Merge pull request #42 from horazont/feature/reverse-proxy-guide-fixes
Some fixes for the reverse proxy guide
commit
01211ecab6
|
@ -20,7 +20,7 @@ need to instruct it to forward Snikket traffic to Snikket.
|
|||
It is important to get certificates correct when deploying Snikket behind a reverse
|
||||
proxy. Snikket needs to obtain certificates from Let's Encrypt in order to secure
|
||||
the non-HTTP services it provides. Be careful that your reverse proxy does not
|
||||
requests from Let's Encrypt that are intended for the Snikket service.
|
||||
intercept requests from Let's Encrypt that are intended for the Snikket service.
|
||||
|
||||
# Configuration
|
||||
|
||||
|
@ -56,6 +56,21 @@ server {
|
|||
listen 80;
|
||||
listen [::]:80;
|
||||
|
||||
server_name chat.example.com;
|
||||
server_name groups.chat.example.com;
|
||||
server_name share.chat.example.com;
|
||||
|
||||
location / {
|
||||
proxy_pass http://localhost:5080/;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
|
||||
# A bit of headroom over the 16MB accepted by Prosody.
|
||||
client_max_body_size 20MB;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
# Accept HTTPS connections
|
||||
listen [::]:443 ssl ipv6only=on;
|
||||
listen 443 ssl;
|
||||
|
@ -67,13 +82,25 @@ server {
|
|||
server_name share.chat.example.com;
|
||||
|
||||
location / {
|
||||
proxy_pass http://localhost:5080/;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_pass https://localhost:5080/;
|
||||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
# REMOVE THIS IF YOU CHANGE `localhost` TO ANYTHING ELSE ABOVE
|
||||
proxy_ssl_verify off;
|
||||
proxy_set_header X-Forwarded-Proto https;
|
||||
proxy_ssl_server_name on;
|
||||
|
||||
# A bit of headroom over the 16MB accepted by Prosody.
|
||||
client_max_body_size 20MB;
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
**Note:** You may modify the first server block to include a redirect to HTTPS
|
||||
instead of proxying plain-text HTTP traffic. When doing that, take care to
|
||||
proxy `.well-known/acme-challenge` even in plain text to allow Snikket to
|
||||
obtain certificates.
|
||||
|
||||
### sslh
|
||||
|
||||
sslh is a little different to the other servers listed here, as it is not a web server. However it is able
|
||||
|
|
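Review bot: The comment above `proxy_ssl_verify off;` in the HTTPS server block tells readers to remove the directive once the upstream is no longer `localhost`, but `off` is nginx's documented default for `proxy_ssl_verify`, so deleting the line still leaves the upstream certificate unchecked. The comment should say what to set instead, for example `# For a non-local upstream set: proxy_ssl_verify on; proxy_ssl_trusted_certificate <path-to-CA-bundle>;`. Separately, `client_max_body_size 20MB;` in both the new port-80 block and the HTTPS block uses a size suffix nginx does not parse (it accepts suffixes such as `k` and `m`), so `nginx -t` should reject the copied config; `client_max_body_size 20m;` is the accepted form. The opening `server {` of the first block lies above the visible hunk.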