mirror of
https://github.com/scsibug/nostr-rs-relay.git
synced 2024-11-14 06:59:07 -05:00
docs: reverse proxy example
parent
a3124ccea4
commit
24587435ca
|
@ -44,7 +44,7 @@ https://hub.docker.com/repository/docker/scsibug/nostr-rs-relay
|
||||||
|
|
||||||
## Configuration
|
## Configuration
|
||||||
|
|
||||||
The sample `[config.toml](config.toml)` file demonstrates the
|
The sample [`config.toml`](config.toml) file demonstrates the
|
||||||
configuration available to the relay. This file is optional, but may
|
configuration available to the relay. This file is optional, but may
|
||||||
be mounted into a docker container like so:
|
be mounted into a docker container like so:
|
||||||
|
|
||||||
|
@ -58,6 +58,12 @@ $ docker run -it -p 7000:8080 \
|
||||||
Options include rate-limiting, event size limits, and network address
|
Options include rate-limiting, event size limits, and network address
|
||||||
settings.
|
settings.
|
||||||
|
|
||||||
|
## Reverse Proxy Configuration
|
||||||
|
|
||||||
|
For examples of putting the relay behind a reverse proxy (for TLS
|
||||||
|
termination, load balancing, and other features), see [Reverse
|
||||||
|
Proxy](reverse-proxy.md).
|
||||||
|
|
||||||
License
|
License
|
||||||
---
|
---
|
||||||
This project is MIT licensed.
|
This project is MIT licensed.
|
||||||
|
|
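Review bot: The new "Reverse Proxy Configuration" section does not tell readers to stop exposing the relay's own port once a proxy is in front of it. The hunk context shows the README's `docker run -it -p 7000:8080` example, which publishes the relay on host port 7000 on all interfaces, so a reader who follows both would leave the relay reachable in plaintext and bypass the TLS termination this section recommends. Suggest one sentence here asking for a loopback-only publish (for example `-p 127.0.0.1:8080:8080`), which also lines up with the `127.0.0.1:8080` backend address and the "Relay is running on port 8080" assumption in reverse-proxy.md.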
48
reverse-proxy.md
Normal file
|
@ -0,0 +1,48 @@
|
||||||
|
# Reverse Proxy Setup Guide
|
||||||
|
|
||||||
|
It is recommended to run `nostr-rs-relay` behind a reverse proxy such
|
||||||
|
as `haproxy` or `nginx` to provide TLS termination. A simple example
|
||||||
|
of an `haproxy` configuration is documented here.
|
||||||
|
|
||||||
|
## Minimal HAProxy Configuration
|
||||||
|
|
||||||
|
Assumptions:
|
||||||
|
|
||||||
|
* HAProxy version is `2.4.10` or greater (older versions not tested).
|
||||||
|
* Hostname for the relay is `relay.example.com`.
|
||||||
|
* Your relay should be available over wss://relay.example.com
|
||||||
|
* Your (NIP-11) relay info page should be available on https://relay.example.com
|
||||||
|
* SSL certificate is located in `/etc/certs/example.com.pem`.
|
||||||
|
* Relay is running on port 8080.
|
||||||
|
* Limit connections to 400 concurrent.
|
||||||
|
* HSTS (HTTP Strict Transport Security) is desired.
|
||||||
|
* Only TLS 1.2 or greater is allowed.
|
||||||
|
|
||||||
|
```
|
||||||
|
global
|
||||||
|
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
|
||||||
|
ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
|
||||||
|
|
||||||
|
frontend fe_prod
|
||||||
|
mode http
|
||||||
|
bind :443 ssl crt /etc/certs/example.com.pem alpn h2,http/1.1
|
||||||
|
bind :80
|
||||||
|
http-request set-header X-Forwarded-Proto https if { ssl_fc }
|
||||||
|
redirect scheme https code 301 if !{ ssl_fc }
|
||||||
|
acl host_relay hdr(host) -i relay.example.com
|
||||||
|
use_backend relay if host_relay
|
||||||
|
# HSTS (1 year)
|
||||||
|
http-response set-header Strict-Transport-Security max-age=31536000
|
||||||
|
|
||||||
|
backend relay
|
||||||
|
mode http
|
||||||
|
option tcp-check
|
||||||
|
default-server maxconn 400 check inter 20s fastinter 1s
|
||||||
|
server nostr 127.0.0.1:8080
|
||||||
|
```
|
||||||
|
|
||||||
|
### Notes
|
||||||
|
|
||||||
|
You may experience WebSocket connection problems with Firefox if
|
||||||
|
HTTP/2 is enabled, for older versions of HAProxy (2.3.x). Either
|
||||||
|
disable HTTP/2 (`h2`), or upgrade HAProxy.
|
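Review bot: The HAProxy example sets no timeouts anywhere (there is no `defaults` section, and neither `frontend fe_prod` nor `backend relay` has a `timeout` line), so idle or half-dead WebSocket connections can hold the slots allowed by `default-server maxconn 400` indefinitely, and HAProxy will warn about the missing timeouts at startup. Suggest adding `timeout connect`, `timeout client` and `timeout server`, plus a longer `timeout tunnel` for the upgraded WebSocket connections. Separately, `ssl-default-bind-ciphersuites` only governs TLS 1.3; since the assumptions allow TLS 1.2, an `ssl-default-bind-ciphers` line is needed to restrict the TLS 1.2 cipher list as well, otherwise it stays at the library default. The config also forwards only `X-Forwarded-Proto`, so the relay sees every client as coming from the proxy's address; if that is intended, a line in the Notes saying so would help.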