From 97586c08b61ad1cae26443edd55d5c0c80bf9bd0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jonas=20Sch=C3=A4fer?=
Date: Wed, 23 Jun 2021 19:19:43 +0200
Subject: [PATCH] reverse_proxy: split reverse proxy setup in 80/443 servers

This is more compatible with the redirect to HTTPS which is done by the backend (snikket) HTTP server.
---
 docs/advanced/reverse_proxy.md | 27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)

diff --git a/docs/advanced/reverse_proxy.md b/docs/advanced/reverse_proxy.md
index 52c915c..1268552 100644
--- a/docs/advanced/reverse_proxy.md
+++ b/docs/advanced/reverse_proxy.md
@@ -56,6 +56,18 @@ server {
 listen 80;
 listen [::]:80;
+ server_name chat.example.com;
+ server_name groups.chat.example.com;
+ server_name share.chat.example.com;
+
+ location / {
+ proxy_pass http://localhost:5080/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ }
+}
+
+server {
 # Accept HTTPS connections
 listen [::]:443 ssl ipv6only=on;
 listen 443 ssl;
@@ -67,13 +79,22 @@ server {
 server_name share.chat.example.com;
 location / {
- proxy_pass http://localhost:5080/;
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_pass https://localhost:5080/;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ # REMOVE THIS IF YOU CHANGE `localhost` TO ANYTHING ELSE ABOVE
+ proxy_ssl_verify off;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_ssl_server_name on;
 }
 }
 ```
+**Note:** You may modify the first server block to include a redirect to HTTPS
+instead of proxying plain-text HTTP traffic. When doing that, take care to
+proxy `.well-known/acme-challenge` even in plain text to allow Snikket to
+obtain certificates.
+
 ### sslh
 sslh is a little different to the other servers listed here, as it is not a web server. However it is able
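Review bot: The comment above `proxy_ssl_verify off;` in the 443 `location /` block tells readers to remove that line once the upstream is no longer `localhost`, but `off` is already nginx's default for `proxy_ssl_verify`, so deleting the line leaves upstream certificate verification disabled. For a non-local backend the guidance should be to enable verification explicitly: `proxy_ssl_verify on;` together with `proxy_ssl_trusted_certificate <path-to-CA-bundle>;` (placeholder path). Because `proxy_ssl_name` defaults to the host given in `proxy_pass`, `proxy_ssl_name $host;` is probably also needed so that the SNI and the verified name match the Snikket certificate. I would reword the comment to something like `# Upstream TLS is NOT verified; acceptable only for localhost. For a remote backend set proxy_ssl_verify on and proxy_ssl_trusted_certificate.` The enclosing `server` block opens above this hunk, so its certificate directives are not visible here.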