matt1309 asked

Nginx reverse proxy

Hi,


Does anyone have an example nginx config that has a reverse proxy setup for the Cerbo GX web UI/Venus OS web UI?


I understand we can access the information via VRM online; however, I'd quite like to also include it on my own website via a reverse proxy, i.e. solar.mydomain.com or mydomain.com/solar, if root directory is required.


Thanks,

Matt.


7 Answers
pau1phi11ips answered ·

I'd be very wary of putting Venus on the web like that. The secure Remote Access tunnel via VRM is the way to go.

If you just want to display some of your data then there's the VRM API: https://docs.victronenergy.com/vrmapi/overview.html

matt1309 answered ·

Thanks for the heads up.

I'd also put it behind additional security (I use authentik SSO); I was hoping to use that with it rather than sharing my Victron password or asking family to create Victron accounts.


Maybe the API is my best option then. Shame it means I'll be relying on someone else's cloud.




3 comments

matt1309 commented ·
I can see it's difficult to do with the Venus OS webserver using ws instead of wss for the connection, so I think you're right: it's not possible without a lot of leg work, and I'd be better off extracting the data on the LAN or via the API and posting it on my own webserver rather than reverse proxying to the Venus OS webserver.



pau1phi11ips commented ·

If you didn't want to rely on VRM, you can also extract data via MQTT on the local LAN. I've seen posts from people doing this with Home Assistant: https://community.victronenergy.com/questions/63997/home-assitant-integration-with-victron.html

matt1309 (replying to pau1phi11ips) commented ·

Thanks Paul.

That does sound like the best option. Seen a few posts using Influx/Grafana. It's a shame because the Venus UI is really nice haha. I'll just have to get creative and try to copy it.


I had another look in Venus OS; I can see the files connecting to ws://, but my JavaScript understanding is non-existent, so changing them from ws to wss is beyond me.


Thanks again for the help.


matt1309 answered ·

Thanks @ikeakayke,

Does this work for you? I tried configs very similar to this and they failed. It gets stuck on the Remote Console "Connecting" page. Based on Chrome console logs I assumed it was websockets not playing nicely with the nginx forwarding.

Maybe a newer version of Venus OS resolves my issue. Do you mind me asking what firmware version you're running?

Thanks,
Matt.


ikeakayke answered ·

Kindly disregard my previous answer, I was unaware it actually uses VNC to connect to it :) I just thought it's some HTML5 page. Just checked and it needs port 81 for the VNC client. Although this can be fixed by also setting nginx to do TCP proxy for 81, I strongly advise against it.

matt1309 answered ·

No worries. I ran into similar issues when I originally looked into it. I did see a few posts (after I posted this one) of folk trying to edit Hiawatha to use HTTPS and/or encrypt the VNC connection. Don't think they succeeded.

Was more effort than I was willing to do. I decided VPN was easier.

matt1309 answered ·

If anyone randomly stumbles upon this, this is how I solved it.

In /var/www/venus/index.php I've edited the part where the rfb object is created, changing the encrypt line to be true if connected to the site via https and false otherwise (so that if I'm on the LAN it will just use ws instead of wss). The line now shows:

'encrypt': window.location.protocol === 'https:' ? WebUtil.getQueryVar('encrypt', true) : WebUtil.getQueryVar('encrypt', false),


Then in my reverse proxy (nginx in my case), I've reverse proxied from solar.domain.com to my internal IP of the Venus OS, and then also the websockets connection, i.e. solar.domain.com:81/websockify (which will be done over wss if you connect via https://solar.domain.com), and forwards this from wss to ws (port 81 subdirectory /websockify I didn't bother editing).


Given the websocket is not authenticated, I've added a password to the Venus OS page as a half arsed measure for now. I'll be looking to add some sort of authentication to the websocket connection itself going forward. I have the main page behind my SSO but have not edited the JS for authentication connection on wss yet.
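
The setup described in this answer, written out as an nginx configuration with the WebSocket handshake gated by the same SSO check as the page (an added example, not the poster's actual config). The certificate paths, the Venus address 192.168.42.17 (borrowed from another answer on this page) and the SSO verification URL are assumptions; it also assumes the SSO session cookie is scoped to the hostname, so the browser sends it on the port 81 handshake as well.

```nginx
# Added example, not the poster's config. Placeholders/assumptions:
# certificate paths, the Venus address 192.168.42.17, and the SSO
# verification URL behind /_sso_check.
# auth_request needs ngx_http_auth_request_module.

# Send "Connection: upgrade" only when the client asked for an upgrade.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    # 443 serves the page; 81 is the port the Remote Console script opens
    # for /websockify. Both are TLS here, so the browser uses https/wss.
    listen 443 ssl;
    listen 81 ssl;
    server_name solar.domain.com;

    ssl_certificate     /etc/ssl/placeholder/fullchain.pem;
    ssl_certificate_key /etc/ssl/placeholder/privkey.pem;

    # Web UI: TLS ends here, plain HTTP to Venus on the LAN.
    location / {
        auth_request /_sso_check;
        proxy_set_header Host $http_host;
        proxy_pass http://192.168.42.17:80;
    }

    # wss:// from the browser becomes ws:// to Venus. The handshake is an
    # ordinary HTTP request, so it can be refused before the upgrade.
    location /websockify {
        auth_request /_sso_check;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $http_host;
        proxy_read_timeout 1h;   # keep idle console sessions open
        proxy_pass http://192.168.42.17:81;
    }

    # Internal subrequest: 2xx allows, 401/403 denies the original request.
    location = /_sso_check {
        internal;
        proxy_pass http://127.0.0.1:9000/verify;   # hypothetical SSO endpoint
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }
}
```

As written, a visitor without a valid session receives a 401 on both the page and the handshake; redirecting to the login page is left to the SSO product's own nginx integration.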

enodev answered ·

For anybody interested in a detailed solution: on Debian-based systems, create the following two files to configure NGINX. These have to be placed in /etc/nginx/sites-enabled/ to allow proxying local ports 80 and 81 to the Venus web server and Venus WebSocket server. You can then access your NGINX on port 80 and it will proxy all connections to Venus, running in the following example on IP 192.168.42.17.

This will forward port 80 (Venus Remote Console) and all locations like /gui-beta (GUI v2) and /app (HTML MFD app) to the given host.

server {
    listen 80;
    listen [::]:80;

    location / {
        proxy_set_header Host $http_host;
        proxy_pass http://192.168.42.17:80;
    }
}


This will handle port forward of web socket port 81 used by Venus Remote Console to a given host.

server {
    listen 81;
    listen [::]:81;

    location /websockify {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_pass http://192.168.42.17:81;
    }
}

This will handle port forward of web socket port 9001 used by HTML MFD app to a given host.

server {
    listen 9001;
    listen [::]:9001;


    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_pass http://192.168.42.17:9001;
    }
}


