Skip to content

External Webserver use: Reverse proxy

Jump to bottom
Aurora Lahtela edited this page Jun 11, 2022 · 18 revisions

Plan Header

External Webserver use: Reverse-proxy

Reverse-proxy is a function in some webservers where the connection is passed through to a second webserver. This can be used to host multiple HTTP services on a single machine, or routing http traffic to https since HTTP uses port 80 and HTTPS port 443.

Main use-case for use with Plan is easier https set-up and removal of :PORT from the end of the address.

⚠️ Limited support notice ⚠️
If things on this tutorial don't work for you, consult documentation of your webserver. Very limited support will be provided for configuration issues of reverse-proxies.

There is a debugging checklist at the bottom of this article to help you figure out where the issue is when you're setting up.

Nginx reverse-proxy

Following example routes traffic from http to https and utilizes a reverse-proxy (proxy_pass) to direct traffic to the Plan webserver.

HTTP version:

server {
    listen 80;
    server_name plan.example.com;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://127.0.0.1:8804;
    }
}

or HTTPS version:

server {
    listen 80;
    server_name plan.example.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    server_name plan.example.com;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://127.0.0.1:8804;
    }
}

Note that this example has installed a certificate with certbot. It is rather painless to install certificate on nginx after the HTTP example one has been set up.

After installing HTTPS on the nginx, you can set up proxy settings for Plan

Apache reverse-proxy

Credit to Benji, GoedendagMC and Kopo for Apache section.

<VirtualHost *:80>
  ServerName plan.example.com
  RewriteEngine On
  # Traffic routed to https if it is available
  RewriteCond %{HTTPS} !=on
  RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [END,NE,R]
  ProxyPreserveHost On
  # Prevents certbot certificate http-challenge from being proxied
  ProxyPass /.well-known/ !
  ProxyPass / http://0.0.0.0:8804/
  ProxyPassReverse / http://0.0.0.0:8804/
</VirtualHost>
<IfModule mod_ssl.c>
  <VirtualHost *:443>
    ServerName plan.example.com
    DocumentRoot "/var/www/html"
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/plan.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/plan.example.com/privkey.pem
    ProxyPreserveHost On
    ProxyPass / http://0.0.0.0:8804/
    ProxyPassReverse / http://0.0.0.0:8804/
  </VirtualHost>
</IfModule>

⚠️ Make sure to replace 0.0.0.0:8804 with your server's ip and Plan port (or localhost if running on same machine)

Enable the config in apache

  • Enable the needed modules with a2enmod proxy proxy_http
  • Restart the apache webserver
sudo ln -s /etc/apache2/sites-available/plan.example.com.vhost /etc/apache2/sites-enabled/plan.example.com.vhost
sudo a2enmod rewrite proxy proxy_http
systemctl restart apache2

Set up https with apache

sudo apt update
sudo apt install -y certbot
sudo apt install -y python3-certbot-apache
certbot certonly --apache -d plan.example.com

After installing HTTPS on the Apache, you can set up proxy settings for Plan

Password bruteforce -guard and whitelist support (X-Forwarded-For)

To keep stuff that relies on IP of the requester functional behind reverse-proxy.

  • Make sure reverse-proxy is passing request IP in X-Forwarded-For header
  • Make sure Plan can't be accessed without connecting through reverse proxy
  • Enable X-Forwarded-For support under Webserver settings in Plan config

Debugging step-list for determening connection issue source

  • Check that Plan webserver has enabled (on the server console)
  • Check that you can access the Plan webserver on the local machine (something like curl http://127.0.0.1:8804), if you can't it's likely that your server is in a container (like docker) and the port is not exposed.
  • Check that you can access the nginx/apache webserver by going to http://<server_ip> on the browser. If you're redirected or shown a page you can access.
  • Check that Webserver.Alternative_IP settings in Plan point to the address you put as the reverse-proxy server_name or location. (For example plan.example.com or example.com/plan)
  • Check that your DNS A-record is routed properly with ping example.domain.com (Look that the output has server ip somewhere)
    • If you are using something like Cloudflare, I can't help you, ask them or their documentation.
  • Check that you nginx configuration does not have some * server_name or location that redirects all traffic elsewhere (In these cases you're redirected to wrong place lot of the time)

Wiki index

Documentation

Tutorials

Configuration

Customization

How-to's

Clone this wiki locally