tvheadend over https

Added by Martin Bednar about 6 years ago

Hi, this is basically a post of my config for tvheadend forwarded through nginx.

Why? Well, because I like having my to be available through the interwebs, and also know that HTTPAuth is plaintext. I also am of the opinion that SSL support is very out of scope for tvheadend.

So here goes: generate your SSL stuff (namely the key file and the certificate file). Self-signed certificates are out of scope here.
To generate a CSR and a keyfile:

        openssl req -newkey rsa:4096 -subj "/CN=<your server's address here>" -nodes -keyout <filename for your private key> -out <filename for the CSR>

I am going to assume that all SSL-related files are in /etc/ssl/nginx/.
Another assumption is that tvheadend is running on the same box as the server.
The nginx server section follows (for the rest of the nginx.conf, find other tutorials ;) ):
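        server {
                # "ssl" is required here; without it nginx serves plain HTTP on port 443
                listen 443 ssl;
                server_name tv.example.com;
                # certificate and private key from the step above
                ssl_certificate /etc/ssl/nginx/tv.example.com.crt;
                ssl_certificate_key /etc/ssl/nginx/tv.example.com.key;
                location / {
                        # tvheadend web UI on the same box
                        proxy_pass http://127.0.0.1:9981;
                }
        }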

What doesn't work? Network authentication: as nginx always calls in from 127.0.0.1, authenticating by source IP is no longer possible for the webui.
Pure HTSP forwarding with this setup is, one, untested, and two, will most likely not work, since HTSP clients don't expect HTTP headers.

Here's to hoping someone finds this useful :)


Replies (12)

RE: tvheadend over https - Added by Alex A about 6 years ago

Hi, have you tested this with an HTTP client (like tvhclient)?

For HTSP you could do an ssh tunnel between the backend and frontend, and point the HTSP client to connect on localhost (meaning it goes through the tunnel).

RE: tvheadend over https - Added by Martin Bednar about 6 years ago

Indeed, tunneling over ssh is another option; tunneling through Apache (which supports blind proxying) is another.
For purists, setting up a VPN between the two hosts will work too :)

Haven't tried any other clients than the web interface, didn't know there were applications out there using the HTTP API. (tvhclient is the Android client, right?)

RE: tvheadend over https - Added by Guillaume DC almost 6 years ago

Hi, it works for me. Look at this thread for my nginx parameters:
https://tvheadend.org/boards/4/topics/20555

And you'll have very good SSL security with it.

Indeed, tvh always sees 127.0.0.1 as the client, so you can't use the tvh ACL. So I launch tvh with "--noacl" and I'm using htpasswd for the nginx vhost.

RE: tvheadend over https - Added by Martin Bednar almost 6 years ago

Nice :)

I didn't know about the X-REAL-IP header... This could be something for a feature request

RE: tvheadend over https - Added by Guillaume DC almost 6 years ago

Yes, at this moment it's not possible to make real_IP work, because we can't modify the tvh built-in web server. So yes, feature request :)

RE: tvheadend over https - Added by Alexandre Boilley over 4 years ago

Hello,

Sorry to dig up this post but I don't think my request needs another thread.

I am also trying to access tvh over the internet. Tvh is running on a Wetek Play 2 with Kodi Krypton.
I've tried the nginx configuration, which seems to be working IF the server is on the same machine!
My problem is, I have another server running on a Rpi which I don't want to stop, and my internet box does not allow generating a second dynDNS access. So I basically want to access tvh through an nginx location.

When using the nginx configuration given by Guillaume in his thread, the only answer I get is the tvh favicon and an empty page.
Here is my nginx configuration:

        upstream tomcat {
                server 192.168.1.50:8083;
        }
        server {
                listen 80;
                server_name example.com;
                location / {
                        proxy_pass http://tomcat/;
                        proxy_set_header Host $http_host;
                        auth_basic "Restricted";
                        auth_basic_user_file /home/.htpasswd;
                }
                location ~ \.php$ {
                        fastcgi_split_path_info ^(.+\.php)(/.+)$;
                        fastcgi_pass unix:/var/run/php5-fpm.sock;
                        fastcgi_index index.php;
                        include fastcgi_params;
                }
                location /tv {
                        proxy_pass http://192.168.1.78:9981/;
                        proxy_redirect off;
                        proxy_set_header Host $host;
                        proxy_set_header X-Real-IP $remote_addr;
                        proxy_set_header X-Forwarded-For $remote_addr;
                }
        }

I don't get what can be the problem. Any idea?

RE: tvheadend over https - Added by Alex A over 4 years ago

Try

location ~ /tv {

and then http://example.com/tv

RE: tvheadend over https - Added by Alexandre Boilley over 4 years ago

Thank you but it doesn't work. Nginx doesn't support URI in a proxy_pass in this case.

Restarting nginx: nginx: [emerg] "proxy_pass" cannot have URI part in location given by regular expression, or inside named location, or inside "if" statement,
or inside "limit_except" block
nginx: configuration file /etc/nginx/nginx.conf test failed

RE: tvheadend over https - Added by Alex A over 4 years ago

Sorry for the bad suggestion. I see the problem now, the location /tv actually translates to accessing tvheadend as example.com:9981/tv, which it doesn't recognize as there is no such path for it, it only wants /.

RE: tvheadend over https - Added by Alexandre Boilley over 4 years ago

Sorry, I had no time to look at this this weekend, but as far as I understand nginx, the trailing / at the end of the proxy_pass should replace the part of the original URI matched by the location.

RE: tvheadend over https - Added by Alexandre Boilley over 4 years ago

I failed to find a solution for this problem using a location in nginx.
So I opened a port on my box and generated another server block, listening on this port. With this configuration I have no problem.

In my opinion the php block in my first config generates the problem.

Thank you for your help.

RE: tvheadend over https - Added by Laclaro Laclaro about 4 years ago

I spent some time to finally find a solution here: https://github.com/tvheadend/tvheadend/blob/master/docs/markdown/faqs.md#q-access-tvheadend-through-http-proxy

Just add "--http_root /tv" (the equal sign is wrong there) to the start options in /etc/init.d/tvheadend on your box. The line in my file reads now

ARGS="--http_root /tv -f"

Magic!

It is also mentioned in the SSL thread linked here: https://tvheadend.org/boards/4/topics/20555
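
An added example, not part of the original posts or of the tvheadend documentation: one nginx configuration that combines the points from this thread (TLS termination, authentication in nginx, and a /tv sub-path that works once tvheadend is started with --http_root /tv). The hostname, certificate paths and backend address are reused from the configs above; the htpasswd path is an assumption.

```nginx
# Assumes tvheadend was started with: --http_root /tv
# so it serves its UI and API under /tv instead of /.

# Plain HTTP only redirects, so basic-auth credentials never
# travel unencrypted.
server {
    listen 80;
    server_name tv.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;                 # "ssl" turns on TLS for this socket
    server_name tv.example.com;

    ssl_certificate     /etc/ssl/nginx/tv.example.com.crt;
    ssl_certificate_key /etc/ssl/nginx/tv.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location /tv {
        # tvheadend only ever sees the proxy's address, so its
        # IP-based ACL is useless here; authenticate in nginx.
        auth_basic           "Restricted";
        auth_basic_user_file /etc/nginx/tvheadend.htpasswd;  # assumed path

        # No URI part after the port: the request path (/tv/...) is
        # passed through unchanged and matches --http_root /tv.
        proxy_pass http://192.168.1.78:9981;

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Live streams are long-running responses; pass them through
        # instead of buffering them in the proxy.
        proxy_buffering off;
    }
}
```

If tvheadend runs with --noacl as described earlier in the thread, anything that can reach port 9981 directly bypasses the nginx authentication, so restrict that port to the proxy host with a firewall rule.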
