-
-
Notifications
You must be signed in to change notification settings - Fork 83
Exposing Hydra to the internet and using reverse proxies
If you want your Hydra instance to be accessible from other computers I strongly recommend putting it behind a basic auth protected reverse proxy (e.g. Apache or nginx).
Make sure to include all the important headers (x-forwarded-to, x-forwarded-proto and host or x-forwarded-host). Also X-Forwarded-For to get the actual IPs of callers and x-forwarded-port if the port is not 80 or 443.
It also works best if you use the same URL base in the reverse proxy and for hydra (i.e. /nzbhydra2 as the location in nginx and as URL base in the hydra config).
<VirtualHost *:443>
#If you use a different port make sure to include it in the X-Forwarded-Host header or set X-Forwarded-Port
ServerName localhost
SSLProxyEngine On
SSLProxyCheckPeerCN off
SSLProxyCheckPeerExpire off
SSLEngine on
SSLCertificateFile /etc/conf/nzbhydra.crt
SSLCertificateKeyFile /etc/conf/nzbhydra.key
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
ProxyRequests off
ProxyPreserveHost On
RequestHeader set X-Forwarded-Proto https
#Make sure to load module remoteip
RemoteIPHeader X-Forwarded-For
RemoteIPHeader X-Real-IP
#Add missing trailing slash because otherwise you will get a 404 when calling without it
RewriteEngine on
RewriteRule ^/nzbhydra2$ /nzbhydra2/ [R]
ProxyPass /nzbhydra2/ http://127.0.0.1:5076/nzbhydra2/
ProxyPassReverse /nzbhydra2/ http://127.0.0.1:5076/nzbhydra2/
</VirtualHost>
server {
listen 443;
#If you use a different port make sure to include it in the X-Forwarded-Host header or set X-Forwarded-Port
server_name 192.168.1.111;
ssl on;
ssl_certificate nzbhydra.crt;
ssl_certificate_key nzbhydra.key;
location /nzbhydra2 {
#Use the URL base you entered in NZBHydra. If you didn't enter any use the URL up to the port,
#e.g. http://127.0.0.1:5076/nzbhydra2
#Use the same URL path as the location. Do not use a trailing slash!
proxy_pass http://127.0.0.1:5076/nzbhydra2;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header Scheme $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_redirect off;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
localhost:2015
tls self_signed # Probably Let's encrypt but that's not the focus here
proxy /nzbhydra2 127.0.0.1:5076/ {
transparent
header_upstream X-Forwarded-Host {host}
}
rewrite / {
#Rewrite URLs without trailing slash
regexp ^/nzbhydra2$
to /nzbhydra2/
}
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: nzbhydra-ingress-https
namespace: nzbhydra
spec:
entryPoints:
- websecure
routes:
- match: Host(`nzbhydra.example.com`)
kind: Rule
priority: 10
services:
- name: nzbhydra-service
port: 5076
Assuming you have configured the ingress with HTTPS (like in the example above) but are proxying requests to Nzbhydra in your docker / kubernetes cluster which are just listening on HTTP. You will see '400 bad request' errors. You need to tell Traefik to forward the x-forwarded- headers to the destination:
additionalArguments:
- --entryPoints.web.proxyProtocol.insecure
- --entryPoints.web.forwardedHeaders.insecure
In the main settings set your "URL base" to "/nzbhydra2" if you used a path in the reverse proxy. Leave it empty if you don't (for example "ProxyPass / http://127.0.0.1:5076/", which is unusual).
If you have selected to add NZBs to downloaders by sending links make sure that you call Hydra using an address that is reachable by the downloader.