Certstream server behind a proxy
The Go programming language already ships with a capable HTTP server, which this project uses directly. There are nevertheless good reasons to run a tool like the certstream server behind another web server or a dedicated reverse proxy; one of them is keeping certificate management separate from the actual application.
Below you'll find configuration samples for popular web servers and proxies. Since certstream-server-go serves its streams over WebSockets, make sure the "Upgrade" and "Connection" headers are passed through to the backend as shown below; without them the handshake never reaches certstream and clients only get a plain HTTP response.
Important
Make sure to enable the webserver.real_ip setting in the config.yml file. That way certstream reads the client address from the forwarding headers set by the proxy and logs the real IP address used to connect to the service. Otherwise the logged source IP will always be that of the reverse proxy.
Note
In the examples below, port 8080 is used as the port certstream listens on (and 8081 for the optional metrics endpoint in the nginx sample). Make sure you set the interface and port to the values you configured in your config.yml.
Nginx

```nginx
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name sub.domain.com;

    # SSL setup - you might want to add your specific TLS configurations here
    # include /etc/nginx/snippets/ssl-nginx.conf;
    ssl_certificate /path/to/ssl/cert/crt;
    ssl_certificate_key /path/to/ssl/key/key;

    # Websocket & example.json location
    location ~ ^/((example\.json)?$|full-stream|domains-only)($|/example\.json$) {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8080;
        proxy_redirect off;
        proxy_read_timeout 5s;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        break;
    }

    # Optional location for prometheus metrics endpoint
    location ~ ^/metrics$ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8081;
        proxy_redirect off;
        proxy_read_timeout 5s;
        break;
    }
}
```
Apache

```apache
# Requires mod_ssl, mod_proxy, mod_proxy_http, mod_proxy_wstunnel and mod_rewrite.
<VirtualHost *:443>
    ServerName sub.domain.com

    SSLEngine On
    SSLCertificateFile /path/to/ssl/cert/crt
    SSLCertificateKeyFile /path/to/ssl/key/key

    # Protocol 'h2' is only supported on Apache 2.4.17 or newer.
    Protocols h2 http/1.1

    ProxyPass / http://127.0.0.1:8080/

    # Hand WebSocket upgrades to mod_proxy_wstunnel, everything else to mod_proxy_http.
    RewriteEngine on
    RewriteCond %{HTTP:Upgrade} =websocket
    RewriteRule /(.*) ws://127.0.0.1:8080/$1 [P,L]
    RewriteCond %{HTTP:Upgrade} !=websocket
    RewriteRule /(.*) http://127.0.0.1:8080/$1 [P,L]
</VirtualHost>
```

Caddy

```caddyfile
sub.domain.com {
    reverse_proxy 127.0.0.1:8080
}
```

Traefik (Docker labels)

```yaml
labels:
  - "traefik.enable=true"
  - "traefik.http.routers.certstream-server-go.rule=Host(`sub.domain.com`)"
  - "traefik.http.routers.certstream-server-go.entrypoints=https"
  - "traefik.http.routers.certstream-server-go.tls=true"
  - "traefik.http.routers.certstream-server-go.tls.certresolver=myresolver"
  - "traefik.http.services.certstream-server-go.loadBalancer.server.port=8080"
```
Make sure to set up the certresolver (named myresolver above) so that Traefik obtains and renews the TLS certificates for you.
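The two requirements above, forwarding the WebSocket handshake headers and resolving the client address from X-Forwarded-For / X-Real-IP, are easy to get subtly wrong on the backend side. The following Go program is an added illustration and is not certstream-server-go's own code: `ClientIP` honours the forwarding headers only when the TCP peer is one of the `trustedProxies` (assumed here to be loopback, matching the 127.0.0.1 upstreams in the samples), walks X-Forwarded-For from the right so that a value a client prepended itself is never logged, and `IsWebSocketUpgrade` checks that the hop-by-hop headers survived the proxy. All requests and addresses in `main` are constructed sample data.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// Hypothetical setting (not a certstream-server-go option): the proxies whose
// forwarding headers we trust. With the sample configs the proxy connects
// from loopback, so that is all we accept here.
var trustedProxies = mustParseCIDRs("127.0.0.0/8", "::1/128")

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	out := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		out = append(out, n)
	}
	return out
}

func isTrustedProxy(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ClientIP returns the address to log for a request. remoteAddr is the TCP
// peer in "host:port" form (as in http.Request.RemoteAddr). Forwarding
// headers are honoured only when that peer is a trusted proxy; a client that
// reaches the backend directly could otherwise put any address into
// X-Forwarded-For and spoof the logged source.
func ClientIP(remoteAddr string, h http.Header, trusted []*net.IPNet) string {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // no port component present
	}
	peer := net.ParseIP(host)
	if peer == nil || !isTrustedProxy(peer, trusted) {
		return host
	}
	// X-Forwarded-For is "client, proxy1, proxy2, ...". nginx's
	// $proxy_add_x_forwarded_for appends to whatever the client sent, so the
	// leftmost entry is client-controlled. Walking from the right and taking
	// the first address that is not a trusted proxy yields the real client.
	if xff := h.Get("X-Forwarded-For"); xff != "" {
		parts := strings.Split(xff, ",")
		for i := len(parts) - 1; i >= 0; i-- {
			ip := net.ParseIP(strings.TrimSpace(parts[i]))
			if ip == nil {
				break // malformed entry: stop trusting this header
			}
			if !isTrustedProxy(ip, trusted) {
				return ip.String()
			}
		}
	}
	// X-Real-IP is set by the nginx sample to $remote_addr, overwriting any
	// client-supplied value, so from a trusted proxy it is a safe fallback.
	if xr := net.ParseIP(strings.TrimSpace(h.Get("X-Real-IP"))); xr != nil {
		return xr.String()
	}
	return host
}

// IsWebSocketUpgrade reports whether the hop-by-hop headers a proxy must pass
// through for the handshake are still present. If the proxy dropped them the
// backend sees a plain GET and no stream is ever established.
func IsWebSocketUpgrade(h http.Header) bool {
	if !strings.EqualFold(strings.TrimSpace(h.Get("Upgrade")), "websocket") {
		return false
	}
	for _, tok := range strings.Split(h.Get("Connection"), ",") {
		if strings.EqualFold(strings.TrimSpace(tok), "upgrade") {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: a client that spoofed 10.0.0.1 into X-Forwarded-For,
	// forwarded by the nginx sample config running on loopback.
	h := http.Header{}
	h.Set("X-Forwarded-For", "10.0.0.1, 203.0.113.7, 127.0.0.1")
	h.Set("Upgrade", "websocket")
	h.Set("Connection", "keep-alive, Upgrade")
	fmt.Println("via proxy:", ClientIP("127.0.0.1:51234", h, trustedProxies))
	fmt.Println("direct:   ", ClientIP("198.51.100.9:4000", h, trustedProxies))
	fmt.Println("upgrade:  ", IsWebSocketUpgrade(h), IsWebSocketUpgrade(http.Header{}))
}
```

Run with `go run main.go`; the first line reports 203.0.113.7 (the spoofed 10.0.0.1 is ignored), the second reports the direct peer 198.51.100.9 because its headers are not trusted, and the third prints `true false`. The same right-to-left rule applies if you chain several proxies: add each of them to the trusted set and the first untrusted hop is the client.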