chorus2
chorus2 copied to clipboard
xbmc
Document alternative methods of accessing Chorus (Reverse proxy, port forwarding, via addons path, etc)
Whilst there are configuration to "Enable Reverse Proxy Support" because of the use of web sockets standard configurations do not appear to work for this.
Would it be possible to update the readme or wiki for this project to include suggested configurations for common server such as nginx and apache.
I seem to remember some versions of apache do not support websocket proxy.
This site becomes much more useful when available outside the home, particularly if it can be access securely over SSL which could be achieved with the proxy
For example I found the following is close but does not get the streaming working, Something needs to be corrected with the vfs path. Furthermore image paths could probably be redirected properly by someone who knows how to write rewrite rules.
location /kodi {
rewrite ^/kodi$ https://home.example.com/kodi/ permanent;
rewrite ^/kodi/(.*) /$1 break;
proxy_redirect http://localhost:5555 /kodi/;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_pass http://localhost:5555;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location /image
{
proxy_pass http://localhost:5555;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location /vfs
{
proxy_pass http://localhost:5555;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location /jsonrpc
{
proxy_pass http://localhost:5555;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
I'd be interested in that too! Trying the same with Nginx - so that it is possibly to use my HTTPS-Webserver from outside the LAN.
If anyone wants to submit some nice documentation on how to do this I will gladly add it to the help section in Chorus. Ideally configuration settings for Nginx, Apache & IIS
Hi @jez500, I also created a ticket with Kodi and they say that it is something you need to add to the web service.
We actually store the HTTP (or any other paths) we got the image from in case we want to refresh it at some point. To make it accessible we add the "image://" VFS protocol in front of it to know that it's a cached image. Webinterfaces and other remotes that want to access these images over the webserver need to URL-encode the whole image:// path which already encodes all the remaining slashes etc. So Chorus2 needs to add that URL encoding step to be fully compatible with how it should be.
I'm pretty close for nginx but don't really understand the rewrite rules so have asked the question in a couple of places that will hopefully yield answers and I'll get back to you if i get it working properly.
http://stackoverflow.com/questions/40704417/nginx-reverse-proxy-config-for-kodi-rewrite-rule
https://forum.nginx.org/read.php?11,271074
I've eventually worked out that requests passed to nginx as home.example.com/kodi/vfs/%2fmedia%2fVirtual%2fVideos%2fMovies%2f10_Items_or_Less.%5b2006%5d.avi get passed to the server as /vfs/media/Virtual/Videos/Movies/10_Items_or_Less.[2006].avi which fails
but somehow requests passed to nginx as https://home.example.com/vfs/%2fmedia%2fVirtual%2fVideos%2fMovies%2f10_Items_or_Less.%5b2006%5d.avi gets passed to the kodi webserver as /vfs/%2fmedia%2fVirtual%2fVideos%2fMovies%2f10_Items_or_Less.%5b2006%5d.avi
which works.... so somehow its unencodeing the vfs path, but the rewrite rule is passing it to the correct place
I have it for nginx, I must have tried hundreds of configurations and manuals etc. But finally I have it working.
location /kodi{
rewrite ^ $request_uri;
rewrite ^/kodi/(.*) /$1 break;
proxy_redirect http://localhost:5555 /kodi/;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_pass http://localhost:5555$uri;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location /image
{
proxy_pass http://localhost:5555;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location /jsonrpc
{
proxy_pass http://localhost:5555;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
I may raise a request to make the references to jsonrpc and image/ relative so that the second two blocks are not required
Nicely done.
I'm sure I'm not the only one who would like SSL support (HTTP/2 would be ideal). ;)
Hey @lozbrown
When I try to use your configuration from November 25th, it just gives me an error 500 when I go to www.mydomain.com/kodi
My setup in nginx for /kodi /image /jsonrpc is exactly as yours, except I use port 8585 instead so I just replaced 5555 with 8585. Do you know if I've done anything wrong?
Hello, I'm trying to do this as well and I can't find a way to do it. Anyone know a way? @lozbrown your config gave me the same error as @Drsela.
Thanks for any help.
@lozbrown, This probably wasn't available when you posted your config but there is reverse proxy support now.
Settings -> Web interface -> Reverse proxy support
If enabled, /jsonrpc and /image locations aren't needed (doesn't seem to work?). Alternatively the 2 locations can be combined to save some typing.
location ~ ^/(image|jsonrpc) {
proxy_pass http://localhost:5555;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
@Drsela, @Zelaf, your 500 errors are likely due to no trailing slash in your URL.
Instead of:
www.mydomain.com/kodi
try:
www.mydomain.com/kodi/
Alternatively, you can add another rewrite rule to add trailing slash.
...
rewrite ^ $request_uri;
rewrite ^([^.]*[^/])$ $1/ permanent;
rewrite ^/kodi/(.*) /$1 break;
...
@war59312, you should be able to use standard method to enabled SSL in nginx. As for WebSocket over HTTP/2.0, my understanding is it is not yet supported (pending RFC?).
To wrap everything up, here is a mostly complete example with trailing slash rewrite and SSL support.
upstream kodi {
server my-kodi-server:8080;
keepalive 512;
}
# Redirect http -> https
server {
listen 80;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name 192.168.1.100 kodi kodi.tld.org;
# Do SSL stuff...
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
ssl_session_timeout 5m;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
# Optionally add basic auth
auth_basic "Authorization Restricted";
auth_basic_user_file /etc/nginx/.htpasswd;
locaton /kodi {
rewrite ^ $request_uri;
rewrite ^([^.]*[^/])$ $1/ permanent;
rewrite ^/kodi/(.*) /$1 break;
proxy_redirect http://kodi /kodi/;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_pass http://kodi$uri;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
# _Shouldn't_ need this if you turned on proxy headers? (Settings -> Web interface -> Reverse proxy support)
location ~ ^/(image|jsonrpc) {
proxy_pass http://kodi;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
Thanks again @lozbrown!
EDIT: commas should be spaces in server_name
HUGE thanks for this @druchoo but can you edit everything that needs to be edited with something like "edit-this" as a place holder because when setting it up I only got to the nginx on debian page.
Thanks again.
EDIT: found out why, was being stupid, do you know how to make it on root and not on /kodi ?
@Zelaf, Unless you want SSL and/or want to change the port (<=1024) then you really don't need nginx.
Nevertheless, here's a solution (most likely can be done better) which should work:
...
location / {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_pass http://kodi$uri;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location ~ ^/(image|jsonrpc) {
proxy_pass http://kodi;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
..
Thanks for the config @druchoo but I can't connect to the websocket for some reason, know why?
Thanks.
@druchoo I tested adding that setting this morning and removing my location settings for image and jsonrpc and it simply didn't work, I didn't get much time to investigate so added in your neater combined config, thanks for that.
One question, are you sure server_name needs the commas between names? I've found space separated examples.
@Zelaf, Hmm not sure. Seemed to work before but not now.
@lozbrown, my mistake. commas should be spaces (previous comment edited). And yea, 'Reverse proxy support' seemed to work before but not now.
Either something was cached or I just totally screwed up my testing for those 2 cases.
@druchoo I'm, pretty sure it worked in the original chorus but not chorus 2, hence why i raised https://github.com/xbmc/chorus2/issues/140 which is all that's really required to make this work
@druchoo
Thanks, that did the trick! I also enabled reverse proxy support within the web interface and still used the image and jsonrpc paths just to be sure. Everything is working flawlessy :)
@druchoo Now I'm not getting web socket on the /kodi config and the / config... Am I missing something?
Also the first config has a typo
locaton /kodi {
instead of
location /kodi {
Hi, thanks for the configs, but i can't get the websocket to work.
config:
upstream kodi {
server 192.168.1.155:8080;
}
server {
listen 80;
location / {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_pass http://kodi$uri;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location ~ ^/(image|jsonrpc) {
proxy_pass http://kodi;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
Error - Console output:
WebSocket connection to 'ws://home:9090/jsonrpc?kodi' failed: Error in connection establishment: net::ERR_CONNECTION_REFUSED
After adding following lines, it takes longer to take a timeout error, see: 1. pending 2. TimeOut
server {
listen 9090;
location / {
access_log off;
proxy_pass http://192.168.1.155:9090;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# WebSocket support (nginx 1.4)
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
Thank you.
Regards,
Klaus
I cant get it to work, this is my nginx reverse file? can anyone tell me what i need to edit?
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name xxx 10.3.1.2;
return 301 https://$server_name$request_uri;
}
server {
# SSL configuration
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
include /etc/nginx/snippets/strong-ssl.conf;
ssl_certificate /etc/letsencrypt/live/xxx/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/xxx/privkey.pem;
error_log /var/log/nginx/xxx.error.log;
# Root location
root /var/www/html;
# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;
# Basic Auth to protect the site
# auth_basic "Restricted";
auth_basic_user_file /etc/nginx/.htpasswd;
# Change the client side error pages (4xx) to prevent some information disclosure
error_page 401 403 404 /404.html;
# First attempt to serve request as file, then as directory,
# then fall back to displaying a 404.
# location / {
# try_files $uri $uri/ =404;
# }
# Deny access to .htaccess files, if Apache's document
# root concurs with nginx's one
location ~ /\.ht {
deny all;
}
# Let's Encrypt Webroot plugin location -- allow access
location ^~ /.well-known/acme-challenge/ {
auth_basic off;
autoindex on;
}
# Location settings for reverse proxy; enable those you wish to use
# by removing the # from the section between the location line and the last }
# SABnzb
location /sabnzb {
proxy_pass http://127.0.0.1:9190;
proxy_redirect default;
}
# Sonarr
location /sonarr {
proxy_pass http://127.0.0.1:8989;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# Radarr
location /radarr {
proxy_pass http://127.0.0.1:7878;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# Homeassistant
location / {
proxy_pass http://localhost:8123;
proxy_set_header Host $host;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
# Homeassistant websocket
location /api/websocket {
proxy_pass http://localhost:8123/api/websocket;
proxy_set_header Host $host;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
# Kodi
location /kodi{
rewrite ^ $request_uri;
rewrite ^/kodi/(.*) /$1 break;
proxy_redirect http://localhost:8180 /kodi/;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_pass http://localhost:5555$uri;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
Bumping this up, as I would need a reverse proxy for Kodi but using LE certs in nginx. Actually I only need it to enable remote https access to my Kodi boxes to be able to connect Sonarr/Radarr notifications (to trigger a library update). I guess I don't need websocket port for that. Any help would be appreciates. Running LE 9.0.2 on Rpi.
I feel this issue can be solved pretty easily, kodi needs a configuration value for the internal port (which it has) and an external port (which is needs). The host value is there already the rest is a configuration in haproxy / nginx / apache
Here is a setup (mine but you can extrapolate to something else)
- I run HAProxy on port 443 and 80
- I evaluate a set of SNI host entries for backend route for 443 and a few hostname entries on 80 for backends
- I want to add my custom acl in HAproxy to look for the upgrade header for websockets and add it to a new route for my kodi instance based on the SNI name and the websocket custom acl to point to a different backend (the kodi_websocket port 9090) and not kodi (the webserver 8080)
If the UI would honor the websocket connections based on the configured external hostname and port (not the internal one) this solution would just work with any configuration or reverse proxy.
Here is my nginx config which works fine so far. hope this helps.
#
# Kodi Web
#
location /kodi {
rewrite ^ $request_uri;
rewrite ^/kodi/(.*) /$1 break;
proxy_redirect http://KODI_IP:8080 /kodi/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_pass http://KODI_IP:8080$uri;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
location /kodi/jsonrpc
{
rewrite ^/kodi/(.*) /$1 break;
proxy_pass http://KODI_IP:8080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location /kodi/image
{
rewrite ^ $request_uri;
rewrite ^/kodi/(.*) /$1 break;
proxy_pass http://KODI_IP:8080$uri;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
Hi,
Trying to configure nginx for the same purpose. Copied ileodo's config in my file, but still getting the 404 for jsonrpc and images. Is it normal to have the /kodi/jsonrpc under /kodi and not at the same level?
Or does kodi needs to be configured in a special way?
I assume you asked it to me ;-)
this is what my file looks like
server {
listen 80;
location /kodi {
rewrite ^ $request_uri;
rewrite ^/kodi/(.*) /$1 break;
proxy_redirect http://192.168.1.12:8080 /kodi/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_pass http://192.168.1.12:8080$uri;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
location /kodi/jsonrpc
{
rewrite ^/kodi/(.*) /$1 break;
proxy_pass http://192.168.1.12:8080;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location /kodi/image
{
rewrite ^ $request_uri;
rewrite ^/kodi/(.*) /$1 break;
proxy_pass http://192.168.1.12:8080$uri;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
}
Hi, Sorry for my late reply. Didn't see your last comment.
Yes, option is active in Web ui.
After several attemps, I tried your config again, which gives this :
upstream KODI_IP {
server 192.168.1.2:8080;
}
# Redirect http -> https
server {
if ($host = mydomain.abc.org){
return 301 https://$host$request_uri;
}
listen 8080;
server_name mydomain.abc.org;
return 404;
}
server {
listen 443 ssl;
server_name mydomain.abc.org;
# Do SSL stuff...
ssl_certificate /etc/letsencrypt/live/mydomain.abc.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/mydomain.abc.org/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
location /kodi {
rewrite ^ $request_uri;
rewrite ^/kodi/(.*) /$1 break;
proxy_redirect http://KODI_IP /kodi/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_pass http://KODI_IP$uri;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
location /kodi/jsonrpc {
rewrite ^/kodi/(.*) /$1 break;
proxy_pass http://KODI_IP;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
location /kodi/image {
rewrite ^ $request_uri;
rewrite ^/kodi/(.*) /$1 break;
proxy_pass http://KODI_IP$uri;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
}
But browsers keep giving the following messages:
Firefox can’t establish a connection to the server at wss://mydomain.abc.org:9090/jsonrpc?kodi.
The following setup works well, except for the WebSocket situation:
server { # Kodi Chorus2
server_name <SERVER_NAME>;
listen 443 ssl;
listen [::]:443 ssl;
location ~ ^/(image|vfs)/ {
proxy_pass http://<UPSTREAM>;
}
location / {
proxy_pass http://<UPSTREAM>/;
}
# Proxy Settings
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Script-Name /; # Same from root "location" above
proxy_redirect off;
# WebSockets
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
# Basic Authentication
auth_basic "<UPSTREAM-NAME>";
auth_basic_user_file <SERVER_NAME>.auth;
# Logging
# - Write per-host logs, on the usual location
# - gzip the logs
# - Flush every 1h, losing logs is fine by me
access_log /var/log/nginx/<SERVER_NAME>.log.gz combined gzip flush=1h;
# TLS
ssl_certificate /etc/letsencrypt/live/<SERVER_NAME>/fullchain.pem;
ssl_trusted_certificate /etc/letsencrypt/live/<SERVER_NAME>/chain.pem;
ssl_certificate_key /etc/letsencrypt/live/<SERVER_NAME>/privkey.pem;
}
-
<UPSTREAM>: Kodi server @ LAN (includes port) -
<SERVER_NAME>: External Hostname -
UPSTREAM-NAME>: Basic Auth to protect the juicy Kodi API. Don't just expose Chorus2 to the web publicly.
