NGINX + NAXSI Reverse Proxy for Xtream UI

Advanced protection for your panel using a Web Application Firewall (WAF) and GeoIP blocking.


Overview

This tutorial guides you through setting up NGINX with the NAXSI module to act as a secure reverse proxy for your Xtream UI server. This setup helps protect against common web attacks and allows for advanced filtering like GeoIP blocking. Tested on Ubuntu 18.04 LTS.

Step 1: Installation & Initial Setup

First, install the custom Nginx build with Naxsi using the provided script. Run the following command on your proxy server:

wget https://dev.d-dtox.com/nginx/script/install.sh && chmod +x install.sh && ./install.sh

Once installed, update the whitelist rules to ensure compatibility (fixes MAG playback issues):

rm /etc/nginx/whitelist.rules && wget --no-check-certificate https://dev.d-dtox.com/nginx/conf/whitelist.rules -O /etc/nginx/whitelist.rules && service nginx restart

Step 2: Configure Main Server

You need to tell your Main Xtream UI Server to trust the IP address of your new proxy server so that it takes the client address from the X-Forwarded-For header the proxy sets. Otherwise, all user connections will look like they are coming from the proxy's IP.

Edit the Nginx config on your main server:

nano /home/xtreamcodes/iptv_xtream_codes/nginx/conf/nginx.conf

Find the line client_max_body_size 3m; and add the following lines immediately after it. Replace ADD-PROXY-IP-ADDRESS-HERE with your proxy server's actual IP:

real_ip_header X-Forwarded-For;
set_real_ip_from ADD-PROXY-IP-ADDRESS-HERE;
real_ip_recursive on;

Save the file and reload Nginx on the main server:

/home/xtreamcodes/iptv_xtream_codes/nginx/sbin/nginx -s reload

Step 3: Learning Mode & Whitelisting

Naxsi is a whitelist-based WAF: in Learning Mode it logs the requests its rules would have blocked instead of blocking them. You need to enable "Learning Mode" so those log entries can be turned into whitelist rules for your Admin Panel.

1. Enable Learning Mode:

On your proxy server, edit /etc/nginx/nginx.conf. Change #LearningMode; to:

LearningMode;

Restart Nginx: service nginx restart. Now, navigate through your Admin Panel normally so Naxsi can learn the requests.

2. Generate Rules:

Install the nxutil tool to analyze logs:

cd /home/nginx-waf
git clone https://github.com/prajal/nxutil.git
cd nxutil
python setup.py install

Analyze the Nginx error log to generate whitelist rules:

python nx_util.py -l /var/log/nginx/error.log -o -p 1

3. Apply Rules:

Add the generated rules to /etc/nginx/whitelist.rules. Here are some common rules for Xtream UI:

BasicRule wl:16 "mz:$URL:/api.php|BODY";
BasicRule wl:1310 "mz:$URL:/table_search.php|$ARGS_VAR:columns[0][data]|NAME";
BasicRule wl:1311 "mz:$URL:/table_search.php|ARGS|NAME";
BasicRule wl:1310 "mz:$URL:/table_search.php|ARGS|NAME";

Finally, disable Learning Mode in your config and restart Nginx.
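To show what the learning-mode log actually contains and how nx_util turns it into the BasicRule lines above, here is a minimal rule generator added for this tutorial (it is not nxutil's code). It parses NAXSI_FMT entries from the Nginx error log, scopes each hit to its URL and variable, and de-duplicates repeated hits; the log lines are constructed samples modelled on the page's rules (ids 1310/1311 are Naxsi's core rules for "[" and "]", which the DataTables parameter names trip).

```python
import re
from urllib.parse import parse_qs

# Constructed sample lines in the shape Naxsi writes to the nginx error log
# in Learning Mode (not a real capture).
SAMPLE_LOG = """
2019/01/01 10:00:00 [error] 1#0: *1 NAXSI_FMT: ip=203.0.113.5&server=panel.example.com&uri=/table_search.php&learning=1&vers=0.56&total_processed=1&total_blocked=1&block=1&cscore0=$XSS&score0=4&zone0=ARGS|NAME&id0=1310&var_name0=columns[0][data], client: 203.0.113.5
2019/01/01 10:00:01 [error] 1#0: *2 NAXSI_FMT: ip=203.0.113.5&server=panel.example.com&uri=/api.php&learning=1&vers=0.56&total_processed=2&total_blocked=2&block=1&cscore0=$EVADE&score0=4&zone0=BODY&id0=16, client: 203.0.113.5
2019/01/01 10:00:02 [error] 1#0: *3 NAXSI_FMT: ip=203.0.113.5&server=panel.example.com&uri=/table_search.php&learning=1&vers=0.56&total_processed=3&total_blocked=3&block=1&cscore0=$XSS&score0=4&zone0=ARGS|NAME&id0=1310&var_name0=columns[0][data], client: 203.0.113.5
"""

# The key=value part of a NAXSI_FMT entry ends at ", client:" (or end of line).
NAXSI_RE = re.compile(r"NAXSI_FMT: (?P<kv>[^,]+?)(?:, client:|$)")


def parse_events(log_text):
    """Yield (uri, rule_id, zone, var_name) for every match in every NAXSI_FMT line.
    One line can carry several matches, numbered id0/zone0, id1/zone1, ..."""
    for line in log_text.splitlines():
        m = NAXSI_RE.search(line)
        if not m:
            continue
        kv = parse_qs(m.group("kv"), keep_blank_values=True)
        uri = kv["uri"][0]
        i = 0
        while f"id{i}" in kv:
            var_name = kv.get(f"var_name{i}", [""])[0]
            yield uri, int(kv[f"id{i}"][0]), kv[f"zone{i}"][0], var_name
            i += 1


def whitelist_rule(uri, rule_id, zone, var_name):
    """Build a BasicRule whitelist for one match, scoped to URL and variable.
    A zone like 'ARGS|NAME' means the variable *name* matched, so keep '|NAME'."""
    base_zone, _, name_flag = zone.partition("|")
    if var_name:
        mz = f"mz:$URL:{uri}|${base_zone}_VAR:{var_name}"
    else:
        mz = f"mz:$URL:{uri}|{base_zone}"
    if name_flag == "NAME":
        mz += "|NAME"
    return f'BasicRule wl:{rule_id} "{mz}";'


def generate_whitelist(log_text):
    """Return sorted, de-duplicated rules so repeated hits collapse into one line."""
    return sorted({whitelist_rule(*ev) for ev in parse_events(log_text)})


if __name__ == "__main__":
    print("\n".join(generate_whitelist(SAMPLE_LOG)))
```

Run it against your real /var/log/nginx/error.log and review each generated line before appending it to /etc/nginx/whitelist.rules; a whitelist that is too broad (e.g. all of ARGS on every URL) defeats the WAF.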

Step 4: GeoIP Blocking (Optional)

You can block or allow traffic based on the country of origin.

Option A: Allow specific countries only

Uncomment the geo block in /etc/nginx/nginx.conf:

geo $localnet {
    default 0;
    10.0.0.0/8 1;
    192.168.0.0/16 1;
}
...
include geoblock;

Then edit /etc/nginx/geoblock to define allowed countries (e.g., US, IT, UK):

if ($geoip_country_code !~ (US|IT|UK)) {
    return 444;
}

Option B: Whitelist specific IPs

If you block a country (e.g., USA) but need to allow a specific IP, add it to the geo $localnet block:

geo $localnet {
    default 0;
    ...
    222.222.222.222 1; # Whitelisted IP
}

Always restart Nginx after making changes: service nginx restart.