Local Reflector using nginx

Posted on
Mon Jan 18, 2021 4:10 pm
Turribeach


I know I can use the Indigo Reflectors as part of my subscription but I prefer a DIY solution where I am the only one who knows how to connect to my Indigo Server. I also found that the Reflectors add too much latency for my liking (it's not that much but I am picky!). So I am using nginx as a reverse proxy to be able to use Indigo Touch over the internet with a custom domain name, dnsomatic for dynamic DNS and SSL certificates from Let's Encrypt. The only cost of this setup is the domain registration which I get from Cloudflare at around $8/year. Recently I was checking my nginx logs and saw lots of primitive attack attempts. This is pretty normal on the internet these days: if you have a public port opened to the world you will get constant attacks. This is usually referred to as Internet Background Radiation.

Having said that, I wasn't happy with the fact that I was forwarding all requests to Indigo so I set about improving the security of my setup. First I needed to know what paths I needed to redirect, for which I found this post (a 10+ year old thread but still useful!). Below is a section of the server block of my final nginx.conf, to which I added comments to explain all the different settings I use:

   server {

        # Add Strict-Transport-Security to my domain
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";

        # Reduces information returned on errors
        server_tokens off;

        # Block any user agents that are not Indigo Touch
        if ($http_user_agent !~* (Indigo%20Touch) )
        {
            # 444 is a non-standard HTTP status code used to instruct nginx to close the connection without sending
            # a response to the client, most commonly used to deny suspected malicious or malformed requests
            return 444;
        }

        # Block any methods other than GET, HEAD or POST
        if ($request_method !~ ^(GET|HEAD|POST)$ )
        {
            # 444 is a non-standard HTTP status code used to instruct nginx to close the connection without sending
            # a response to the client, most commonly used to deny suspected malicious or malformed requests
            return 444;
        }

        listen 4321 ssl;

        # Enforce TLS v1.2 or above
        ssl_protocols TLSv1.2 TLSv1.3;

        # Reverse proxies for Indigo Touch
        location /indigo/ {
            proxy_pass http://localhost:1234/indigo/;
        }

        location /serverrequest {
            proxy_pass http://localhost:1234/serverrequest;
        }

        location /servercommand {
            proxy_pass http://localhost:1234/servercommand;
        }
   }

For obvious reasons I have changed the port numbers that I use, but in the above example I listen publicly on port 4321 and forward to my local machine on port 1234. Also note I use localhost since I am running nginx on the same Mac that Indigo runs on, but if you had nginx running on another machine this would be the local address of your Indigo Server.

Enjoy!
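
The filtering order of the server block above can be replayed offline against an access log to see which rule would handle each request. This is an added example, not part of the original post: it assumes nginx's default `combined` log format, does not reproduce nginx's URI normalization, and its sample log lines and user-agent strings are constructed.

```python
import re
from collections import Counter

# nginx default "combined" access log format (assumed; adjust if log_format differs)
LINE_RE = re.compile(
    r'^(?P<addr>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
UA_RE = re.compile(r"Indigo%20Touch", re.IGNORECASE)  # mirrors: !~* (Indigo%20Touch)
METHOD_RE = re.compile(r"^(GET|HEAD|POST)$")          # mirrors: !~ ^(GET|HEAD|POST)$
PROXIED_PREFIXES = ("/indigo/", "/serverrequest", "/servercommand")

def classify(line):
    """Return which rule of the server block would handle this logged request."""
    m = LINE_RE.match(line)
    if not m:
        return "unparsed log line"
    parts = m["request"].split(" ")
    if len(parts) != 3:                 # e.g. TLS bytes or junk sent as a request line
        return "malformed request line"
    method, uri, _proto = parts
    if not UA_RE.search(m["ua"]):       # first `if` in the server block
        return "dropped: user agent"
    if not METHOD_RE.match(method):     # second `if` in the server block
        return "dropped: method"
    path = uri.split("?", 1)[0]         # prefix locations match the path only
    if path.startswith(PROXIED_PREFIXES):
        return "proxied to Indigo"
    return "not proxied: no matching location"

def summarize(lines):
    """Count verdicts across an iterable of access log lines."""
    return Counter(classify(line) for line in lines)

# Constructed sample lines (documentation IP ranges, made-up user agents)
SAMPLE_LOG = [
    r'203.0.113.7 - - [18/Jan/2021:15:02:11 +0000] "GET /admin.php HTTP/1.1" 444 0 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    r'198.51.100.23 - - [18/Jan/2021:15:03:40 +0000] "GET /indigo/ HTTP/1.1" 444 0 "-" "curl/7.64.1"',
    r'192.0.2.50 - - [18/Jan/2021:15:05:02 +0000] "GET /serverrequest?id=1 HTTP/1.1" 200 512 "-" "Indigo%20Touch/0.0 (constructed)"',
    r'192.0.2.50 - - [18/Jan/2021:15:05:09 +0000] "PUT /servercommand HTTP/1.1" 444 0 "-" "Indigo%20Touch/0.0 (constructed)"',
    r'192.0.2.50 - - [18/Jan/2021:15:05:15 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Indigo%20Touch/0.0 (constructed)"',
    r'203.0.113.9 - - [18/Jan/2021:15:06:30 +0000] "\x16\x03\x01" 400 157 "-" "-"',
]

if __name__ == "__main__":
    for verdict, count in summarize(SAMPLE_LOG).most_common():
        print(f"{count:4d}  {verdict}")
```

Any "proxied to Indigo" line from an address you do not recognise is worth a closer look, since the user-agent header is set by the client and is the only thing the first rule checks.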

Posted on
Tue Jan 19, 2021 11:54 am
matt (support)
Site Admin

Re: Local Reflector using nginx

Great tip. Blocking any HTTP request that isn't using the Indigo Touch user agent will probably filter out all the nefarious attacks by itself (but other filters don't hurt of course!).
