From 24587435ca64bab95b6268828bd091398dcc28a6 Mon Sep 17 00:00:00 2001 From: Greg Heartsfield Date: Sat, 15 Jan 2022 11:41:31 -0600 Subject: [PATCH] docs: reverse proxy example --- README.md | 8 +++++++- reverse-proxy.md | 48 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 55 insertions(+), 1 deletion(-) create mode 100644 reverse-proxy.md diff --git a/README.md b/README.md index f2a88b5..bac7e72 100644 --- a/README.md +++ b/README.md @@ -44,7 +44,7 @@ https://hub.docker.com/repository/docker/scsibug/nostr-rs-relay ## Configuration -The sample `[config.toml](config.toml)` file demonstrates the +The sample [`config.toml`](config.toml) file demonstrates the configuration available to the relay. This file is optional, but may be mounted into a docker container like so: @@ -58,6 +58,12 @@ $ docker run -it -p 7000:8080 \ Options include rate-limiting, event size limits, and network address settings. +## Reverse Proxy Configuration + +For examples of putting the relay behind a reverse proxy (for TLS +termination, load balancing, and other features), see [Reverse +Proxy](reverse-proxy.md). + License --- This project is MIT licensed. diff --git a/reverse-proxy.md b/reverse-proxy.md new file mode 100644 index 0000000..998d74c --- /dev/null +++ b/reverse-proxy.md @@ -0,0 +1,48 @@ +# Reverse Proxy Setup Guide + +It is recommended to run `nostr-rs-relay` behind a reverse proxy such +as `haproxy` or `nginx` to provide TLS termination. A simple example +of an `haproxy` configuration is documented here. + +## Minimal HAProxy Configuration + +Assumptions: + +* HAProxy version is `2.4.10` or greater (older versions not tested). +* Hostname for the relay is `relay.example.com`. +* Your relay should be available over wss://relay.example.com +* Your (NIP-11) relay info page should be available on https://relay.example.com +* SSL certificate is located in `/etc/certs/example.com.pem`. +* Relay is running on port 8080. +* Limit connections to 400 concurrent. +* HSTS (HTTP Strict Transport Security) is desired. +* Only TLS 1.2 or greater is allowed. + +``` +global + ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 + ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets + +frontend fe_prod + mode http + bind :443 ssl crt /etc/certs/example.com.pem alpn h2,http/1.1 + bind :80 + http-request set-header X-Forwarded-Proto https if { ssl_fc } + redirect scheme https code 301 if !{ ssl_fc } + acl host_relay hdr(host) -i relay.example.com + use_backend relay if host_relay + # HSTS (1 year) + http-response set-header Strict-Transport-Security max-age=31536000 + +backend relay + mode http + option tcp-check + default-server maxconn 400 check inter 20s fastinter 1s + server nostr 127.0.0.1:8080 +``` + +### Notes + +You may experience WebSocket connection problems with Firefox if +HTTP/2 is enabled, for older versions of HAProxy (2.3.x). Either +disable HTTP/2 (`h2`), or upgrade HAProxy.