Exposing Hydra to the internet and using reverse proxies

theotherp edited this page Sep 20, 2023 · 17 revisions

If you want your Hydra instance to be accessible from other computers I strongly recommend putting it behind a basic auth protected reverse proxy (e.g. Apache or nginx).

Make sure to include all the important headers (x-forwarded-to, x-forwarded-proto and host or x-forwarded-host). Also set X-Forwarded-For so that Hydra sees the actual IPs of callers, and x-forwarded-port if the port is not 80 or 443. It also works best if you use the same URL base in the reverse proxy and in Hydra (i.e. /nzbhydra2 as the location in nginx and as the URL base in the Hydra config).

Apache

<VirtualHost *:443>
	#If you use a different port make sure to include it in the X-Forwarded-Host header or set X-Forwarded-Port
	ServerName localhost
	SSLProxyEngine On
	SSLProxyCheckPeerCN off
	SSLProxyCheckPeerExpire off
	SSLEngine on
	SSLCertificateFile /etc/conf/nzbhydra.crt
	SSLCertificateKeyFile /etc/conf/nzbhydra.key
	#Only TLS 1.2 and newer, and no RC4 in the cipher list
	SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
	SSLHonorCipherOrder On
	SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

	ProxyRequests off
	ProxyPreserveHost On
	RequestHeader set X-Forwarded-Proto https
	#Make sure to load module remoteip
	RemoteIPHeader X-Forwarded-For
	RemoteIPHeader X-Real-IP
	#Add missing trailing slash because otherwise you will get a 404 when calling without it
	RewriteEngine on
	RewriteRule ^/nzbhydra2$ /nzbhydra2/ [R] 

	ProxyPass /nzbhydra2/ http://127.0.0.1:5076/nzbhydra2/
	ProxyPassReverse /nzbhydra2/ http://127.0.0.1:5076/nzbhydra2/
</VirtualHost>

nginx

server {
	listen       443 ssl;
	#If you use a different port make sure to include it in the X-Forwarded-Host header or set X-Forwarded-Port
	server_name  192.168.1.111;
	ssl_certificate      nzbhydra.crt;
	ssl_certificate_key  nzbhydra.key;

	location /nzbhydra2 {
		#Use the URL base you entered in NZBHydra. If you didn't enter any use the URL up to the port,
		#e.g. http://127.0.0.1:5076/nzbhydra2
		#Use the same URL path as the location. Do not use a trailing slash!
		proxy_pass http://127.0.0.1:5076/nzbhydra2;
		proxy_set_header        X-Real-IP           $remote_addr;
		proxy_set_header        Host                $host;
		proxy_set_header        Scheme              $scheme;
		proxy_set_header        X-Forwarded-For     $proxy_add_x_forwarded_for;
		proxy_set_header        X-Forwarded-Proto   $scheme;
		proxy_set_header        X-Forwarded-Host    $host;
		proxy_redirect off;
		#Pass WebSocket upgrade requests through to Hydra
		proxy_http_version 1.1;
		proxy_set_header        Upgrade             $http_upgrade;
		proxy_set_header        Connection          "upgrade";
	}
}

Caddy

localhost:2015
tls self_signed # Probably Let's encrypt but that's not the focus here
proxy /nzbhydra2 127.0.0.1:5076/ {
	transparent
	header_upstream X-Forwarded-Host {host}
}
rewrite / {
	#Rewrite URLs without trailing slash
	regexp ^/nzbhydra2$ 
	to /nzbhydra2/
}

Traefik

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: nzbhydra-ingress-https
  namespace: nzbhydra
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`nzbhydra.example.com`)
      kind: Rule
      priority: 10
      services:
        - name: nzbhydra-service
          port: 5076

If you have configured the ingress with HTTPS (as in the example above) but proxy requests to an NZBHydra instance in your Docker / Kubernetes cluster that only listens on HTTP, you will see '400 bad request' errors. You need to tell Traefik to forward the x-forwarded- headers to the destination. Note that the insecure options below make Traefik accept these headers from any source:

additionalArguments:
  - --entryPoints.web.proxyProtocol.insecure
  - --entryPoints.web.forwardedHeaders.insecure

General

In the main settings set your "URL base" to "/nzbhydra2" if you used a path in the reverse proxy. Leave it empty if you don't (for example "ProxyPass / http://127.0.0.1:5076/", which is unusual).

If you have selected to add NZBs to downloaders by sending links make sure that you call Hydra using an address that is reachable by the downloader.
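
The following is an added sketch, not NZBHydra2's own code, of how an application behind one of the proxies above can turn the forwarded headers and the URL base into the base URL of the links it generates, and why it should honour those headers only when they come from the proxy's address. The function names, the trusted proxy address 127.0.0.1 and the sample host name are assumptions.

```python
import ipaddress

# Assumption: the reverse proxy runs on the same host, as in the configs above.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample: headers as the nginx location block would send them.
SAMPLE = {"Host": "hydra.example.org", "X-Forwarded-Proto": "https",
          "X-Forwarded-Host": "hydra.example.org",
          "X-Forwarded-For": "203.0.113.7"}


def is_trusted(peer_ip):
    """True if the TCP peer is a proxy allowed to supply X-Forwarded-* headers."""
    return any(ipaddress.ip_address(peer_ip) in net for net in TRUSTED_PROXIES)


def first(value):
    """First entry of a comma-separated header value, or None if absent."""
    return value.split(",")[0].strip() if value else None


def external_base_url(peer_ip, headers, url_base="", listen_scheme="http"):
    """Base URL for generated links, e.g. NZB links handed to a downloader."""
    h = {k.lower(): v for k, v in headers.items()}
    scheme, host, port = listen_scheme, h.get("host", "localhost"), None
    if is_trusted(peer_ip):
        scheme = (first(h.get("x-forwarded-proto")) or scheme).lower()
        host = first(h.get("x-forwarded-host")) or host
        port = first(h.get("x-forwarded-port"))
    if scheme not in DEFAULT_PORTS:
        scheme = listen_scheme  # ignore malformed scheme values
    # Add the port only when the host has none and it is not the default.
    if port and port.isdecimal() and ":" not in host \
            and int(port) != DEFAULT_PORTS[scheme]:
        host = f"{host}:{port}"
    return f"{scheme}://{host}{url_base.rstrip('/')}"


def client_ip(peer_ip, headers):
    """Caller IP: X-Forwarded-For counts only when a trusted proxy sent it."""
    h = {k.lower(): v for k, v in headers.items()}
    entries = [e.strip() for e in h.get("x-forwarded-for", "").split(",")]
    entries = [e for e in entries if e]
    if not is_trusted(peer_ip) or not entries:
        return peer_ip
    # $proxy_add_x_forwarded_for appends the address nginx saw, so only the
    # last entry is vouched for by the proxy; earlier ones are client-supplied.
    return entries[-1]
```

With the forwarded headers missing, the same call falls back to the Host header and the listening scheme, which is how a link can end up pointing at an address the downloader cannot reach.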
