docs: reverse proxy example

This commit is contained in:
Greg Heartsfield 2022-01-15 11:41:31 -06:00
parent a3124ccea4
commit 24587435ca
2 changed files with 55 additions and 1 deletions

View File

@ -44,7 +44,7 @@ https://hub.docker.com/repository/docker/scsibug/nostr-rs-relay
## Configuration ## Configuration
The sample `[config.toml](config.toml)` file demonstrates the The sample [`config.toml`](config.toml) file demonstrates the
configuration available to the relay. This file is optional, but may configuration available to the relay. This file is optional, but may
be mounted into a docker container like so: be mounted into a docker container like so:
@ -58,6 +58,12 @@ $ docker run -it -p 7000:8080 \
Options include rate-limiting, event size limits, and network address Options include rate-limiting, event size limits, and network address
settings. settings.
## Reverse Proxy Configuration
For examples of putting the relay behind a reverse proxy (for TLS
termination, load balancing, and other features), see [Reverse
Proxy](reverse-proxy.md).
License License
--- ---
This project is MIT licensed. This project is MIT licensed.

48
reverse-proxy.md Normal file
View File

@ -0,0 +1,48 @@
# Reverse Proxy Setup Guide
It is recommended to run `nostr-rs-relay` behind a reverse proxy such
as `haproxy` or `nginx` to provide TLS termination. A simple example
of an `haproxy` configuration is documented here.
## Minimal HAProxy Configuration
Assumptions:
* HAProxy version is `2.4.10` or greater (older versions not tested).
* Hostname for the relay is `relay.example.com`.
* Your relay should be available over wss://relay.example.com
* Your (NIP-11) relay info page should be available on https://relay.example.com
* SSL certificate is located in `/etc/certs/example.com.pem`.
* Relay is running on port 8080.
* Limit connections to 400 concurrent.
* HSTS (HTTP Strict Transport Security) is desired.
* Only TLS 1.2 or greater is allowed.
```
global
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
frontend fe_prod
mode http
bind :443 ssl crt /etc/certs/example.com.pem alpn h2,http/1.1
bind :80
http-request set-header X-Forwarded-Proto https if { ssl_fc }
redirect scheme https code 301 if !{ ssl_fc }
acl host_relay hdr(host) -i relay.example.com
use_backend relay if host_relay
# HSTS (1 year)
http-response set-header Strict-Transport-Security max-age=31536000
backend relay
mode http
option tcp-check
default-server maxconn 400 check inter 20s fastinter 1s
server nostr 127.0.0.1:8080
```
### Notes
You may experience WebSocket connection problems with Firefox if
HTTP/2 is enabled, for older versions of HAProxy (2.3.x). Either
disable HTTP/2 (`h2`), or upgrade HAProxy.