Nginx Not Proxying SageX / SageAlert Properly

[KarylFStein]

I put an Nginx proxy in front of the SageTV web server. The standard EPG /sage/Home bit works fine. However, SageAlert and SageX do not.

For SageX through Nginx the page returned seems to be the HTML enclosed in something else so the site just looks like a source listing and not rendered HTML. Here is a snippit:

Code:

<html><head></head><body><pre style="word-wrap: break-word; white-space: pre-wrap;">&lt;head&gt;&lt;title&gt;Sage API - 9.0.0.8&lt;/title&gt;&lt;/head&gt;
&lt;h1&gt;Sage API - 9.0.0.8&lt;/h1&gt;
&lt;style&gt;
...

If we bypass Nginx, the output looks correct and is rendered properly in the browser:

Code:

<html><head><title>Sage API - 9.0.0.8</title></head>
<body><h1>Sage API - 9.0.0.8</h1>
<style>
.l{font-weight: bold;}
...

EDIT: Note that the Edge browser seems to render the page fine. My problems are with Chrome. I don't use Edge unless I need another browser to double check an issue.

For SageAlert it seems like connections through Nginx do not load everything. For example, these are log entries for a direct connection:

Code:

[23/Aug/2017:12:35:32 +0000] "GET / HTTP/1.1" 200 849
[23/Aug/2017:12:35:32 +0000] "GET /favicon.ico HTTP/1.1" 404 1279
[23/Aug/2017:12:35:36 +0000] "GET /sagealert HTTP/1.1" 302 0
[23/Aug/2017:12:35:36 +0000] "GET /sagealert/ HTTP/1.1" 200 2264
[23/Aug/2017:12:35:36 +0000] "GET /sagealert/resources/css/gxt-all.css HTTP/1.1" 200 152454
[23/Aug/2017:12:35:36 +0000] "GET /sagealert/sagealert/sagealert.nocache.js HTTP/1.1" 200 4925
[23/Aug/2017:12:35:36 +0000] "GET /sagealert/SageAlert.css HTTP/1.1" 200 49
[23/Aug/2017:12:35:36 +0000] "GET /sagealert/sagealert/2B32E4908E0ED7CEE2AA05A70839104B.cache.html HTTP/1.1" 200 602399
[23/Aug/2017:12:35:36 +0000] "POST /sagealert/sagealert/HandlerService HTTP/1.1" 200 2533
[23/Aug/2017:12:35:36 +0000] "POST /sagealert/sagealert/SettingsService HTTP/1.1" 200 14
[23/Aug/2017:12:35:36 +0000] "GET /sagealert/resources/images/default/window/left-corners.png HTTP/1.1" 200 200
...

But with the NginX proxy in front it stops before getting the /sagealert/sagealert/XXXX.cache.html. If I look in the Nginx logs there is also no request for the XXXX.cache.html file. An entire session looks like this in the logs and a blank page is given:

Code:

[23/Aug/2017:13:12:31 +0000] "GET /sagealert/ HTTP/1.1" 200 2264
[23/Aug/2017:13:12:31 +0000] "GET /sagealert/SageAlert.css HTTP/1.1" 200 49
[23/Aug/2017:13:12:31 +0000] "GET /sagealert/sagealert/sagealert.nocache.js HTTP/1.1" 200 4925
[23/Aug/2017:13:12:31 +0000] "GET /sagealert/resources/css/gxt-all.css HTTP/1.1" 200 152454
[23/Aug/2017:13:12:31 +0000] "GET /favicon.ico HTTP/1.1" 404 1279

Like I said, the sage/Home stuff seems to work fine. I haven't tried every single item, but I did search the EPG, add and remove a favorite and look at some of the other EPG / status pages. Any idea what Nginx is tripping over in the SageAlert and SageX pages? I uninstalled BMT trying to diagnose another issue and haven't reinstalled it, so not sure if that page works through Nginx.

EDIT: Note that to start I tried just a basic proxy_pass directive in Nginx. I have since added other things like passing of certain headers trying to see if that helped, but I have seen no change. And yes, I'm clearing my browser cache between runs.

[stuckless]

It might help if you posted your nginx proxy configurations as well. I haven't personally proxied any of those, but I'm guessing, it should work with the right settings

[KarylFStein]

Quote:

Originally Posted by stuckless

It might help if you posted your nginx proxy configurations as well. I haven't personally proxied any of those, but I'm guessing, it should work with the right settings

Here's the bit for the proxy:

Code:

server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name tv.thesteins.org;

        ssl_certificate /etc/letsencrypt/live/thesteins.org/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/thesteins.org/privkey.pem;
        ssl_trusted_certificate /etc/letsencrypt/live/thesteins.org/fullchain.pem;
        include /etc/nginx/snippets/ssl.conf;

        location / {
#               resolver 192.168.1.4;
#               proxy_http_version 1.1;
#               proxy_set_header HOST $host;
#               proxy_set_header X-Forwarded-Proto $scheme;
#               proxy_set_header X-Real-IP $remote_addr;
#               proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#               proxy_set_header Referer $http_referer;
                proxy_pass https://wsbr1.internal.thesteins.org:8443;
#               proxy_set_header Upgrade $http_upgrade;
#               proxy_set_header Connection 'upgrade';
#               proxy_cache_bypass $http_upgrade;
        }
}

I should probably put fail2ban on that now .

The commented out stuff is all the things I found on Google to try, but stripped it back to the basics for now.

One strange thing in the logs is that the source IP changes between v4 and v6. I'm not convinced that's an issue as the GET requests do receive data regardless of the IP used. I've been trying to force either v4 or v6, but the things I've found to try don't seem to work.

[KarylFStein]

Can anyone else using an Nginx front-end to SageTV confirm that it does not work for SageX or SageAlert? Or if it does post your proxy configuration? I haven't been able to figure this out.

[stuckless]

Quote:

Originally Posted by KarylFStein

Can anyone else using an Nginx front-end to SageTV confirm that it does not work for SageX or SageAlert? Or if it does post your proxy configuration? I haven't been able to figure this out.

I tend to read this in the morning before I start work, and then by the evening, I've totally forgot about it I'll try to post my conf tonight. It is different than yours, and I'm not sure if sagealert works, since I don't use that, but other stuff appears to work.

[stuckless]

So my basic proxy settings are (in proxy.conf)

Code:

client_max_body_size 10m;
client_body_buffer_size 128k;

#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;

# Basic Proxy Config
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect  http://  $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 32 4k;

Then in main conf I include proxy.conf. My conf is...

Code:

# listening on port 80 disabled by default, remove the "#" signs to enable
# redirect all traffic to https
#server {
#	listen 80;
#	server_name _;
#	return 301 https://$host$request_uri;
#}

# main server block
server {
	listen 443 ssl default_server;

	root /config/www;
	index index.html index.htm index.php;

	server_name _;

	ssl_certificate /config/keys/letsencrypt/fullchain.pem;
	ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
	ssl_dhparam /config/nginx/dhparams.pem;
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
	ssl_prefer_server_ciphers on;

	client_max_body_size 0;
    
	location / {
		auth_basic "Restricted";
		auth_basic_user_file /config/nginx/.htpasswd;
	
		try_files $uri $uri/ /index.html /index.php?$args =404;
	}

	location ~ \.php$ {
		fastcgi_split_path_info ^(.+\.php)(/.+)$;
		# With php7-cgi alone:
		fastcgi_pass 127.0.0.1:9000;
		# With php7-fpm:
		#fastcgi_pass unix:/var/run/php7-fpm.sock;
		fastcgi_index index.php;
		include /etc/nginx/fastcgi_params;
	}
	
	location ^~ /sage {
		include /config/nginx/proxy.conf;
		proxy_set_header Authorization "Basic XXXXXXXXXXXXXXXXXXX==";
		proxy_pass http://192.168.1.10:8080/sage;
	}
	
	
	location ^~ /bmt {
		include /config/nginx/proxy.conf;
		proxy_set_header Authorization "Basic XXXXXXXXXXXXXXXXXXX==";
		proxy_pass http://192.168.1.10:8080/bmt;
	}
	
	location ^~ /web {
		include /config/nginx/proxy.conf;
		proxy_pass http://192.168.1.10:32400/web;
	}

	location ^~ /ftp {
		include /config/nginx/proxy.conf;
		proxy_pass http://192.168.1.10:9999/;
	}
	


# sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp"
# notice this is within the same server block as the base
# don't forget to generate the .htpasswd file as described on docker hub
#	location ^~ /cp {
#		auth_basic "Restricted";
#		auth_basic_user_file /config/nginx/.htpasswd;
#		include /config/nginx/proxy.conf;
#		proxy_pass http://192.168.1.50:5050/cp;
#	}

}

# sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above
# notice this is a new server block, you need a new server block for each subdomain
#server {
#	listen 443 ssl;
#
#	root /config/www;
#	index index.html index.htm index.php;
#
#	server_name cp.*;
#
#	ssl_certificate /config/keys/letsencrypt/fullchain.pem;
#	ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
#	ssl_dhparam /config/nginx/dhparams.pem;
#	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
#	ssl_prefer_server_ciphers on;
#
#	client_max_body_size 0;
#
#	location / {
#		auth_basic "Restricted";
#		auth_basic_user_file /config/nginx/.htpasswd;
#		include /config/nginx/proxy.conf;
#		proxy_pass http://192.168.1.50:5050;	
#	}
#}

[KarylFStein]

Bummer, no luck. It looks like you're just proxying BMT and Sage web. Those work fine for me. It's just SageAlert and sagex that do not. Strange.

(I think I visit SageAlert once to set it up and looking at sagex in the browser is rare, so not a big deal. I'm just going through every little thing setting up my new server and curious why they don't seem to proxy.)

[KarylFStein]

OK, I figured this out, (although I didn't set out to do so). I had cobbled my Nginx configuration from things I found on the Internet and tonight was going through each setting to get a better understanding of them and tweak some things. Based on this "cobbling" I had put in the following settings:

Code:

add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

Looking at the X-Frame-Options it seemed like using SAMEORIGIN instead of DENY would be fine and fix some other things. Indeed that fixed the SageAlert issue.

The X-Content-Type-Options I think should be nosniff, but I disabled that as a test. While that fixed the SageX issue it seems like "nosniff" incompatibility could be a simple change (?).