port 8585 instead so I just replaced 5555 with 8585. Do you know if I've done anything wrong? |
|
@lozbrown,
If enabled, /jsonrpc and /image locations aren't needed (doesn't seem to work?). Alternatively the 2 locations can be combined to save some typing. @Drsela, @Zelaf, your 500 errors are likely due to no trailing slash in your URL. Instead of: try: Alternatively, you can add another rewrite rule to add trailing slash. @war59312, you should be able to use standard method to enabled SSL in nginx. As for WebSocket over HTTP/2.0, my understanding is it is not yet supported (pending RFC?). To wrap everything up, here is a mostly complete example with trailing slash rewrite and SSL support. Thanks again @lozbrown! EDIT: commas should be spaces in server_name |
|
HUGE thanks for this @druchoo but can you edit everything that needs to be edited with something like "edit-this" as a place holder because when setting it up I only got to the nginx on debian page. Thanks again. EDIT: found out why, was being stupid, do you know how to make it on root and not on /kodi ? |
|
@Zelaf, Unless you want SSL and/or want to change the port (<=1024) then you really don't need nginx. Nevertheless, here's a solution (most likely can be done better) which should work: |
|
Thanks for the config @druchoo but I can't connect to the websocket for some reason, know why? Thanks. |
|
@druchoo I tested adding that setting this morning and removing my location settings for image and jsonrpc and it simply didn't work, I didn't get much time to investigate so added in your neater combined config, thanks for that. One question, are you sure server_name needs the commas between names? I've found space separated examples. |
|
Thanks, that did the trick! I also enabled reverse proxy support within the web interface and still used the image and jsonrpc paths just to be sure. Everything is working flawlessy :) |
|
@druchoo Now I'm not getting web socket on the /kodi config and the / config... Am I missing something? Also the first config has a typo
instead of
|
|
Hi, config: Error - Console output: After adding following lines, it takes longer to take a timeout error, see: Thank you. Regards, Klaus |
|
Bumping this up, as I would need a reverse proxy for Kodi but using LE certs in nginx. Actually I only need it to enable remote https access to my Kodi boxes to be able to connect Sonarr/Radarr notifications (to trigger a library update). I guess I don't need websocket port for that. Any help would be appreciates. Running LE 9.0.2 on Rpi. |
|
I feel this issue can be solved pretty easily, kodi needs a configuration value for the internal port (which it has) and an external port (which is needs). The host value is there already the rest is a configuration in haproxy / nginx / apache Here is a setup (mine but you can extrapolate to something else)
If the UI would honor the websocket connections based on the configured external hostname and port (not the internal one) this solution would just work with any configuration or reverse proxy. |
|
Here is my nginx config which works fine so far. hope this helps. #
# Kodi Web
#
location /kodi {
rewrite ^ $request_uri;
rewrite ^/kodi/(.*) /$1 break;
proxy_redirect http://KODI_IP:8080 /kodi/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_pass http://KODI_IP:8080$uri;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
location /kodi/jsonrpc
{
rewrite ^/kodi/(.*) /$1 break;
proxy_pass http://KODI_IP:8080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location /kodi/image
{
rewrite ^ $request_uri;
rewrite ^/kodi/(.*) /$1 break;
proxy_pass http://KODI_IP:8080$uri;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
} |
|
Hi, Trying to configure nginx for the same purpose. Copied ileodo's config in my file, but still getting the 404 for jsonrpc and images. Is it normal to have the /kodi/jsonrpc under /kodi and not at the same level? Or does kodi needs to be configured in a special way? |
|
@jmbreuer can you paste the entire config file ? |
|
I assume you asked it to me ;-) this is what my file looks like |
|
have you enable the "reverse proxy" in the web ui settings? |
|
Hi, Yes, option is active in Web ui. After several attemps, I tried your config again, which gives this : But browsers keep giving the following messages: Firefox can’t establish a connection to the server at wss://mydomain.abc.org:9090/jsonrpc?kodi. |
|
The following setup works well, except for the WebSocket situation: server { # Kodi Chorus2
server_name <SERVER_NAME>;
listen 443 ssl;
listen [::]:443 ssl;
location ~ ^/(image|vfs)/ {
proxy_pass http://<UPSTREAM>;
}
location / {
proxy_pass http://<UPSTREAM>/;
}
# Proxy Settings
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Script-Name /; # Same from root "location" above
proxy_redirect off;
# WebSockets
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
# Basic Authentication
auth_basic "<UPSTREAM-NAME>";
auth_basic_user_file <SERVER_NAME>.auth;
# Logging
# - Write per-host logs, on the usual location
# - gzip the logs
# - Flush every 1h, losing logs is fine by me
access_log /var/log/nginx/<SERVER_NAME>.log.gz combined gzip flush=1h;
# TLS
ssl_certificate /etc/letsencrypt/live/<SERVER_NAME>/fullchain.pem;
ssl_trusted_certificate /etc/letsencrypt/live/<SERVER_NAME>/chain.pem;
ssl_certificate_key /etc/letsencrypt/live/<SERVER_NAME>/privkey.pem;
}
|
|
I noticed that the advanced options for the web interface for example "Reverse proxy support" is stored using browser local storage. That is a very strange way to store these type of settings. I think the conclusion should be that reverse proxy is just not supported / working currently. There are a great number of issues with the current setup. That aside, the fact that reverse proxy settings are stored locally is a showstopper I think. |
|
I think the biggest papercut with the web interface is not being possible disallowing access to the remote control functionality, that is, only remote viewing AKA pink Chorus. |
The problemSo I have been banging my head against this particular wall for a while, and I think the solution that needs to be achieved to make reverse proxying-associated problems go away involves not only Chorus2, but also either Kodi's built-in HTTP daemon itself (using available libmicrohttpd functionality), or a third-party, external reverse proxy that covers both Kodi's JSONRPC-over-TCP-Port as well as Kodi's HTTP-for-Chorus2-Port. The core defect/problem is that Chorus seems to expect to make a second, websockets-dedicated TCP connection to an endpoint that is available to the User Agent just like the HTTP port is. In many scenarios that is impossible, or at the very least unwise. It is also unnecessary, since HTTP in general (and afaict, also libmicrohttpd in particular) allows for the well-estyablished The proper solutionImho, the "most proper" way for Kodi to handle and implement this on its own is to
Unfortunately, I don't have enough experience with either Kodi's codebase (and C++ in general) nor libmicrohttpd's API to pull this out of my hat. I did arrive at an alternative solution, however. Alternative, hackier solutionIf the above is too much of a change to be coordinated in too many places, one could achieve a similarly clean setup when involving an external HTTP proxy server, but would need to teach Chorus2 an additional trick to make it work smoothly and transparently in all cases. Right now, the {
debug
on_demand_tls {
interval 60s
burst 2
}
}
:80 :443 {
tls internal {
on_demand
}
@websockets {
header Connection *Upgrade*
header Upgrade websocket
}
reverse_proxy @websockets 127.0.0.1:9090
reverse_proxy * 127.0.0.1:8090
}Of course, Chorus2 would also have to inherit whether or not the connection is supposed to negotiate TLS from the protocol/scheme of the HTTP(S) origin it is being served from. For this example to work, the Demo / PoCTo conveniently try this yourself on a LibreELEC box (tested on 11.0 on a Raspberry Pi 4 only, but I think it should work on any aarch64 or amd64 host running LE 10 or later), you may want to configure Kodi as described above (Webserver binding to Port 8090) and use this script to bootstrap caddy with a suitable config: #!/bin/sh
LC_ALL=C
TZ=UTC
set -x
set -u
umask 0077
dir="${CADDYDIR:-/tmp/caddy-proxy-test}"
ver="${CADDYVER:-2.6.4}"
mkdir -p "${dir}"
cd "${dir}" || exit 1
case "$(uname -m)" in
amd64)
arch=amd64
;;
aarch64)
arch=arm64
;;
*)
echo "FATAL - Unexpected CPU arch - sorry." >&2
exit 1
;;
esac
if ! netstat -ntlp | awk '/.*/{if($4 ~ /:(443|80)$/){exit 1}}'
then
echo "FATAL - You already have listeners on TCP Port 80 and/or 443. Please stop/reconfigure these." >&2
exit 1
fi
if netstat -ntlp | awk -v s=1 '/kodi.bin$/{if($4 ~ /:8090$/){s=0}} END{exit s}' >/dev/null
then
: OK, Kodi on Port 8090
else
echo "FATAL - Please configure Kodi's internal webserver (for Chorus2) to listen on TCP Port 8090." >&2
exit 1
fi
: Downloading Caddy release
curl --fail -o ./caddy.tar.gz -L 'https://github.com/caddyserver/caddy/releases/download/v'"${ver}"'/caddy_'"${ver}"'_linux_'"${arch}"'.tar.gz'
: Extracting caddy executable
tar xzf caddy.tar.gz || exit 1
cat >Caddyfile <<EOF
{
debug
on_demand_tls {
interval 60s
burst 2
}
}
:80 :443 {
tls internal {
on_demand
}
@websockets {
header Connection *Upgrade*
header Upgrade websocket
}
reverse_proxy @websockets 127.0.0.1:9090
reverse_proxy * 127.0.0.1:8090
}
EOF
chmod +x caddy || exit 1
: Executing caddy, serving HTTP and HTTPS, with Caddyfile from ${PWD} ...
: Hit Ctrl+C to stop.
exec ./caddy runAfter that, make sure to set Chorus2's Websocket host to "auto", and to match the "Websocket port" to the HTTP(S) port you use (that is, either 80 or 443) to access the caddy reverse proxy. (Please note that the Caddyfile used enables production-unsafe use of dynamic TLS certificate minting. Do not use this verbatim if the resulting caddy instance is available on a non-private network!) |
and others
Whilst there are configuration to "Enable Reverse Proxy Support" because of the use of web sockets standard configurations do not appear to work for this.
Would it be possible to update the readme or wiki for this project to include suggested configurations for common server such as nginx and apache.
I seem to remember some versions of apache do not support websocket proxy.
This site becomes much more useful when available outside the home, particularly if it can be access securely over SSL which could be achieved with the proxy
The text was updated successfully, but these errors were encountered: