overseerr/docs/extending-overseerr/reverse-proxy-examples.md

Reverse Proxy Examples

{% hint style="warning" %} Base URLs cannot be configured in Overseerr. With this limitation, only subdomain configurations are supported. However, a Nginx subfolder workaround configuration is provided below to use at your own risk. {% endhint %}

SWAG

A sample proxy configuration is included in SWAG (Secure Web Application Gateway). However, this page is still the only source of truth, so the SWAG sample configuration is not guaranteed to be up-to-date. If you find an inconsistency, please report it to the LinuxServer team or submit a pull request to update it.

To use the bundled configuration file, simply rename overseerr.subdomain.conf.sample in the proxy-confs folder to overseerr.subdomain.conf. Alternatively, create a new file overseerr.subdomain.conf in proxy-confs with the following configuration:

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name overseerr.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app overseerr;
        set $upstream_port 5055;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

}

Traefik v2

Add the following labels to the Overseerr service in your docker-compose.yml file:

labels:
  - "traefik.enable=true"
  ## HTTP Routers
  - "traefik.http.routers.overseerr-rtr.entrypoints=https"
  - "traefik.http.routers.overseerr-rtr.rule=Host(`overseerr.domain.com`)"
  - "traefik.http.routers.overseerr-rtr.tls=true"
  ## HTTP Services
  - "traefik.http.routers.overseerr-rtr.service=overseerr-svc"
  - "traefik.http.services.overseerr-svc.loadbalancer.server.port=5055"

For more information, see the Traefik documentation for a basic example.

Nginx

{% tabs %} {% tab title="Subdomain" %}

Add the following configuration to a new file /etc/nginx/sites-available/overseerr.example.com.conf:

server {
    listen 80;
    server_name overseerr.example.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name overseerr.example.com;

    ssl_certificate /etc/letsencrypt/live/overseerr.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/overseerr.example.com/privkey.pem;

    proxy_set_header Referer $http_referer;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Real-Port $remote_port;
    proxy_set_header X-Forwarded-Host $host:$remote_port;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-Port $remote_port;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Ssl on;
    real_ip_header CF-Connecting-IP;
    # Control the behavior of the Referer header (Referrer-Policy)
    add_header Referrer-Policy "no-referrer";
    # HTTP Strict Transport Security
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    # Reduce XSS risks (Content-Security-Policy) - uncomment to use and add URLs whenever necessary
    # add_header Content-Security-Policy "default-src 'self'; connect-src 'self' https://plex.tv; style-src 'self' 'unsafe-inline' https://rsms.me/inter/inter.css; script-src 'self' 'unsafe-inline'; img-src 'self' data: https://plex.tv https://assets.plex.tv https://gravatar.com https://secure.gravatar.com https://i2.wp.com https://image.tmdb.org; font-src 'self' https://rsms.me/inter/font-files/" always;
    # Prevent some categories of XSS attacks (X-XSS-Protection)
    add_header X-XSS-Protection "1; mode=block" always;
    # Provide clickjacking protection (X-Frame-Options)
    add_header X-Frame-Options "SAMEORIGIN" always;
    # Prevent Sniff Mimetype (X-Content-Type-Options)
    add_header X-Content-Type-Options "nosniff" always;
    # Tell crawling bots to not index the site
    add_header X-Robots-Tag "noindex, nofollow" always;

    access_log /var/log/nginx/overseerr.example.com-access.log;
    error_log /var/log/nginx/overseerr.example.com-error.log;

    location / {
        proxy_pass http://127.0.0.1:5055;
    }
}

Then, create a symlink to /etc/nginx/sites-enabled:

sudo ln -s /etc/nginx/sites-available/overseerr.example.com.conf /etc/nginx/sites-enabled/overseerr.example.com.conf

{% endtab %}

{% tab title="Subfolder" %}

{% hint style="warning" %} Nginx subfolder reverse proxy is unsupported. The sub filters may stop working when Overseerr is updated. Use at your own risk! {% endhint %}

Add the following location block to your existing nginx.conf file.

location ^~ /overseerr {
    set $app 'overseerr';
    # Remove /overseerr path to pass to the app
    rewrite ^/overseerr/?(.*)$ /$1 break;
    proxy_pass http://127.0.0.1:5055;  # NO TRAILING SLASH
    # Redirect location headers
    proxy_redirect ^ /$app;
    proxy_redirect /setup /$app/setup;
    proxy_redirect /login /$app/login;
    # Sub filters to replace hardcoded paths
    proxy_set_header Accept-Encoding "";
    sub_filter_once off;
    sub_filter_types *;
    sub_filter 'href="/"' 'href="/$app"';
    sub_filter 'href="/login"' 'href="/$app/login"';
    sub_filter 'href:"/"' 'href:"/$app"';
    sub_filter '/_next' '/$app/_next';
    sub_filter '/api/v1' '/$app/api/v1';
    sub_filter '/login/plex/loading' '/$app/login/plex/loading';
    sub_filter '/images/' '/$app/images/';
    sub_filter '/android-' '/$app/android-';
    sub_filter '/apple-' '/$app/apple-';
    sub_filter '/favicon' '/$app/favicon';
    sub_filter '/logo.png' '/$app/logo.png';
    sub_filter '/site.webmanifest' '/$app/site.webmanifest';
}

{% endtab %} {% endtabs %}

Next, test the configuration:

sudo nginx -t

Finally, reload nginx for the new configuration to take effect:

sudo systemctl reload nginx