6.0.3.1 - Broke my webserver

Not sure why we even need this if you use a VPN? I don't get ANY connections other than my own. Just glad mine still works :)
This. I can't fathom a reason why anyone would be hosting services without using ZeroTier or Tailscale.
Please do not assume (and what seemingly appears to be bashing on the fact) that just because we are using a reverse proxy, that we did not take additional security measures, or have it configured in a way so that it is not exposed to the internet.

While I cannot speak on behalf of the other folks using a reverse proxy and their configured settings... however, in my use case, items such as Home Assistant, Blue Iris, among some other in-house items, they're not explicitly exposed to the internet. They're humming away on their own virtual/physical machines, on their own VLAN network - routed to and from via an nginx reverse proxy. Yes, these services do have actual domain and subdomain names, and SSL terminated at the nginx reverse proxy, but are explicitly configured to only permit traffic from my LAN and VPN subnets to the reverse proxy. Within LAN/VPN connectivity, the domains have their own local IP addresses configured, and do not utilize a WWW/WAN based DNS resolver.

A reverse proxy, once configured correctly, removes the guesswork, changing 192.168.6.123:8080 into cctv.mydomain.tld, or 192.168.6.231:8213 and translating that into ha.mydomain.tld. Those domains, for example, all route to 192.168.6.1 and the rest goes downstream from there on. It sounds confusing, sure, it sounds time consuming, sure - but hey, this configuration simply works, and is secure (to my standards anyways). The domain names make it far easier to connect to a service without having to remember what IP and port goes to what.

There is absolutely no way that I will ever directly expose Blue Iris to the WWW. The same applies to having SSH exposed to the internet. It's poor security practice to do that.
 
@jsunjones What appears in the Blue Iris log when you attempt to do whatever is not working for you?
I don't see anything in the Blue Iris log for my connection attempts, I get 502 Bad Gateway (when accessing through HAProxy). Once I revert to 6.0.2.10 it starts working again and shows login/connected events. I've been up and down my HAProxy config with no luck.

EDIT: CORRECTION: log file does show "malformed Host header"
 
Has anyone gotten 6.0.3.2 working with nginx reverse proxy? I just upgraded from v5 today and spent way too much time trying to get this working.
No luck as of tonight... best bet is to install the latest stable 6.0.2.10 for now. Works fine with HAProxy, and I suspect with nginx. I tend to try the bleeding edge releases, but they don't always work 100 percent.
 
6.0.3.2 not working with nginx - error 502
026/02/27 08:48:08 [error] 656#656: *179917 upstream prematurely closed connection while reading response header from upstream,

I found something strange in the limit access configuration.
This is my original config and the config running:
^10.0.0.3 (my master reverse proxy)
^10.0.0.4
+192.168.2.0/24
+192.168.1.0/24

And once I did the rollback from 6.0.3.2 to 6.0.2.10 the configuration was changed this way:
^10.0.0.3
^10.0.0.4
+192.168.2.0/24
+192.168.1.0/24
-[::ffff:10.0.0.3] => my master reverse proxy is blocked !
 
Yes, the 6.0.3.2 version auto added that block to mine every time I hit the server. When I rolled back I had to go in and delete that line. I saw the same.
 
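The `::ffff:10.0.0.3` in the entry quoted above is the IPv4-mapped IPv6 form of the proxy's own address 10.0.0.3. The following added example (not Blue Iris code and not from any poster) shows how an access list that compares peers literally treats the two forms as different hosts, and how normalising first avoids that. The rule parser is hypothetical, and reading `+` as allow and `-` as block is an assumption.

```python
import ipaddress

# Constructed rule list modelled on the one in the post. Reading '+' as allow
# and '-' as block is an assumption of this sketch, not documented behaviour.
RULES = ["+10.0.0.3", "+10.0.0.4", "+192.168.2.0/24", "+192.168.1.0/24"]


def parse_addr(text, unmap=True):
    """Parse an address, dropping [brackets]; optionally unwrap ::ffff:a.b.c.d."""
    addr = ipaddress.ip_address(text.strip().strip("[]"))
    if unmap and addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_allowed(peer, rules=RULES, unmap=True):
    """First matching rule decides; a peer that matches nothing is denied."""
    addr = parse_addr(peer, unmap)
    for rule in rules:
        action, spec = rule[0], rule[1:]
        if "/" in spec:
            net = ipaddress.ip_network(spec, strict=False)
        else:
            # Single host: build a /32 (or /128) network from the parsed address.
            net = ipaddress.ip_network(str(parse_addr(spec, unmap)))
        if addr.version == net.version and addr in net:
            return action == "+"
    return False


def report(peers):
    """Return (peer, literal_match, normalised_match) for each peer."""
    return [(p, is_allowed(p, unmap=False), is_allowed(p)) for p in peers]


if __name__ == "__main__":
    # Constructed peers: the proxy as plain IPv4, the same proxy as a
    # dual-stack listener reports it, a mapped LAN client, an outside host.
    for row in report(["10.0.0.3", "::ffff:10.0.0.3",
                       "::ffff:192.168.2.50", "203.0.113.9"]):
        print(row)
```

With normalisation on, a `-[::ffff:10.0.0.3]` rule placed ahead of the allow rules also matches plain `10.0.0.3`, which is why a leftover entry of that kind has to be deleted rather than ignored.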
For a lot of people, locking their Blue Iris web server away behind a VPN is not a practical option because they want to be able to simply share a link and credentials with people to give them remote access without making anybody jump through the hoops of VPN client setup.

Yes, it absolutely should make you nervous to port forward directly to Blue Iris, and using a reverse proxy or Cloudflare tunnel or similar is not actually much better. I see it as a good thing that Blue Iris is making efforts to reduce the risks of this exposure.
Can someone explain, in simpler terms if possible, what the hosts field protects against? e.g. what requests would get denied and what requests would get permitted?
 
No luck as of tonight... best bet is to install the latest stable 6.0.2.10 for now. Works fine with HAProxy, and I suspect with nginx. I tend to try the bleeding edge releases, but they don't always work 100 percent.
Roll back works with NGINX as well. Thanks