mirror of
https://github.com/scsibug/nostr-rs-relay.git
synced 2024-11-13 22:49:07 -05:00
docs: reverse proxy example
This commit is contained in:
parent
a3124ccea4
commit
24587435ca
|
@ -44,7 +44,7 @@ https://hub.docker.com/repository/docker/scsibug/nostr-rs-relay
|
|||
|
||||
## Configuration
|
||||
|
||||
The sample `[config.toml](config.toml)` file demonstrates the
|
||||
The sample [`config.toml`](config.toml) file demonstrates the
|
||||
configuration available to the relay. This file is optional, but may
|
||||
be mounted into a docker container like so:
|
||||
|
||||
|
@ -58,6 +58,12 @@ $ docker run -it -p 7000:8080 \
|
|||
Options include rate-limiting, event size limits, and network address
|
||||
settings.
|
||||
|
||||
## Reverse Proxy Configuration
|
||||
|
||||
For examples of putting the relay behind a reverse proxy (for TLS
|
||||
termination, load balancing, and other features), see [Reverse
|
||||
Proxy](reverse-proxy.md).
|
||||
|
||||
License
|
||||
---
|
||||
This project is MIT licensed.
|
||||
|
|
48
reverse-proxy.md
Normal file
48
reverse-proxy.md
Normal file
|
@ -0,0 +1,48 @@
|
|||
# Reverse Proxy Setup Guide
|
||||
|
||||
It is recommended to run `nostr-rs-relay` behind a reverse proxy such
|
||||
as `haproxy` or `nginx` to provide TLS termination. A simple example
|
||||
of an `haproxy` configuration is documented here.
|
||||
|
||||
## Minimal HAProxy Configuration
|
||||
|
||||
Assumptions:
|
||||
|
||||
* HAProxy version is `2.4.10` or greater (older versions not tested).
|
||||
* Hostname for the relay is `relay.example.com`.
|
||||
* Your relay should be available over wss://relay.example.com
|
||||
* Your (NIP-11) relay info page should be available on https://relay.example.com
|
||||
* SSL certificate is located in `/etc/certs/example.com.pem`.
|
||||
* Relay is running on port 8080.
|
||||
* Limit connections to 400 concurrent.
|
||||
* HSTS (HTTP Strict Transport Security) is desired.
|
||||
* Only TLS 1.2 or greater is allowed.
|
||||
|
||||
```
|
||||
global
|
||||
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
|
||||
ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
|
||||
|
||||
frontend fe_prod
|
||||
mode http
|
||||
bind :443 ssl crt /etc/certs/example.com.pem alpn h2,http/1.1
|
||||
bind :80
|
||||
http-request set-header X-Forwarded-Proto https if { ssl_fc }
|
||||
redirect scheme https code 301 if !{ ssl_fc }
|
||||
acl host_relay hdr(host) -i relay.example.com
|
||||
use_backend relay if host_relay
|
||||
# HSTS (1 year)
|
||||
http-response set-header Strict-Transport-Security max-age=31536000
|
||||
|
||||
backend relay
|
||||
mode http
|
||||
option tcp-check
|
||||
default-server maxconn 400 check inter 20s fastinter 1s
|
||||
server nostr 127.0.0.1:8080
|
||||
```
|
||||
|
||||
### Notes
|
||||
|
||||
You may experience WebSocket connection problems with Firefox if
|
||||
HTTP/2 is enabled, for older versions of HAProxy (2.3.x). Either
|
||||
disable HTTP/2 (`h2`), or upgrade HAProxy.
|
Loading…
Reference in New Issue
Block a user