nostr-rs-relay

My dev fork of nostr-rs-relay
git clone git://jb55.com/nostr-rs-relay

reverse-proxy.md (3229B)


# Reverse Proxy Setup Guide

It is recommended to run `nostr-rs-relay` behind a reverse proxy such
as `haproxy` or `nginx` to provide TLS termination.  Simple examples
of `haproxy` and `nginx` configurations are documented here.

## Minimal HAProxy Configuration

Assumptions:

* HAProxy version is `2.4.10` or greater (older versions not tested).
* Hostname for the relay is `relay.example.com`.
* Your relay should be available over `wss://relay.example.com`.
* Your (NIP-11) relay info page should be available on `https://relay.example.com`.
* SSL certificate is located in `/etc/certs/example.com.pem`.
* Relay is running on port 8080.
* Limit connections to 400 concurrent.
* HSTS (HTTP Strict Transport Security) is desired.
* Only TLS 1.2 or greater is allowed.

```
global
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

frontend fe_prod
    mode    http
    bind    :443 ssl crt /etc/certs/example.com.pem alpn h2,http/1.1
    bind    :80
    # client-side timeouts are frontend settings; HAProxy ignores them in a backend section
    timeout client 50s
    timeout client-fin 30s
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    redirect scheme https code 301 if !{ ssl_fc }
    acl host_relay hdr(host) -i relay.example.com
    use_backend relay if host_relay
    # HSTS (1 year)
    http-response set-header Strict-Transport-Security max-age=31536000

backend relay
    mode http
    timeout connect 5s
    timeout server 50s
    # long-lived WebSocket connections are governed by the tunnel timeout once upgraded
    timeout tunnel 1h
    option tcp-check
    default-server maxconn 400 check inter 20s fastinter 1s
    server relay 127.0.0.1:8080
```

### HAProxy Notes

With older versions of HAProxy (2.3.x), you may experience WebSocket
connection problems in Firefox if HTTP/2 is enabled.  Either disable
HTTP/2 (remove `h2` from the `alpn` list on the `bind` line) or upgrade
HAProxy.

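As an added check (not part of the original guide or the nostr-rs-relay project), the following Python script verifies the properties the HAProxy configuration above is meant to produce: plain HTTP is redirected to `https://`, HTTPS responses carry a one-year HSTS header, the WebSocket handshake is passed through to the relay, and the proxy negotiates TLS 1.2 or newer. The sample responses are constructed; only `fetch_https`, which sends a raw request to a live host, needs network access.

```python
import re, socket, ssl
HSTS_MIN_AGE = 31536000  # one year, matching the HAProxy config above

def parse_response(raw):
    """Return (status_code, headers) from a raw HTTP/1.1 response; header names lowercased."""
    status_line, *header_lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    code = int(status_line.split(" ", 2)[1])
    headers = {n.strip().lower(): v.strip() for n, _, v in (line.partition(":") for line in header_lines)}
    return code, headers

def check_redirect(raw):
    """A plain-HTTP request must be answered with 301 to an https:// URL."""
    code, h = parse_response(raw)
    problems = []
    if code != 301:
        problems.append(f"expected 301, got {code}")
    if not h.get("location", "").startswith("https://"):
        problems.append("Location does not point at https://")
    return problems

def check_hsts(raw):
    """Every HTTPS response must carry HSTS with a max-age of at least one year."""
    _, h = parse_response(raw)
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m:
        return ["Strict-Transport-Security header missing"]
    return [] if int(m.group(1)) >= HSTS_MIN_AGE else [f"HSTS max-age {m.group(1)} below one year"]

def check_upgrade(raw):
    """The WebSocket handshake must pass through the proxy: 101 plus Upgrade/Connection headers."""
    code, h = parse_response(raw)
    problems = []
    if code != 101:
        problems.append(f"expected 101, got {code}")
    if h.get("upgrade", "").lower() != "websocket" or h.get("connection", "").lower() != "upgrade":
        problems.append("Upgrade/Connection headers not passed through")
    return problems

def fetch_https(host, request, port=443):
    """Send a raw request over TLS; the handshake fails if the proxy offers nothing newer than TLS 1.1."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=5) as s, ctx.wrap_socket(s, server_hostname=host) as tls:
        tls.sendall(request.encode())
        return tls.recv(65536).decode(errors="replace")

# Constructed sample responses (not captured from a live relay), as the config above should produce them.
SAMPLE_REDIRECT = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://relay.example.com/\r\nContent-Length: 0\r\n\r\n"
SAMPLE_HTTPS = "HTTP/1.1 200 OK\r\nContent-Type: application/nostr+json\r\nStrict-Transport-Security: max-age=31536000\r\n\r\n{}"
SAMPLE_WS = "HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\nConnection: Upgrade\r\n\r\n"
```

Against the bare-bones nginx configuration below, the redirect and HSTS checks would report problems, since that configuration defines neither.
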
## Bare-bones Nginx Configuration

Assumptions:

* `Nginx` version is `1.18.0` (other versions not tested).
* Hostname for the relay is `relay.example.com`.
* SSL certificate and key are located at `/etc/letsencrypt/live/relay.example.com/`.
* Relay is running on port `8080`.

```
http {
    server {
        listen 443 ssl;
        server_name relay.example.com;
        ssl_certificate /etc/letsencrypt/live/relay.example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/relay.example.com/privkey.pem;
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them if your clients allow it
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5;
        keepalive_timeout 70;

        location / {
            proxy_pass http://localhost:8080;
            # HTTP/1.1 and the Upgrade/Connection headers are required for the WebSocket handshake
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
            proxy_set_header Host $host;
        }
    }
}
```

### Nginx Notes

The above configuration was tested with `nginx` `1.18.0` on `Ubuntu 20.04`.

For help installing `nginx` on `Ubuntu`, see [this guide](https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-ubuntu-20-04).

For guidance on using `letsencrypt` to obtain a cert on `Ubuntu`, including an `nginx` plugin, see [this post](https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-20-04).