Cloudflare, IIS, Nginx

JSingDreams

New Member
Jan 23, 2024
23
12
I followed Object's TUT on making a retro for IIS.
I have an issue with CF randomly disconnecting people and was told to use a TCP Proxy or Reverse Proxy,
so I installed Nginx on Windows, but I'm not sure how to configure it with IIS.

Is there a tutorial for this? I just want to remove the random disconnection while staying protected.
I know it's been done on Windows, but haven't seen much detail on it.
 

airilxx

Member
Jan 1, 2012
51
12
You should be able to run both Nginx and IIS instances on the same server; you just need to have Nginx listen on a different port.

For instance, IIS would run on port 80 to serve the website, client and game assets. Nginx will function as a reverse proxy to allow websocket connections from nitro client <-> emulator.

Let's say on your emulator and nitro client, you're listening on port 2096 for websocket connections. You may create a config file for Nginx which listens on a different port, let's say 2087, and forwards it to your existing port, which is 2096. It would look like this:

nitro client <-> Nginx <-> emulator

This completely eliminates the need for Cloudflare proxies that will randomly disconnect users on specific occasions.

However, to achieve this, you would need an SSL certificate for the websocket domain, as it will be fully handled by Nginx independently. An easy way is to obtain a free SSL certificate from Let's Encrypt; you can achieve this by using Certbot ( )

Once you've obtained your free SSL certificate, you'll need to adjust the Nginx config to allow websocket proxying. Here is a reference for the guide on creating a websocket proxy config ( )
Here is a config example:
Code:
worker_processes  1;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    sendfile        on;
    keepalive_timeout  65;

    # WebSocket: TLS-terminating listener in front of the emulator
    server {
        listen 2087 ssl;
        server_name ws.domain.com;

        location / {
            # Forward to the emulator's websocket port on the same machine
            proxy_pass http://127.0.0.1:2096;
            # WebSocket needs HTTP/1.1 and the Upgrade/Connection headers passed through
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_cache_bypass $http_upgrade;
        }

        # SSL Config
        ssl_certificate C:/Certbot/live/ws.domain.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key C:/Certbot/live/ws.domain.com/privkey.pem; # managed by Certbot
    }
}


Lastly, on Cloudflare, you will need to disable the proxy for the websocket domain (the orange cloud) in the DNS records, and you will also need to adjust the page rule for the websocket domain by setting SSL to Full.

Once all is done, you will need to create a script to start the Nginx server manually, or on each server startup.

This is the default setup that I personally used years ago, as I hosted IIS and Nginx on the same machine due to the best server resources we had. Someone might come up with better solutions nowadays.

However, I would recommend that you use a separate server to host the Nginx proxy to avoid future issues, unless your current VPS has good protections.
 

Johno

:: xHosts :: www.xhosts.uk
Sep 12, 2011
586
255
You can use a separate VPS, or firewall your server so that any IP addresses that do not come from Cloudflare on your HTTP & web socket will instantly fail.
Check your EMU cannot be flooded with requests: max X amount of requests, then drop and ban that IP for x amount of time.
Stop any remote SQL connections unless from your allowed IPs if using external SQL.

Optionally put your CMS and nitro files on a shared hosting such as cPanel/Directadmin from a provider using servers in the same datacentre (a quick Google search would give you that).
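
One way to enforce the "max X amount of requests" limit at the Nginx websocket proxy from the earlier post, since that listener is reachable directly once the Cloudflare proxy is off for the websocket domain. This is an added example, not configuration posted by anyone in the thread; the zone names, limits and timeout are illustrative values, and the emulator reading `X-Real-IP` is an assumption.

```nginx
# Added example: per-IP limits for the websocket listener.
# Everything below goes inside the existing http { } block.

# Track clients by address: one zone for concurrent sockets,
# one for the rate of new handshakes.
limit_conn_zone $binary_remote_addr zone=ws_conn:10m;
limit_req_zone  $binary_remote_addr zone=ws_handshake:10m rate=5r/s;

# Send "Connection: upgrade" only when the client asked for an upgrade.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 2087 ssl;
    server_name ws.domain.com;

    ssl_certificate     C:/Certbot/live/ws.domain.com/fullchain.pem;
    ssl_certificate_key C:/Certbot/live/ws.domain.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # A proxied websocket counts as one connection for its whole lifetime.
        limit_conn ws_conn 10;
        # Only the HTTP handshake is a "request"; frames after the upgrade are not counted.
        limit_req  zone=ws_handshake burst=10 nodelay;
        limit_conn_status 429;
        limit_req_status  429;

        proxy_pass http://127.0.0.1:2096;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        # Without this the emulator sees every client as 127.0.0.1
        # (assumes the emulator can be configured to read this header).
        proxy_set_header X-Real-IP $remote_addr;
        # Default is 60s; idle sockets with no traffic are closed after this.
        proxy_read_timeout 300s;
    }
}
```

Nginx only rejects the excess connections and handshakes; the timed ban mentioned above still has to come from a firewall rule or the emulator itself.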
 

JSingDreams

New Member
Jan 23, 2024
23
12
So many great tips! Thank you guys so much! I'll look more into having a separate VPS. I know Contabo VPS has DDoS protection, but I don't know how good that protection is. Probably safer to just proxy on a separate VPS. People are getting too clever with attacks these days.
 

Johno

:: xHosts :: www.xhosts.uk
Sep 12, 2011
586
255
It is true, when it comes to DDoS attacks they are becoming smarter.

I am in the process myself of adding the options for further specialised DDoS protection to all VPS I offer.

Already invested a lot in the past few weeks getting things prepared to add this option to VPS.

 
