Cannot connect to Aria2 RPC when working behind Nginx #733

Open
johnnysong-cc opened this issue Oct 30, 2023 · 4 comments

johnnysong-cc commented Oct 30, 2023

Running Context

Aria2 RPC Server is running on 192.168.1.99:6800
AriaNg client is running on 192.168.1.254:6880
They work fine together.
However, when I tried to put AriaNg behind an Nginx reverse proxy with the following configuration:

stream {
  map $ssl_preread_server_name $backend_name {
    aria.mydomain.com aria;
  }
  upstream aria{
    server 127.0.0.1:26880;
  }
}

http {
  server {
    listen 26880 ssl;
    server_name aria.mydomain.com;

    ssl_certificate fullchain.cer;
    ssl_certificate_key aria.mydomain.com.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    # ssl_verify_client off;
    # ssl_handshake_timeout 30s;

    location / {
      proxy_pass http://192.168.1.254:6880/;
      proxy_set_header Host $host;
      proxy_set_header Origin 192.168.1.254;
      proxy_set_header Referer 192.168.1.254;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
  }  
}

Symptom

When accessing via "https://aria.mydomain.com" in the browser, the AriaNg client is still accessible but it can't connect to the RPC server via 192.168.1.99:6800 anymore.

Here are the problems beyond my reach

  • On the RPC Server settings, "http" and "websocket" can't be used and options were confined to "https" and "wss". However, I tried to use the certificates for "aria.mydomain.com" issued by LetsEncrypt with Aria2 RPC Server but it doesn't accept them.

    enable-rpc=true
    rpc-allow-origin-all=true
    rpc-listen-all=true
    rpc-certificate=D:\aria2-1.36.0\fullchain.cer
    rpc-private-key=D:\aria2-1.36.0\aria.mydomain.com.key
    rpc-secure=true
    
  • There are many jsonrpc errors in the Network tab of Chrome DevTools. I have tried to use proxy_set_header to change the Origin and Referer headers as shown in the configuration, but they remain unchanged as "https://aria.mydomain.com".

bamtan commented Oct 31, 2023

Maybe these can point you in the right direction, would be interested to know if it works for you:

#681
https://kingtam.win/archives/aria2-jsonrpc.html

Owner

mayswind commented Nov 1, 2023

bamtan commented Nov 19, 2023

Have you tried setting the RPC port to 443 inside AriaNg? It works for me with the following nginx config (using nginx-proxy-manager):

#ARIA2
location /jsonrpc {
    proxy_pass http://$server:$port/jsonrpc;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}

Fabick75 commented Mar 17, 2024

Hi,
probably you are using the wrong port on stream.

I've aria2 running on the same VM that hosts aria2ng behind nginx.
Aria2ng responds on port 443, and aria2 is listening on 127.0.0.1:6800.

My nginx config is similar to this:

server {
    listen 80;
    root /home/aria2/aria2ng;
    server_name aria2.myserver.org;

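    # Redirect everything else to HTTPS. A server-level "return" runs before
    # location matching, so it is placed in a location to keep the ACME
    # challenge location below reachable over plain HTTP.
    location / {
        return 307 https://$server_name$request_uri;
    }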

    ## MANAGE CERTIFICATE REQUEST WITH acme.sh AND letsencrypt
    location ^~ /.well-known/acme-challenge/ {
       default_type "text/plain";
       alias  /home/aria2/cert/.well-known/acme-challenge/;
    }
    # hiding .well-known directory
    location = /.well-known/ {
      return 404;
    }
}

server {
    listen 443 ssl http2;

    autoindex off;
    server_name aria2.myserver.org;
    root /home/aria2/aria2ng;

    # logs
    access_log /home/aria2/logs/aria2ng.log;
    error_log /home/aria2/logs/error_aria2ng.log warn;
    error_log /var/log/nginx/error.log warn;

    # SSL
    ssl_certificate /home/aria2/.acme.sh/aria2.myserver.org_ecc/aria2.myserver.org.cer;
    ssl_certificate_key /home/aria2/.acme.sh/aria2.myserver.org_ecc/aria2.myserver.org.key;

    # SSL timeout
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;

    # Setting TLS version
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # CIPHER
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384>

    # Enable OCSP Stapling for Nginx web server
    # If you're using the SSL from Letsencrypt,
    # use the 'chain.pem' certificate
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /home/aria2/.acme.sh/aria2.myserver.org_ecc/fullchain.cer;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    # Nginx protection against XSS and HSTS
    # add_header X-Frame-Options DENY;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options nosniff;
    add_header X-Robots-Tag none;
    # add Strict-Transport-Security to prevent man in the middle attacks
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";

    # LOCATIONS (using http_auth to a minimum interface protection)
    location / {
        auth_basic "Area2 admin area";
        auth_basic_user_file /etc/nginx/httpauth/.aria2;
        try_files $uri $uri/ =404;
    }

    location /jsonrpc {
        # Proxy jsonrpc to local aria2c server, since https page can't make "http" and "ws" connection.
        # To connect, simply connect to wss://DOMAIN_NAME:443/jsonrpc
        auth_basic off;
        # use the standard ubuntu server proxy file rules
        include ./conf.d/proxy.conf;
        proxy_pass http://127.0.0.1:6800;
    }

    location /files {
        # Aria2c download folder
        auth_basic "Area2 admin area";
        auth_basic_user_file /etc/nginx/httpauth/.aria2;
        # destination directory where the files are downloaded
        alias /mnt/share/aria2;
        autoindex on;
    }
}

When configuring the RPC alias inside the Aria2NG settings, you need to configure the URL in this manner:

wss://aria2.myserver.org:443/jsonrpc

otherwise the proxy mode of nginx doesn't work correctly to redirect the request to the port on the server.

I hope that this resolves your problem.
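
The approach the replies converge on, written out as an added example (not part of the thread and not any participant's configuration): nginx terminates TLS and proxies a same-origin /jsonrpc path to aria2, so the browser only ever makes https/wss requests. Access control on /jsonrpc rests on aria2's rpc-secret, since the proxy location carries no authentication of its own. The host name aria.example.org, the certificate and web-root paths, and aria2 running on the nginx host are assumptions.

```nginx
# Added example. Goes inside the http { } context.
#
# Matching aria2.conf on the same host (assumed):
#   enable-rpc=true
#   rpc-listen-all=false      # bind the RPC port to loopback only
#   rpc-listen-port=6800
#   rpc-secret=<long-random-token>   # placeholder; enter the same value in AriaNg
#   # rpc-secure / rpc-certificate are not needed: nginx terminates TLS

# Send "Connection: upgrade" upstream only when the client asked for a
# WebSocket upgrade; plain HTTP JSON-RPC requests get "close".
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name aria.example.org;                 # assumed host name

    ssl_certificate     /etc/nginx/tls/fullchain.cer;          # assumed path
    ssl_certificate_key /etc/nginx/tls/aria.example.org.key;   # assumed path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # AriaNg static files (assumed location)
    root /var/www/ariang;
    location / {
        try_files $uri $uri/ =404;
    }

    # Same-origin RPC endpoint: the browser speaks https/wss to nginx,
    # nginx speaks plain http/ws to aria2 on loopback.
    location = /jsonrpc {
        proxy_pass http://127.0.0.1:6800/jsonrpc;
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host       $host;
        # Idle WebSocket connections are closed after 60s by default.
        proxy_read_timeout 300s;
    }
}
```

With this layout the RPC address entered in AriaNg is wss://aria.example.org:443/jsonrpc, together with the same secret token.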
