web gui over nginx proxy only

janc1 · September 12, 2019, 8:22am

I have router which is like “syncthing server”. All my PC at home is syncing with router.

I am also running some other services on router and those are accessible over local subdomain. For example service monitorix is accesible only over address “monitorix.router.local”

So I decide to do same config for syncthing. I dont want to access syncthing web gui over “IP_of_router:8384” but over address “syncthing.router.local”

I did read https://docs.syncthing.net/users/reverseproxy.html and https://docs.syncthing.net/users/guilisten.html

here is my nginx config

server {
    listen 80;
    listen [::]:80;
    server_name syncthing.router.local;
    allow  192.168.x.x/24;
    deny   all;
    proxy_buffering off;
    error_page 403 /custom_403.html;
    location = /custom_403.html {
        root /usr/share/nginx/html;
	allow all;
    }
    location / {
        proxy_set_header Host localhost;
        proxy_pass http://localhost:8384;
    }
}

I did change GUI Listen Address to 127.0.0.1:8384. Also add new DNS config to dnsmasq. And reload dnsmasq, nginx and syncthing.

I did get error : Host check error

After while I did find out that most important is line proxy_set_header Host localhost;

Documentation is saying proxy_set_header Host $host;.

We dont want to past hostname of client to syncthing but hostname of “localhost” because web gui is accessible only from same computer. I am not sure, but I will somehow update docs to mentioned that.

janc1 · September 18, 2019, 5:46am

I forgot to mention nginx config file which is including syncthing config. So to be correct here is my nginx config:

worker_processes  auto;
events {
    worker_connections  1024;
    use epoll;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    types_hash_max_size 4096;
    server_names_hash_bucket_size 128;
    sendfile       on;
    tcp_nopush     on;
    tcp_nodelay    off;
    server_tokens off;
    keepalive_timeout  5;
    proxy_redirect     off;
    proxy_set_header   Host              $host;
    proxy_set_header   X-Real-IP         $remote_addr;
    proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header   X-Forwarded-Proto $scheme;
    proxy_max_temp_file_size 0;
    proxy_connect_timeout      90;
    proxy_send_timeout         120;
    proxy_read_timeout         120;
    proxy_buffer_size          4k;
    proxy_buffers              4 32k;
    proxy_busy_buffers_size    64k;
    proxy_temp_file_write_size 64k;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    server {
        listen       80  default_server;
        server_name  _;
        return       444;
    }
    include             /etc/nginx/sites-enabled/*;
}

Andruha · August 28, 2023, 9:49am

You helped me a lot!