Overview
This tutorial guides you through setting up NGINX with the NAXSI module to act as a secure reverse proxy for your Xtream UI server. This setup helps protect against common web attacks and allows for advanced filtering like GeoIP blocking. Tested on Ubuntu 18.04 LTS.
Step 1: Installation & Initial Setup
First, install the custom Nginx build with Naxsi using the provided script. Run the following command on your proxy server:
Once installed, update the whitelist rules to ensure compatibility (fixes MAG playback issues):
Step 2: Configure Main Server
You need to tell your Main Xtream UI Server to trust the IP address of your new proxy server. Otherwise, all user connections will look like they are coming from the proxy's IP.
Edit the Nginx config on your main server:
Find the line client_max_body_size 3m; and add the following lines immediately after it. Replace ADD-PROXY-IP-ADDRESS-HERE with your proxy server's actual IP:
Save the file and reload Nginx on the main server:
Step 3: Learning Mode & Whitelisting
Naxsi operates by learning normal traffic patterns to distinguish them from attacks. You need to enable "Learning Mode" to populate whitelists for your Admin Panel.
1. Enable Learning Mode:
On your proxy server, edit /etc/nginx/nginx.conf. Change #LearningMode; to:
Restart Nginx: service nginx restart. Now, navigate through your Admin Panel normally so Naxsi can learn the requests.
2. Generate Rules:
Install the nxutil tool to analyze logs:
Analyze the Nginx error log to generate whitelist rules:
3. Apply Rules:
Add the generated rules to /etc/nginx/whitelist.rules. Here are some common rules for Xtream UI:
Finally, disable Learning Mode in your config and restart Nginx.
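An added example, not part of the original tutorial and not nxutil's own code: a small Python script that reads NAXSI_FMT entries from the Nginx error log and prints candidate BasicRule whitelist lines, counting only events logged in learning mode from the IP you browsed the Admin Panel from, so unrelated traffic seen during learning is not whitelisted. The log lines, IPs and host name are constructed samples, and candidate_rules is a hypothetical helper name.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl

# Constructed sample error-log lines in NAXSI_FMT form (not from a real server).
SAMPLE_LOG = """\
2024/01/01 10:00:00 [error] 1#0: *1 NAXSI_FMT: ip=203.0.113.10&server=panel.example&uri=/dashboard.php&learning=1&vers=1.3&total_processed=10&total_blocked=1&block=0&cscore0=$SQL&score0=8&zone0=ARGS&id0=1000&var_name0=filter, client: 203.0.113.10, server: panel.example
2024/01/01 10:00:05 [error] 1#0: *2 NAXSI_FMT: ip=203.0.113.10&server=panel.example&uri=/dashboard.php&learning=1&vers=1.3&total_processed=11&total_blocked=2&block=0&cscore0=$SQL&score0=8&zone0=ARGS&id0=1000&var_name0=filter, client: 203.0.113.10, server: panel.example
2024/01/01 10:00:09 [error] 1#0: *3 NAXSI_FMT: ip=203.0.113.10&server=panel.example&uri=/api.php&learning=1&vers=1.3&total_processed=12&total_blocked=3&block=0&cscore0=$EVADE&score0=4&zone0=HEADERS&id0=1315&var_name0=cookie&zone1=BODY&id1=1005&var_name1=data, client: 203.0.113.10, server: panel.example
2024/01/01 10:00:12 [error] 1#0: *4 NAXSI_FMT: ip=198.51.100.7&server=panel.example&uri=/login.php&learning=1&vers=1.3&total_processed=13&total_blocked=4&block=0&cscore0=$SQL&score0=8&zone0=ARGS&id0=1000&var_name0=username, client: 198.51.100.7, server: panel.example
"""

FMT = re.compile(r"NAXSI_FMT: (.*?)(?:, client:|$)")
VAR_ZONES = {"ARGS", "BODY", "HEADERS"}  # zones that can be narrowed to one variable


def candidate_rules(log_text, trusted_ips):
    """Return BasicRule whitelist candidates for learning-mode hits from trusted_ips."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FMT.search(line)
        if not m:
            continue
        f = dict(parse_qsl(m.group(1), keep_blank_values=True))
        # Only learn from the operator's own browsing, never from other clients.
        if f.get("learning") != "1" or f.get("ip") not in trusted_ips:
            continue
        i = 0
        while f"id{i}" in f:  # one log line can carry several matches
            key = (f[f"id{i}"], f.get(f"zone{i}", ""), f.get(f"var_name{i}", ""), f.get("uri", ""))
            hits[key] += 1
            i += 1
    rules = []
    for (rule_id, zone, var, uri), n in sorted(hits.items()):
        base, _, name = zone.partition("|")  # "ARGS|NAME": match was in the variable name
        target = f"${base}_VAR:{var}" if var and base in VAR_ZONES else base
        suffix = "|NAME" if name == "NAME" else ""
        rules.append(f'BasicRule wl:{rule_id} "mz:$URL:{uri}|{target}{suffix}"; # {n} hit(s)')
    return rules


if __name__ == "__main__":
    print("\n".join(candidate_rules(SAMPLE_LOG, {"203.0.113.10"})))
```

Review each candidate before copying it into /etc/nginx/whitelist.rules; every rule narrows what Naxsi inspects for that URL and variable.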
Step 4: GeoIP Blocking (Optional)
You can block or allow traffic based on the country of origin.
Option A: Allow specific countries only
Uncomment the geo block in /etc/nginx/nginx.conf:
Then edit /etc/nginx/geoblock to define allowed countries (e.g., US, IT, UK):
Option B: Whitelist specific IPs
If you block a country (e.g., USA) but need to allow a specific IP, add it to the geo $localnet block:
Always restart Nginx after making changes: service nginx restart.
