Security Camera handy links

gistfile1.md

Cheap gear to get the job done

1. Reolink PoE 5MP RLC-522 - https://www.amazon.ca/gp/product/B01AL5D85W/ref=ppx_yo_dt_b_asin_title_o06_s00
2. Mokerlink 1 to 4 port PoE switch - https://www.amazon.ca/MokerLink-Ethernet-Support-IEEE802-3af-Fanless/dp/B07SGBQNLM/ref=sr_1_4
3. (Kind of works) Raspberry Pi 4 - https://www.amazon.ca/CanaKit-Raspberry-Starter-Kit-4GB/dp/B07WRMR2CX/ref=sr_1_4 3a. (Recommended) Nanopi R4S (Way better performance but likely has to ship from China, but it is the far superior device for same price)
4. Recommended: Also get yourself a USB 3.0 portable hard drive, preferably 2TB+, of your preferred brand

Also likely needed:

1. Bulk Ethernet Cable (to connect your cameras to your PoE Switch so they get both a connection, and power)

• If you aren't comfertable wiring this up yourself, you can hire an electrician to come in and run/snake the cables for you. This will likely be the most expensive part of the setup, depending on where you place the cameras.
• If your cameras however arent too far from the Raspberry Pi / Switch, you can just run very long ethernet cables to them, which you can buy off amazon as well.

Guide:

1. https://projects.raspberrypi.org/en/projects/raspberry-pi-setting-up

• When you select your image for the pi, choose Raspberry Pi OS Lite, which is found under Raspberry Pi OS (Other)
• This OS is terminal/console only, but trust me its not too bad to use, Ill try and include everything needed below for getting through the process
• Ignore everything from "Start up your Raspberry Pi" on because thats for the non-lite OS
• Plug your Pi into a monitor via HDMI or etc, plug a keyboard into it, and turn it on
• default login should be pi with password raspberry I believe to start
• Be Admin, type in su sudo and type in the password again raspberry

2. Next we need to first off delete the default user and make our own admin. Run the following commands:

• sudo groupadd <Username> && useradd -m -d /home/<Username> -s /bin/bash -G sudo -g <Username> <Username>
• IE if you want the username steve you would execute sudo groupadd steve && useradd -m -d /home/steve -s /bin/bash -G sudo -g steve steve
• It should prompt you for a password for this new account you are making
• If not, execute sudo passwd <YourUsername> and it will prompt for the password
• sudo reboot now This will rebot the device. Now login as the user you just made instead of pi Once again, type in sudo su to become admin, then finally:
• sudo deluser -r pi And hit "yes" to acknowledge you want to do this. Now you are the admin of your pi!
• Note if you login and are getting $ instead of <Username>@<domain> (I think its @Raspberry by default), execute chsh -s /bin/bash while logged in as that user.

3. Execute sudo raspi-config, lets setup wifi, clock time, and our network name

   • First off, System Options > Wireless Lan, fill in your wireless networks name and password
   • Interface Options > SSH > Yes
   • Locale Options > Timezone > Set your timezone (For Alberta its under America > Mountain)
   • Select Finish
   • sudo ifconfig wlan0 down
   • sudo ifconfig wlan0 up
   • And now to see if it worked, wait 2 seconds and then type: sudo ifconfig wlan0
   • What we are looking for is a line that says inet <some IP Address, it probably starts with 192.168.0 or 192.168.1
   • This indicates your raspberry pi is now connected over your wifi and has internet, nice!

4. Next we are gonna set our hostname, which is just the name of the machine (which will make it way easier to do the following steps)

   • sudo nano /etc/hostname
   • Now is when you need to learn how to use nano. To keep it simple, heres the basics:
   • First: Right click is paste, so dont hit it if you dont wanna paste
   • Ctrl+O to save
   • Ctrl+X to exit out
   • Other than that its just a super simple text editor
   • Change the text you see in hostname to be SecurityCameras, thats it, just that.
   • Ctrl+O to save, then Ctrl+X to exit.
   • sudo nano reboot, log back in, and then sudo su again as usual.
   • execute the command hostname to verify it says SecurtyCameras now
   • On a different computer on the same network, assuming its a windows computer, open command prompt
   • WinKey > cmd > enter to open command prompt easily
   • In windows command prompt execute ping SecurityCameras
   • You should see Reply from <ip address> bytes=32 etc etc 4 times
   • Congrats, you're raspberry pi is now online, but now we need to secure it!

5. Next up, lets get ourselves setup so we can easily SSH into our Raspberry pi from our personal windows PC. This will make it so you can do stuff like copy paste commands into the terminal and whatnot. Also its way more secure. To start we need to generate a secure SSH key to login with. Dont worry if you dont know what that means, its just A fancy super secure login method to prevent being hacked and spied on. You are gonna want it!

   • Install "PuTTY" which is the popular SSH tool for windows, on your windows machine.
   • Link: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
   • You want the one under "Package files" labeled "64-bit x86" most likely.
   • Once installed, you should be able to hit Win key, and type in "puttygen", to run the program "PuTTYgen"
   • If that doesnt work, it should be located in C:\Program Files\PuTTY
   • Once open, hit the "generate" button and follow the "shake your mouse" instructions
   • Click "Save public key" and save it to a safe place, I recommend making a folder in "My Documents" called "SSH Keys"
   • Do the same with "Save private key"
   • Keep this window open, you'll need it for later

6. Open PuTTY itself

   • Should be able to just hit the win key and type "Putty" and you will see it, if not it is also located in C:\Program Files\PuTTY
   • Note we now want "PuTTY" not "PuTTYkeygen"
   • Theres a lot to take in here but for now all we care about is the "Host Name" field, type SecurityCameras into it
   • Then just hit the "Open" button and you should have a familiar terminal pop up, asking for login. Login exactly The same way as before to your pi. Congrats, you are now SSHd into your raspberry pi
   • Tip: From here on out, you can copy paste commands from this guide Into the terminal via copying it, then right click in the terminal to paste, same as nano
   • In your SSH Terminal you now have open, run sudo install -d -m 700 ~/.ssh
   • Next, execute sudo nano ~/.ssh/authorized_keys
   • Remember how I mentioned right click to paste in Nano? We are doing that now. Paste all the text of that SSH private key here
   • Make sure to copy ALL of the text from the box "Public key for pasting into OpenSSH authorized_keys file:" in PuttyGen, which you should still have open
   • Its multiple lines and has a scroll bar, quadruple check you copied it all. It should start with ssh-rsa
   • Ctrl-O, Ctrl-X to save.
   • Execute the follow commands:
   • sudo chmod 700 ~/.ssh
   • sudo chmod 600 ~/.ssh/authorized_keys
   • sudo chown <YourUsername>:<YourUsername> ~/.ssh -R
   • For the second command <YourUserName> is what you have been logging in with. IE if you named the account steve you would do `sudo chown steve:steve ~/.ssh -R
   • Okay now we can test trying to login with the key, here we go!

7. Close PuTTY, and Re-Open it. Dont login yet, we have some new stuff to do

   • Again enter SecurityCameras as the hostname
   • Under Connection > Data > Auto-login username, put your Username in here.
   • Under Connect > SSH > Auth (You have to expand SSH, but dont expand Auth), click "Browse" for Private Key File
   • Go find that .ppk private key file you saved back in Step 5, select it
   • Optional: Click Window > Appearance For Font Settings, select Antialiased for Font Quality, and pick a more readable font by hitting the "Change..." button
   • Click on Session again at the top of the 'menu' thing on the left (Its at the very top, might need to scroll)
   • Type "Security Cameras" into "Saved Sessions" box
   • Hit Save, this saves all these settings now as a "remembered" connection, you'll see it get added to the box
   • Double click "Security Cameras" in that box
   • If everything went right, you should automatically log into SSH without being prompted for a password, alright!
   • Close PuTTY entirely and do one last sanity check. Reopen PuTTY again, double click "Security Cameras" and verify you still login
   • Now we will disable password logging in for SSH
   • In the terminal execute sudo nano /etc/ssh/sshd_config
   • Scroll down and find the line PasswordAuthentication yes
   • Change that to now be PasswordAuthentication no, save changes as usual (Ctrl+O > Ctrl+X)
   • Once again, sudo reboot now to reboot the device and load the new config
   • Now to make sure this works, try logging in the original way you did in Step 6, with just the manual username+password
   • If you did everything right, it will fail, but, if you do it this Step 7 way with the private key, it will work
   • NEVER DELETE THAT PRIVATE KEY FILE
   • BACK UP THAT PRIVATE KEY FILE SOMEWHERE SAFE
   • Congrats, you can now disconnect the raspberry pi from the keyboard and screen, since everything from here forward can be done through SSH

8. Okay, time to setup DHCP. Dont worry if you dont know what that means, its basically just a simple system for making your Raspberry pi be the "owner" of the security cameras you plug into it.

   • First off, remember back how we pinged SecurityCameras in command prompt at the end of step 4? Do that again
   • This time, take special note of the IP address. The first 3 numbers of the IP address is called the "subnet", you can think of this as like the "neighboorhood" or "street", and the last number like the house number on that street
   • For example, if the IP is 192.168.0.22, then the subnet is 192.168.0 and the address is 22
   • This subnet is the one your home router from your ISP (shaw or telus or whatever) gave you, you can think of it as your "home network's neighbourhood"
   • To make life easy, I will refer to subnets with a .x at the end, x being the "address" part, ie 192.168.0.x
   • What we need to do is decide on a new and different subnet for the cameras. Easiest is to just add 1.
   • So if your "home" neighbourhood is 192.168.0.x, then I would decide on 192.168.1.x as the Camera subnet
   • This number is different for every router, its commonly 192.168.0.x, but sometimes its other stuff depending on model
   • For future reference I will from here on out refer to the first subnet as <Home Subnet> and the second as <Camera Subnet>
   • Write these numbers down on a piece of paper or notepad if needed. They will come up a fair bit

9. In the raspberry terminal, lets start by making sure we are up to date and have a static ethernet address

   • sudo apt-get update
   • sudo apt-get upgrade
   • sudo nano /etc/network/interfaces.d/eth0
   • Paste all of this in, and make sure to change <CameraSubnet> to be correct:

auto eth0
iface eth0 inet static
address <CameraSubnet>.1
netmask 255.255.255.0

• Save and exit
• Example if your camera subnet is 192.168.1.x:

auto eth0
iface eth0 inet static
address 192.168.1.1
netmask 255.255.255.0

• Next up, sudo nano /etc/network/interfaces.d/wlan0
• Paste in the following

allow-hotplug wlan0
iface wlan0 inet dhcp
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

• Save and Exit
• Now we test if it worked, try the following:
• sudo ifconfig eth0 down && ifconfig eth0 up then ifconfig eth0
• You should see inet <CameraSubnet>.1 netmask 255.255.255.0 etc etc as the first or second line or so
• If it still isn't present, try sudo ip addr flush eth0 and then ifconfig eth0 again
• Grats, you have a static ethernet IP and can server as a router
• Time to test if the wlan setting also worked, comment if it doesnt and I can try to help you
• sudo reboot now and your PuTTY terminal will lose connection. Wait 45 seconds or so, then try and reconnect
• If all went well, it should keep working and wifi will continue to be functional
• Double check sudo ifconfig eth0 that it still has the static IP assigned as well

10. Time to setup DHCP

• First off lets get all software up to date
• sudo apt-get update && apt-get upgrade -y && apt-get autoremove && apt-get autoclean
• sudo apt-get install isc-dhcp-server
• You probably will see errors here. Ignore them, we didnt configure the DHCP stuff yet is why it error'd
• sudo nano /etc/default/isc-dhcp-server
• Change this line: INTERFACESv4="" to be INTERFACESv4="eth0", then save and exit
• This line tells DHCP to only operate on our ethernet line and ignore the wifi line, since the wifi is gonna operate on <Home Subnet>
• sudo nano /etc/dhcp/dhcpd.conf
• For this file it comes with a bunch of preset stuff, we can just wipe it all. Hold down Ctrl+K to delete all the lines, wipe it clean.
• Paste the following in, once again modifying all the <CameraSubnet> stuff to be what you wrote down for it

option domain-name "security.cams";
option domain-name-servers 1.1.1.1, 8.8.8.8;

default-lease-time 600;
max-lease-time 7200;

# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;

subnet <CameraSubnet>.0 netmask 255.255.255.0 {
    authoritative;
    range <CameraSubnet>.20 <CameraSubnet>.100;
    option subnet-mask 255.255.255.0;
    option routers <CameraSubnet>.1;
    option broadcast-address <CameraSubnet>.255;
}

• Save and exit Example config:

option domain-name "security.cams";
option domain-name-servers 1.1.1.1, 8.8.8.8;

default-lease-time 600;
max-lease-time 7200;

# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;

subnet 192.168.1.0 netmask 255.255.255.0 {
    authoritative;
    range 192.168.1.20 192.168.1.100;
    option subnet-mask 255.255.255.0;
    option routers 192.168.1.1;
    option broadcast-address 192.168.1.255;
}

• Now you should be able to run sudo service isc-dhcp-server restart to restart DHCP
• Run sudo systemctl status isc-dhcp-server.service to see its status, you are hoping to see in green text: "active (running)" and no angry errors.
• Grats! Your DHCP server is now running.

11. Updating Camera Firmware

• For Reolink cams they probably shipped with outdated firmware. To update them we first need to figure out their IP address
• Type in arp -a into windows command prompt, take a look at the list. You should see a bunch of devices in ascending order starting with <HomeSubnet>. The .1 address is always your router, then it probably starts at 10 or 11 and goes up in ascending order.
• To power up the camera we need to plug it into the Power over Ethernet Switch, it will need to be one of the "power" ports
• Usually theres 1 or 2 seperate "uplink" ports seperated from a bunch of "power" ports together in a cluster.
• To connect that to your router, you need to plug a cable from your Router to the "uplink" or "in" port of your switch
• Okay, now plug your camera via the Ethernet cable to your router, and wait 2 minutes
• run arp -a again and now there should be a new entry added to the list. Thats your camera!
• (Note: If you already plugged the camera into your network prior to this guide, it probably already got an IP, thats okay! Its extremely likely to be at the end of the list. If this is the case, just type ping <ip address> to ping it while its connected to the network, you should get a response back. If you dont, just work your way up the list. It should definitely be close to the end of the list of <Home Subnet> though if you recently connected it.)
• Copy that IP address and just punch it right into your browsers address bar.
• You should be presented with a login screen for your Reolink camera, default login is usually admin with a blank password
• Click the gear icon on the top right to go to the admin menu.
• Follow Reolinks guide here to find out your Firmware version and hardware version: https://support.reolink.com/hc/en-us/articles/360018878154 Click on I think its "Admin" or "system" or something, and "maintenence"
• You are looking for a "firmware update" button.
• Go to this page here: https://support.reolink.com/hc/en-us/sections/360002374874-Firmware
• Ctrl+F to search in your browser, and paste in that hardware version
• For the RLC-522 model recommended by this guide, the hardware should be IPC_51516M5M
• Find the most recent firmware download closest to the top, open its page up.
• Make sure it has a RLC-522 entry on its table on this page, if not, keep going down the list
• Click the link (it should be a number, something like 20121111 or whatever) and you'll download a zip file
• Unzip it, theres a .pak file in there, drag and drop that out to your desktop or whatever
• In the Camera's page admin menu again, find the Firmware update option, its usually under "Maintenence"
• Click the browse option to find that .pak file, then hit update and wait.
• You should now get logged out and have to log back in

12. Camera setup

• (Normal screen, not admin panel) Under Basic Settings > OSD Tab > Name, Give your camera a name for where its going to go, and hit save
• Basic Settings > Encode, Check off "Record Audio" if you want to enable audio recording off the camera, and hit save
• Now moving on back to the Admin panel via the gear icon
• Camera > Display: Turn off Watermark (Gets rid of the annoying Reolink watermark)
• System > Date and Time, hit the button/link to update its time to match local PC (I forgot how its worded but it should stick out)
• Change to 12 hour format if you wish
• System > More, Disable "Auto Reboot", this breaks things on Shinobi (Our security software)
• Finally, System > User Management, Change password to something secure.
• Log out and back in to confirm the new password works
• Repeat this whole process for every one of your cameras you bought!

13. DHCP Static IP Configuration

• Nearly done! Now we just need to setup static IPs for all the cameras.
• Disconnect the Power over Ethernet switch from your router, and disconnect all cameras from the switch. Do this first!
• Now, connect the ethernet port of your raspberry pi to the "uplink" port of the switch, leave all other ports empty for now
• In your terminal run sudo systemctl status isc-dhcp-server again and take note of the latest couple lines. You might need to hit "Ctrl+C" to get back out
• Plug one camera in, wait 1~2 minutes
• Run sudo systemctl status isc-dhcp-server again. You will see new lines with "DHCPREQUEST" and "DHCPACK"
• At the end of the line is a 6 pair set of characters seperated by colons, something like a1:b2:c3:d4:e5:f6, this is the cameras MAC address
• Copy that mac address down noting which camera it is for.
• Disconnect the camera, now repeat this process for each camera. You should have now have note of each cameras mac address and which camera it is
• sudo nano /etc/dhcp/dhcpd.conf again, you will recognize this file from Step 10
• For each camera, you need to paste the following to the bottom of the file:

host <CameraName> {
  hardware ethernet <CamerasMacAddress;
  fixed-address <CameraSubnet>.<Address>;
}

• For <Address>, Start at 101, then go up by 1 for each. Each Camera should have a unique fixed-address entry.
• Save and exit Example file:

option domain-name "security.cams";
option domain-name-servers 1.1.1.1, 8.8.8.8;

default-lease-time 600;
max-lease-time 7200;

# The ddns-updates-style parameter controls whether or not the server will
# attempt to do a DNS update when a lease is confirmed. We default to the
# behavior of the version 2 packages ('none', since DHCP v2 didn't
# have support for DDNS.)
ddns-update-style none;

subnet 192.168.1.0 netmask 255.255.255.0 {
    authoritative;
    range 192.168.1.20 192.168.1.100;
    option subnet-mask 255.255.255.0;
    option routers 192.168.1.1;
    option broadcast-address 192.168.1.255;
}

host FrontCam {
    hardware ethernet ab:12:cd:34:ef:56;
    fixed-address 192.168.1.101;
}

host SideCam {
    hardware ethernet 12:cd:34:ef:56:ab;
    fixed-address 192.168.1.102;
}

host BackCam {
    hardware ethernet cd:34:ef:56:ab:12;
    fixed-address 192.168.1.103;
}

• Execute sudo service isc-dhcp-server restart again
• Check sudo systemctl status isc-dhcp-server after a second to make sure everything is working
• Now, plug a camera in again, noting which one it is (I like to label my cameras with a sharpy marker on the underside, by the way, to keep them organized)
• Execute sudo systemctl status isc-dhcp-server again after waiting a minute. You might now see some angry error about "DHCP Lease already assigned" you can ignore that.
• What you want to make sure is you see a DHCPOFFER entry, with the IP address you assigned to that camera, for that camera, and a matching DHCPACK entry (Thats the camera going "Okay, I will use that then)
• You can confirm this by running ping <ThatIpAddress> in the Terminal (Not windows command prompt), and you'll get a ping back.
• (Hit Ctrl+C to exit out of the ping)
• Double check this works for every camera
• Congrats! You now have DHCP setup for all the cameras. Id recommend taking a second here now to write down what IP Addresses you have assigned to every camera btw, you'll need that for the next step

14. Setting up your firewall

• To further tighten things down we can quickly add a firewall via a popular firewall called ufw
• sudo apt-get install ufw
• sudo ufw default deny incoming
• sudo ufw default allow outgoing
• For all the following commands, replace <HomeSubnet> with <YourHomeSubnet>.0/24, IE 192.168.0.0/24
• sudo ufw allow from <HomeSubnet> to any port 8080
• Example for this one, sudo ufw allow from 192.168.0.0/24 to any port 8080
• sudo ufw allow from <HomeSubnet> to any port 22
• Sudo ufw allow 67
• Sudo ufw allow 68
• Port 8080 is what shinobi will use, this lets us view Shinobi only from computers on the same network as the Pi's Wife (So you have to be connected to your home routers)
• Port 22 is for SSH, this rule specifies we can only SSH into the Raspberry pi, once again, from computers on the same network
• Ports 67 and 68 are for UDP, which is necessary for our DHCP server to work
• run sudo ufw enable to turn the firewall on, if you did everything right, SSH wont die on you.
• If SSH died on you, you can follow this guide here on how to turn off firewall settings and etc: https://www.digitalocean.com/community/tutorials/how-to-setup-a-firewall-with-ufw-on-an-ubuntu-and-debian-cloud-server
• Note that if SSH has died you'll need to manually log into the pi directly, by plugging it into a screen and using a mouse and keyboard etc etc.

15. Installing Shinobi

• Take a breather, we are almost there!
• Execute bash <(curl -s https://gitlab.com/Shinobi-Systems/Shinobi-Installer/raw/master/shinobi-install.sh)
• Choose the "Ubuntu Touchless" option
• Wait for everything to install. If you encounter issues here, best to check in with their discord: https://shinobi.video/support (Near the bottom)
• You should see something akin to "Now running on <HomeSubnetIPAddress>:8080"
• Copy that address (Excluding the :8080 part), IE 192.168.0.21
• Back in windows, hit win key, type "Notepad", and right click it and select "Run as Administrator"
• In Notepad, paste C:\Windows\System32\drivers\etc\hosts into the address bar and hit open
• Scroll to the bottom and add this entry: <HomeSubnetIpAddress> SecurityCameras
• IE, if the original address given was 192.168.0.21:8080 you would add the line 192.168.0.21 SecurityCameras
• Save and exit
• Open up your browser and type in SecurityCameras:8080/super and hit enter
• You should be presented with the Shinobi Login page, see here for default login: https://shinobi.video/docs/start#content-set-up-superuser-access
• Right away, change your admin password to no longer be the default (It should be under "Preferences" tab)
• Verify you now login to the admin account via the new password
• Under Accounts tab, add a non admin user to login as via the +Add button
• Set the Email, Password fields, you can set Email Authentication to No for now, set Permissions to "All Privileges"
• Save, then exit out

16. Setting up your cameras

• Navigate now to just SecurityCameras:8080 (No super at the end)
• Login with that non-admin account you made
• You should now be looking at your security camera panel, time to add a camera!
• On the very top left click the dropdown (should be your email), and select "ONVIF"
• Enter in the IP address of a camera you noted down at the end of step 13
• Enter in "admin" for the username, and the password you set on the camera way back on step 11 when you set the camera up
• Hit "Search" and wait. Now it will start by saying "Nothing found" but keep waiting, it might take a bit to show up. The search button might stop spinning its wheels, but sometimes it takes a minute.
• Ignore the "Port 80" result, keep waiting. You will see a box with "Manufacturer" "Model" etc. Its likely on port 8000 if a Reolink camera
• Double click that box that appeared, A popup will appear
• Scroll down to "Connection" and hit the big green "Probe" button and wait until the "Please Wait" button turns into "Probe" and a bunch of text appears
• Hit the Import button
• Scroll back up to "Identity" and set the "Name" field to whatever makes sense for you
• IMPORTANT Scroll down to "Input" and Select "Yes" for "Accelerator", and then for "Video Decoder" select "H.264 (Raspberry Pi)"
• This setting is crucial to make your Raspberry pi render the video feed WAAAAAY better and use a fraction of the CPU and memory.
• Hit Save.
• You should see a box appear on the top left for your camera. Wait a moment, then double click it to add it to the main screen
• Viola! You should be able to see what the camera sees now, repeat the process for each camera

17. Done? Kind of?

• You probably have a lot more stuff you want to setup now. I am not a shinobi master, you can request help on their discord community here: https://shinobi.video/support (Near the bottom for discord)
• Shinobi also supports lots of cool features, I wont get into details but check their wiki and docs out here: https://shinobi.video/docs/start
• You probably want to start saving footage to that portable hard drive right? Follow these guides on how to mount the portable hard drive, and how to set it up for storage
• https://www.raspberrypi.org/documentation/configuration/external-storage.md
• https://shinobi.video/docs/start#content-configuration-file

18. Want to be able to see your videos from anywhere with internet? You can buy a domain name and then use NGINX to set up a reverse proxy to serve shinobi on it:

• https://phoenixnap.com/kb/nginx-reverse-proxy
• To make websockets work for nginx though you will need the following in your host entry, heres an example for if you own the domain "mywebsite.com"

    server {
        listen       80;
        server_name mywebsite.com www.mywebsite.com;

        location / {
            proxy_set_header Host $Host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_pass http://127.0.0.1:8080;
        }
    }

• Note to reverse proxy you need to add an A entry on your Domain pointing to your public IP: https://www.whatsmyip.org/
• Then you will also need to port forward your router to your raspberry pi, so external requests to your public ip go to your raspberry pi. This is different for every router, best to consult your routers documentation online, but its usually on a tab or page called "Port Forwarding", look up "How do I log into my router" and "How do I port forward my router"
• Finally you will need to open the HTTP port 80 on your ufw router to all public traffic. You just want to execute sudo ufw allow 80 on the pi.
• How this works is:
• When someone goes to "mywebsite.com" your DNS you bought it from will redirect to <Your public IP> via that A entry.
• That public IP is your Home Router your ISP gave you. The Port forwarding on your Router then forwards that traffic to the Raspberry Pi
• The Raspberry Pi NGINX config then is listening on port 80 and follows up by redirecting one last time to actually be port 8080
• What this does it performs a global mapping of "mywebsite.com" to localhost:8080 on the raspberry pi, congrats, you have a reverse proxy!
• If you wanna secure it with HTTPS (highly recommend this as well) check out https://certbot.eff.org/ to do it for free

are your instructions different for the Nanopi R4S?