Welcome to the forum, Guest

TOPIC: Yacreader Server Behind Nginx Reversed Proxy

Yacreader Server Behind Nginx Reversed Proxy 6 months 2 days ago #5247

Joe

Offline

Fresh Boarder

Posts: 13

Thank you received: 1

Karma: 0

To the YacReader team,

I just dicovered your work and bought your really well made ios application.

As I wanted to access it on the internet, I set it behind a nginx server reverse proxy.

This way, it is possible to give it a name and a letsenctrypt ssl certificate.

It is even possible to set a basic http authentication.

I can now access the server in the ios application by putting the address : login:password@domain.tld

My only problem so far is that the ios application do not accept https but only http , so the login and password can be passed securely to nginx. It has forced me to base64 encode the informations, and even there, it not secured.

Would you be so kind to allow https communication in the ios application so we can pass our login and password securely ?

Regards,

Joe

PS : Here is my very basic nginx configuration
server {
    listen       80 ;
    server_name  domain.tld;
    return       301 https://domain.tld$request_uri;

    access_log /var/log/nginx/yac.access.log;
    error_log /var/log/nginx/yac.error.log;

}


server {
    listen 443;

    server_name domain.tld;
    client_max_body_size 10G;
    auth_basic "yac";
    auth_basic_user_file "/etc/nginx/passwd/yac_passwd";

    ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;

    #enables all versions of TLS, but not SSLv2 or 3 which are weak and now deprecated.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    #Disables all weak ciphers
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SH$
    ssl_prefer_server_ciphers on;


    location ~* ^/(img|css|font|js)/ {
        try_files $uri @yac;
    }

    location / {
        try_files $uri @yac;

    }


    location @yac {
        # Adapt this to your configuration

       proxy_pass  http://127.0.0.1:9999;

        # Really important! Lufi uses WebSocket, it won't work without this
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # If you want to log the remote port of the image senders, you'll need that
        proxy_set_header X-Remote-Port $remote_port;
        proxy_set_header X-Forwarded-Proto $scheme;

        # We expect the downsteam servers to redirect to the right hostname, so don't do any rewrites here.
        proxy_redirect     off;
    }
}
Last Edit: 6 months 2 days ago by Joe.
The administrator has disabled public write access.

Yacreader Server Behind Nginx Reversed Proxy 6 months 2 days ago #5248

selmf

Offline

Developer

Posts: 553

Thank you received: 115

Karma: 11

Hi Joe,

nice to see someone doing things properly and not just exposing the server to the whole world. YACReader for iOS is closed source, so Luis needs to act for it to support https, though I think he'll be forced to add it sooner or later anyways thanks to Apple appstore regulations.
You could also set up a ssh tunnel instead and just forward the local YACReader port to your iOS device. That also would add authentification and encryption and you would be independent from the app's capabilities.
My answers are not necessarily official YACReader statements but mostly represent my own opinion in technical matters.
The administrator has disabled public write access.
The following user(s) said Thank You: Joe

Yacreader Server Behind Nginx Reversed Proxy 6 months 2 days ago #5249

Joe

Offline

Fresh Boarder

Posts: 13

Thank you received: 1

Karma: 0

Hi selmf,

Thanks for your quick answer.

I did think and actually did try the ssh tunnel solution (with openvpn) which works very well as you said, but being on freeBSD 11.3 locally, I did not managed to build the YacReader server : I passed an afternoon to compile it but with all dependencies it throws a lot of errors and I could not go as far as the other user on the linux subforum (I will probably add a post to his then).

Thanks anyway, I will keep an eye on this ssl support Luis may add in the future !

Regards,

Joe
The administrator has disabled public write access.
Powered by Kunena Forum