Setting up SimpleHelp behind Nginx reverse proxy

Rob_Nicholson · October 27, 2023, 7:56am

Has anyone had any experience of accessing SimpleHelp through Nginx reverse proxy? Or in fact, any reverse proxy would help.

My current SimpleHelp installation is bound to port 8008 for historical reasons. Originally I had IIS and SH running on the same Windows server so couldn’t use port 80. This works most of the time except I’ve got a couple of clients where their firewall doesn’t allow 8008 through.

These days, I’ve moved from IIS to Nginx running on a Linux virtual machine. Port 80 is forwarded to this server. I’ve got Nginx configured for a couple of web sites bound on different ports and they work fine. In fact, SimpleHelp website works fine but the neither the remote access client or technician client work. Whilst it shows the connection in the remote access client is okay (green tick), it never registers in the console.

This is the very basic reverse proxy Nginx configuration that works for the website:

server {
    listen 80;
    server_name remote.mydomain.co.uk;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location / {
        proxy_pass http://192.168.0.6:8008;
    }
}

I must admit my knowledge of Nginx reverse proxy is rather limited. I suspect I might have to dive into snooping the network to see what’s going on.

I notice that SimpleHelp registers itself on the Windows firewall so as well the UDP & TCP inbound firewall rules that I’ve manually added on port 8008.

Furkan · November 2, 2023, 6:12pm

Hey,
in one article SImpleHelp had mentioned they dont support NGINX Reverse Proxy for their Service.
I couldnt find the article, but i also spend a good amount of time to make it work with nginx, failed.

Rob_Nicholson · November 2, 2023, 8:35pm

Ohh that’s a shame - not exactly an uncommon requirement to be behind a single static IP with multiple backend servers

OrsirisdeJong · November 3, 2023, 5:26pm

I’ve had the (non) pleasure to do this with HaProxy.
Since Simplehelp uses various non HTTP protocols, it is really hard to achieve.

I’ve had HaProxy detect various Simplehelp protocols. Here’s the interesting config part of my setup:

frontend main
    bind :::80

    # Optional Redirect if HTTPS is *not* used
    #redirect scheme https code 301 if !{ ssl_fc }

	# We use TCP mode since do want to check TCP payloads, else we could use http mode
    mode tcp
    option tcplog
    option http-keep-alive
    option forwardfor

    log global
    log 127.0.0.1 local2 debug
    log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq %[capture.req.hdr(0)]"
    tcp-request inspect-delay 1s

    # Let's capture the first 300 bytes of any request
    tcp-request content capture payload(0,300) len 300

    # Letsencrypt override
    # Both syntax work in tcp and http mode, using faster non regex version
    # acl lets_encrypt_url url_reg ^\/\.well-known\/acme-challenge\/.*$
    acl lets_encrypt_url path_beg /.well-known/acme-challenge/


    # Those ACL works for tcp haproxy mode
    
	# brute destination host discovery
	#acl simplehelp_protocol_pl req.payload(0,500) -m sub "support.mydomain.tld"
	# simplehelp protocol discovery
    acl simplehelp_protocol_ident req.payload(0,4) -m bin 4e444c4b

	# Example to get POST and GET requests (be aware that below url_reg acls are mich cleaner)
    # Begin after payload 5 bytes "POST "
    #acl simplehelp_lossyproc payload(5,10) -m str "/lossyproc"
    # Begin after payload 4 bytes "GET "
    #acl simplehelp_ping payload(4,8) -m str "/machine"
    # Let's stick to the backend when the ACL is true

    # This ACL works for tcp and http haproxy mode
    acl simplehelp_url  hdr(host) -i support.mydomain.tld
    # GET /machine-1626426453697?ping= where the number is a epoch, hence 13 chars
    acl simplehelp_ping url_reg -i ^\/machine-[0-9]{13}\?ping=.*$
    # GET /lossyproc?rand=0.xxxx
    acl simplehelp_lossyproc url_reg -i ^/lossyproc\?rand=.*$


    use_backend lets_encrypt_server if lets_encrypt_url

    use_backend simplehelp          if simplehelp_protocol_ident
    use_backend simplehelp          if simplehelp_ping
    use_backend simplehelp          if simplehelp_lossyproc
    use_backend simplehelp          if simplehelp_url
    use_backend simplehelp          if { sc0_conn_rate(stick_table_tcp_src) gt 0 }

The setup works, but Simplehelp won’t be able to use UDP, and protocol switch times weren’t good.

I’ve ended up buying more public IPs since Simplehelp’s best working protocol is UDP, and no UDP proxy exists AFAIK.

I tent to be able to have multiple POP/IMAP/SMTP servers behind one public IP, but this one isn’t just TCP.
If someone has achieved this, I’m all in

realmx2 · November 9, 2023, 5:18pm

reading through the documentation: https://simple-help.com/kb---network-ports-and-routing-requirements-for-the-simplehelp-server#network-ports-and-routing-requirements

Keep in mind that the proxy server is handling only http traffic, Simple-Help is doing other types of applications across both UDP and TCP on the ports you have configured in the Admin settings. So a Nginx proxy is insufficient because of this.

In your case @Rob_Nicholson you should just be forwarding those ports you’ve configured (both UPD and TCP) to the SH server directly.