bp2008 / ui3

A powerful, modern HTML5 web interface for Blue Iris.
GNU Lesser General Public License v3.0

Suddenly getting UI3 javascript errors for external access through nginx reverse proxy #118

Closed kars85 closed 1 year ago

kars85 commented 1 year ago

I've attached a clean access.log when attempting to access my BI subdomain externally.

172.69.70.52 - - [07/Jul/2022:09:15:34 -0500] "GET /login.htm?page=%2F HTTP/2.0" 200 6355 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
172.69.70.34 - - [07/Jul/2022:09:15:34 -0500] "GET /applet/launcher-icon.png?v=27-5.5.9.3 HTTP/2.0" 200 41321 "https://obfuscatedcom/login.htm?page=%2F" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
172.69.70.114 - - [07/Jul/2022:09:15:34 -0500] "GET /applet/loginScripts.js?v=27-5.5.9.3 HTTP/2.0" 200 109775 "https://obfuscatedcom/login.htm?page=%2F" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
108.162.221.222 - - [07/Jul/2022:09:15:34 -0500] "GET /applet/logos/launcher-icon48.png?v=27-5.5.9.3 HTTP/2.0" 200 4730 "https://obfuscatedcom/login.htm?page=%2F" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
172.69.69.45 - - [07/Jul/2022:09:15:39 -0500] "POST /json HTTP/2.0" 200 62 "https://obfuscatedcom/login.htm?page=%2F" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
172.69.69.45 - - [07/Jul/2022:09:15:39 -0500] "POST /json HTTP/2.0" 200 119 "https://obfuscatedcom/login.htm?page=%2F" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
172.69.69.45 - - [07/Jul/2022:09:15:39 -0500] "POST /json HTTP/2.0" 200 2635 "https://obfuscatedcom/login.htm?page=%2F" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
172.69.69.45 - - [07/Jul/2022:09:15:40 -0500] "GET /?session=2fd03653443237916c5e2f69167f48e3 HTTP/2.0" 302 0 "https://obfuscatedcom/login.htm?page=%2F" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
172.69.69.45 - - [07/Jul/2022:09:15:40 -0500] "GET /ui3.htm HTTP/2.0" 200 8999 "https://obfuscatedcom/login.htm?page=%2F" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
172.69.70.206 - - [07/Jul/2022:09:15:40 -0500] "GET /ui3/ui3-local-overrides.css?v=221-5.5.9.3 HTTP/2.0" 302 0 "https://obfuscatedcom/ui3.htm" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
172.69.70.68 - - [07/Jul/2022:09:15:40 -0500] "GET /ui3/ui3.css?v=221-5.5.9.3 HTTP/2.0" 302 0 "https://obfuscatedcom/ui3.htm" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
172.69.69.253 - - [07/Jul/2022:09:15:40 -0500] "GET /ui3/libs-ui3.css?v=221-5.5.9.3 HTTP/2.0" 302 0 "https://obfuscatedcom/ui3.htm" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
172.69.69.45 - - [07/Jul/2022:09:15:40 -0500] "GET /login.htm?page=%2Fui3%2Fui3.css%3Fv=221-5.5.9.3 HTTP/2.0" 200 6355 "https://obfuscatedcom/ui3.htm" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
172.69.69.45 - - [07/Jul/2022:09:15:40 -0500] "GET /login.htm?page=%2Fui3%2Fui3-local-overrides.css%3Fv=221-5.5.9.3 HTTP/2.0" 200 6353 "https://obfuscatedcom/ui3.htm" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
172.69.69.45 - - [07/Jul/2022:09:15:40 -0500] "GET /login.htm?page=%2Fui3%2Flibs-ui3.css%3Fv=221-5.5.9.3 HTTP/2.0" 200 6355 "https://obfuscatedcom/ui3.htm" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
108.162.221.146 - - [07/Jul/2022:09:15:40 -0500] "GET /ui3/libs-ui3.js?v=221-5.5.9.3 HTTP/2.0" 302 0 "https://obfuscatedcom/ui3.htm" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
172.69.71.80 - - [07/Jul/2022:09:15:41 -0500] "GET /ui3/ui3.js?v=221-5.5.9.3 HTTP/2.0" 302 0 "https://obfuscatedcom/ui3.htm" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
172.69.68.205 - - [07/Jul/2022:09:15:41 -0500] "GET /ui3/ui3-local-overrides.js?v=221-5.5.9.3 HTTP/2.0" 302 0 "https://obfuscatedcom/ui3.htm" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
172.69.69.245 - - [07/Jul/2022:09:15:41 -0500] "GET /ui3/ajax-loader-big.gif?v=221-5.5.9.3 HTTP/2.0" 302 0 "https://obfuscatedcom/ui3.htm" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
172.69.69.45 - - [07/Jul/2022:09:15:41 -0500] "GET /login.htm?page=%2Fui3%2Flibs-ui3.js%3Fv=221-5.5.9.3 HTTP/2.0" 200 6354 "https://obfuscatedcom/ui3.htm" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
172.69.69.45 - - [07/Jul/2022:09:15:41 -0500] "GET /login.htm?page=%2Fui3%2Fui3.js%3Fv=221-5.5.9.3 HTTP/2.0" 200 6355 "https://obfuscatedcom/ui3.htm" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
172.69.69.45 - - [07/Jul/2022:09:15:41 -0500] "GET /login.htm?page=%2Fui3%2Fui3-local-overrides.js%3Fv=221-5.5.9.3 HTTP/2.0" 200 6355 "https://obfuscatedcom/ui3.htm" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
172.69.69.45 - - [07/Jul/2022:09:15:41 -0500] "GET /login.htm?page=%2Fui3%2Fajax-loader-big.gif%3Fv=221-5.5.9.3 HTTP/2.0" 200 6355 "https://obfuscatedcom/ui3.htm" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
172.69.68.212 - - [07/Jul/2022:09:15:42 -0500] "GET /ui3/launcher-icon.png?v=221-5.5.9.3 HTTP/2.0" 302 0 "https://obfuscatedcom/ui3.htm" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"
108.162.221.202 - - [07/Jul/2022:09:15:42 -0500] "GET /ui3/logos/launcher-icon48.png?v=221-5.5.9.3 HTTP/2.0" 302 0 "https://obfuscatedcom/ui3.htm" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0"

Here is my nginx subdomain.conf for BI that's been working fine for years, up until the past few weeks (I'm actually not sure when it quit working as I normally use the BI iOS app).

server {
    listen 443 ssl http2;
    server_name obfuscated.com www.obfuscated.com;
    include /config/nginx/ssl.conf;
    access_log /config/log/nginx/dingnut.access.log;
    error_log /config/log/nginx/dingnut.error.log;
    location / {
        #proxy_set_header Host $host;
        #proxy_set_header X-Real-IP $remote_addr;
        #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;  # Prevents low-bandwidth streams from stuttering
        tcp_nodelay on;       # Helps keep delay at a minimum when streaming
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass http://10.10.100.22;
        proxy_read_timeout 90;
    }
}

If something needs to be changed with my config, without diving into a bunch of reading on the different nginx reverse proxy properties, the emphasis was that external access attempts don't get the IP stripped. That way, LAN access requires no authentication.

bp2008 commented 1 year ago

Hi. Sorry I did not answer this sooner. Somehow I missed it.

Your log indicates that requests for script/style/etc files such as /ui3/ui3.js were being redirected to the login page (hence the error complaining about an unexpected < symbol at the start of what was supposed to be a JavaScript file). This redirect is what Blue Iris does when it can't identify a valid session for a request and you have "Use secure sessions keys and login page" enabled. I wish Blue Iris would refuse requests for such files by delivering an HTTP 403 response, because that would yield a much more appropriate error message. Or better yet just deliver them because they don't contain any sensitive information (unless the user modified the file and added sensitive information. lol). But I don't control Blue Iris's web server at all so this is the way it is.

Anyway, usually the session string is sent in an HTTP cookie called "session", so this situation occurs when something is interfering with the normal operation of HTTP cookies. I don't see anything wrong in your nginx configuration to cause this. One possibility is that you have/had some other web site being hosted on the same domain, and open in another browser tab, and this other web site was deleting or overwriting the session cookie.

bp2008 commented 1 year ago

Late January brought a BI update that provides the HTTP 403 responses I was wanting. UI3-231 now can detect this failure condition and provide a cleaner error message and an automatic redirect to the login page. It won't solve the underlying issue but it will certainly make it more clear what is going wrong.
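
The pattern read out of the access log above (an asset request answered with 302, followed by a 200 for /login.htm?page=<that asset>) can be checked mechanically; this is an added example, not code from the thread or from UI3. The sample lines are constructed, with example.com and documentation-range addresses as placeholders, and correlation is by URL because the client address differs from request to request in the posted log.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in nginx "combined" format, modelled on the log in
# this issue (example.com and the 203.0.113.x addresses are placeholders).
SAMPLE_LOG = """\
203.0.113.10 - - [07/Jul/2022:09:15:40 -0500] "GET /ui3.htm HTTP/2.0" 200 8999 "https://example.com/login.htm?page=%2F" "Mozilla/5.0"
203.0.113.11 - - [07/Jul/2022:09:15:40 -0500] "GET /ui3/ui3.css?v=221-5.5.9.3 HTTP/2.0" 302 0 "https://example.com/ui3.htm" "Mozilla/5.0"
203.0.113.10 - - [07/Jul/2022:09:15:40 -0500] "GET /login.htm?page=%2Fui3%2Fui3.css%3Fv=221-5.5.9.3 HTTP/2.0" 200 6355 "https://example.com/ui3.htm" "Mozilla/5.0"
203.0.113.12 - - [07/Jul/2022:09:15:41 -0500] "GET /ui3/ui3.js?v=221-5.5.9.3 HTTP/2.0" 302 0 "https://example.com/ui3.htm" "Mozilla/5.0"
203.0.113.10 - - [07/Jul/2022:09:15:41 -0500] "GET /login.htm?page=%2Fui3%2Fui3.js%3Fv=221-5.5.9.3 HTTP/2.0" 200 6355 "https://example.com/ui3.htm" "Mozilla/5.0"
203.0.113.10 - - [07/Jul/2022:09:15:42 -0500] "GET /applet/loginScripts.js?v=27-5.5.9.3 HTTP/2.0" 200 109775 "https://example.com/login.htm?page=%2F" "Mozilla/5.0"
"""

# Leading fields of a combined-format line; referer and user agent are ignored.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
ASSET_EXT = (".js", ".css", ".png", ".gif", ".ico")


def find_login_bounces(log_text):
    """Return asset URLs that got a 302 and were then fetched as /login.htm?page=<asset>."""
    redirected = {}  # asset request target -> timestamp of its 302
    bounced = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        status = int(m["status"])
        if status == 302 and url.path.lower().endswith(ASSET_EXT):
            redirected[m["target"]] = m["ts"]
        elif url.path == "/login.htm" and status == 200:
            # parse_qs percent-decodes the value, giving back the original target
            page = parse_qs(url.query).get("page", [""])[0]
            if page in redirected:
                bounced.append(page)
    return bounced


if __name__ == "__main__":
    for asset in find_login_bounces(SAMPLE_LOG):
        print("served login page instead of:", asset)
```
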