Exposing Hydra to the internet and using reverse proxies

theotherp edited this page Jan 17, 2018 · 17 revisions

If you want your Hydra instance to be accessible from other computers, I strongly recommend putting it behind a basic-auth-protected reverse proxy (e.g. Apache or nginx).

Apache

<VirtualHost *:4001>
	ServerName localhost
	SSLProxyEngine On
	SSLProxyCheckPeerCN off
	SSLProxyCheckPeerExpire off
	SSLEngine on
	SSLCertificateFile /etc/conf/nzbhydra.crt
	SSLCertificateKeyFile /etc/conf/nzbhydra.key
	SSLProtocol all -SSLv2 -SSLv3
	SSLHonorCipherOrder On
	#RC4 suites are excluded: RC4 is prohibited in TLS by RFC 7465
	SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

	ProxyRequests off
	ProxyPreserveHost On
	RequestHeader set X-Forwarded-Proto https
	#Make sure to load module remoteip
	RemoteIPHeader X-Forwarded-For
	RemoteIPHeader X-Real-IP
	#Set to the port of the VirtualHost
	RequestHeader set X-Forwarded-Port 4001
	#Add missing trailing slash because otherwise you will get a 404 when calling without it
	RewriteEngine on
	RewriteRule ^/nzbhydra2$ /nzbhydra2/ [R] 

	ProxyPass /nzbhydra2/ http://127.0.0.1:5076/nzbhydra2/
	ProxyPassReverse /nzbhydra2/ http://127.0.0.1:5076/nzbhydra2/
</VirtualHost>

Make sure to include all the important headers (x-forwarded-to, x-forwarded-proto and host or x-forwarded-host). Also include X-Forwarded-For to get the actual IPs of callers, and x-forwarded-port if the port is not 80.

nginx

server {
	#The "ssl" parameter of listen enables TLS; the separate "ssl on;" directive is obsolete
	listen       4000 ssl;
	#If you use a different port make sure to include it in the X-Forwarded-Host header
	server_name  yourdomain;
	ssl_certificate      nzbhydra.crt;
	ssl_certificate_key  nzbhydra.key;

	location /nzbhydra2 {
		proxy_pass http://127.0.0.1:5076/nzbhydra2/;
		proxy_set_header        X-Real-IP			$remote_addr;
		proxy_set_header        Host				$host;
		proxy_set_header        Scheme				$scheme;
		proxy_set_header        X-Forwarded-For		$proxy_add_x_forwarded_for;
		proxy_set_header        X-Forwarded-Proto	$scheme;
		proxy_set_header        X-Forwarded-Host	$host:4000; #It's important to include the port if it's != 80 or set x-forwarded-port
		proxy_redirect off;
		#You might want to read https://serverfault.com/questions/314574/nginx-real-ip-header-and-x-forwarded-for-seems-wrong/414166#414166 to get the actual real IPs
	}
}
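
The nginx block above proxies requests without the basic auth recommended at the top of this page. The following is an added example, not part of the original wiki page, showing the same server block with HTTP basic auth enforced by nginx and old TLS versions disabled. The realm text and the password file path `/etc/nginx/nzbhydra.htpasswd` are assumptions.

```nginx
server {
	# The "ssl" parameter enables TLS on this port
	listen       4000 ssl;
	server_name  yourdomain;
	ssl_certificate      nzbhydra.crt;
	ssl_certificate_key  nzbhydra.key;
	# Refuse SSLv3, TLS 1.0 and TLS 1.1
	# (TLSv1.3 only takes effect when nginx is built against OpenSSL 1.1.1 or newer)
	ssl_protocols        TLSv1.2 TLSv1.3;

	location /nzbhydra2 {
		# nginx checks the credentials before anything is proxied to Hydra.
		# Realm text and file path are assumptions; create the file with
		#   htpasswd -c /etc/nginx/nzbhydra.htpasswd <username>
		auth_basic           "NZBHydra";
		auth_basic_user_file /etc/nginx/nzbhydra.htpasswd;

		# Proxy settings are unchanged from the block above
		proxy_pass http://127.0.0.1:5076/nzbhydra2/;
		proxy_set_header        X-Real-IP			$remote_addr;
		proxy_set_header        Host				$host;
		proxy_set_header        Scheme				$scheme;
		proxy_set_header        X-Forwarded-For		$proxy_add_x_forwarded_for;
		proxy_set_header        X-Forwarded-Proto	$scheme;
		proxy_set_header        X-Forwarded-Host	$host:4000;
		proxy_redirect off;
	}
}
```

Basic auth sends the credentials with every request, so keep this location on the TLS listener only.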

Caddy

localhost:2015
tls self_signed # Probably Let's Encrypt but that's not the focus here
proxy /nzbhydra2 127.0.0.1:5076/ {
	transparent
	header_upstream X-Forwarded-Host {host}
}
rewrite / {
	#Rewrite URLs without trailing slash
	regexp ^/nzbhydra2$ 
	to /nzbhydra2/
}

In the main settings set your "URL base" to "/nzbhydra2" if you used a path in the reverse proxy. Leave it empty if you don't (for example "ProxyPass / http://127.0.0.1:5076/", which is unusual).

If you have selected to add NZBs to downloaders by sending links, make sure that you call Hydra using an address that is reachable by the downloader.