Certstream server behind a proxy
Rico edited this page Nov 28, 2023 · 4 revisions
The Go standard library already ships a capable HTTP server, which this project uses directly. Still, there are good reasons to run a tool like the certstream server behind a dedicated webserver or reverse proxy, for example to keep certificate management separate from the application itself.

Below you'll find configuration samples for popular webservers. Since certstream-server-go uses WebSockets, make sure the proxy forwards the "Upgrade" and "Connection" headers as shown below; without them the proxy answers the WebSocket handshake with a plain HTTP response and clients cannot connect.

Note: the examples use port 8080. Make sure you set the interface and port to the values you configured in your config.yml.
nginx:

```nginx
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name sub.domain.com;

    # SSL setup - you might want to add your specific TLS configurations here
    # include /etc/nginx/snippets/ssl-nginx.conf;
    ssl_certificate /path/to/ssl/cert/crt;
    ssl_certificate_key /path/to/ssl/key/key;

    # Websocket & example.json location
    location ~ ^/((example\.json)?$|full-stream|domains-only)($|/example\.json$) {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8080;
        proxy_redirect off;
        # nginx closes the connection if the upstream sends nothing for this long;
        # raise it if clients see idle WebSocket disconnects
        proxy_read_timeout 5s;
        # WebSocket upgrade requires HTTP/1.1 and the two headers below
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        break;
    }

    # Optional location for prometheus metrics endpoint
    location ~ ^/metrics$ {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8081;
        proxy_redirect off;
        proxy_read_timeout 5s;
        break;
    }
}
```
Apache httpd:

```apache
<VirtualHost *:443>
    ServerName sub.domain.com

    SSLEngine On
    SSLCertificateFile /path/to/ssl/cert/crt
    SSLCertificateKeyFile /path/to/ssl/key/key

    # Protocol 'h2' is only supported on Apache 2.4.17 or newer.
    Protocols h2 http/1.1

    # Requires mod_proxy, mod_proxy_http, mod_proxy_wstunnel (for ws://) and mod_rewrite
    ProxyPass / http://127.0.0.1:8080/

    RewriteEngine on
    RewriteCond %{HTTP:Upgrade} =websocket
    RewriteRule /(.*) ws://127.0.0.1:8080/$1 [P,L]
    RewriteCond %{HTTP:Upgrade} !=websocket
    RewriteRule /(.*) http://127.0.0.1:8080/$1 [P,L]
</VirtualHost>
```
Caddy (the `reverse_proxy` directive forwards the WebSocket upgrade headers and Caddy obtains the TLS certificate automatically):

```caddyfile
sub.domain.com {
    reverse_proxy 127.0.0.1:8080
}
```
Traefik (labels on the certstream-server-go service in your docker-compose file):

```yaml
labels:
  - "traefik.enable=true"
  - "traefik.http.routers.certstream-server-go.rule=Host(`sub.domain.com`)"
  - "traefik.http.routers.certstream-server-go.entrypoints=https"
  - "traefik.http.routers.certstream-server-go.tls=true"
  - "traefik.http.routers.certstream-server-go.tls.certresolver=myresolver"
  - "traefik.http.services.certstream-server-go.loadBalancer.server.port=8080"
```

Make sure to set up the certificate resolver (`myresolver` in the example) in Traefik so that it handles the TLS certificates.
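Whichever of the proxies above you use, the failure mode is the same: if the "Upgrade" and "Connection" headers are not forwarded, the backend never sees a WebSocket handshake and the client gets an ordinary HTTP reply instead of "101 Switching Protocols". The following Go program is an added example (not part of this wiki page or of certstream-server-go) that sends a raw WebSocket handshake through the proxy and validates the reply, including the Sec-WebSocket-Accept value from RFC 6455. Run it without arguments for an offline self-check against two constructed sample responses, or as `go run main.go sub.domain.com /` to probe a live proxy; the hostname, port 443 and the path `/` are assumptions taken from the examples above.

```go
package main

import (
	"bufio"
	"crypto/rand"
	"crypto/sha1"
	"crypto/tls"
	"encoding/base64"
	"fmt"
	"net"
	"net/http"
	"os"
	"strings"
)

// Fixed GUID from RFC 6455 §4.2.2 used to derive Sec-WebSocket-Accept.
const wsGUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

// Constructed sample responses for the offline self-check: a correctly proxied
// handshake, and the plain HTTP reply you get when a proxy drops the upgrade headers.
const (
	sampleKey  = "dGhlIHNhbXBsZSBub25jZQ==" // sample key from RFC 6455 §1.3
	sampleGood = "HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n" +
		"Connection: Upgrade\r\nSec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n"
	sampleBad = "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: 0\r\n\r\n"
)

// AcceptKey returns base64(SHA-1(clientKey + GUID)), the only valid
// Sec-WebSocket-Accept value for a given Sec-WebSocket-Key.
func AcceptKey(clientKey string) string {
	sum := sha1.Sum([]byte(clientKey + wsGUID))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// NewClientKey returns a random 16-byte key, base64 encoded as RFC 6455 requires.
func NewClientKey() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(b), nil
}

// checkUpgrade reports the first thing that makes resp an invalid upgrade for clientKey.
func checkUpgrade(resp *http.Response, clientKey string) error {
	if resp.StatusCode != http.StatusSwitchingProtocols {
		return fmt.Errorf("got %q, want 101 Switching Protocols (proxy probably did not forward Upgrade/Connection)", resp.Status)
	}
	if !strings.EqualFold(resp.Header.Get("Upgrade"), "websocket") {
		return fmt.Errorf("Upgrade header is %q, want websocket", resp.Header.Get("Upgrade"))
	}
	if !strings.EqualFold(resp.Header.Get("Connection"), "upgrade") {
		return fmt.Errorf("Connection header is %q, want Upgrade", resp.Header.Get("Connection"))
	}
	if got, want := resp.Header.Get("Sec-WebSocket-Accept"), AcceptKey(clientKey); got != want {
		return fmt.Errorf("Sec-WebSocket-Accept is %q, want %q", got, want)
	}
	return nil
}

// CheckHandshake parses a raw HTTP response (as read off the socket) and validates it.
func CheckHandshake(raw, clientKey string) error {
	resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(raw)), nil)
	if err != nil {
		return fmt.Errorf("response is not parseable HTTP: %w", err)
	}
	defer resp.Body.Close()
	return checkUpgrade(resp, clientKey)
}

// Probe connects to host:443 over TLS, sends a handshake for path and validates the reply.
func Probe(host, path string) error {
	key, err := NewClientKey()
	if err != nil {
		return err
	}
	conn, err := tls.Dial("tcp", net.JoinHostPort(host, "443"), &tls.Config{ServerName: host})
	if err != nil {
		return err
	}
	defer conn.Close()
	req := fmt.Sprintf("GET %s HTTP/1.1\r\nHost: %s\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n"+
		"Sec-WebSocket-Key: %s\r\nSec-WebSocket-Version: 13\r\n\r\n", path, host, key)
	if _, err := conn.Write([]byte(req)); err != nil {
		return err
	}
	resp, err := http.ReadResponse(bufio.NewReader(conn), nil)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	return checkUpgrade(resp, key)
}

func main() {
	if len(os.Args) < 2 { // no host given: offline self-check on the constructed samples
		fmt.Println("good sample:", CheckHandshake(sampleGood, sampleKey))
		fmt.Println("bad sample: ", CheckHandshake(sampleBad, sampleKey))
		return
	}
	path := "/"
	if len(os.Args) > 2 {
		path = os.Args[2]
	}
	if err := Probe(os.Args[1], path); err != nil {
		fmt.Fprintln(os.Stderr, "handshake through proxy FAILED:", err)
		os.Exit(1)
	}
	fmt.Println("handshake through proxy OK")
}
```

The check deliberately verifies Sec-WebSocket-Accept rather than only the 101 status: a proxy or middlebox that synthesises its own 101 without talking to the backend will fail that comparison, while a real end-to-end handshake passes it.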