From 3839f8ae6091abd4c8d833b76c4c7058f6daa79c Mon Sep 17 00:00:00 2001 From: Neale Pickett Date: Thu, 11 Jan 2024 21:20:26 -0700 Subject: [PATCH] Explain reverse proxy setup for websockets (#2121) * Explain reverse proxy setup for websockets * Update MANUAL.md Clarify that we only support `X-Forwarded-For` --------- Co-authored-by: Shivaram Lingamneni --- docs/MANUAL.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/MANUAL.md b/docs/MANUAL.md index fc38cecf..7e112821 100644 --- a/docs/MANUAL.md +++ b/docs/MANUAL.md @@ -623,6 +623,8 @@ Many clients do not have this support. However, you can designate port 6667 as a Ergo supports the use of reverse proxies (such as nginx, or a Kubernetes [LoadBalancer](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer)) that sit between it and the client. In these deployments, the [PROXY protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) is used to pass the end user's IP through to Ergo. These proxies can be used to terminate TLS externally to Ergo, e.g., if you need to support versions of the TLS protocol that are not implemented natively by Go, or if you want to consolidate your certificate management into a single nginx instance. +### IRC Sockets + The first step is to add the reverse proxy's IP to `proxy-allowed-from` and `ip-limits.exempted`. (Use `localhost` to exempt all loopback IPs and Unix domain sockets.) After that, there are two possibilities: @@ -638,6 +640,10 @@ After that, there are two possibilities: proxy: true ``` +### Websockets through HTTP reverse proxies + +Ergo will honor the `X-Forwarded-For` headers on incoming websocket connections, if the peer IP address appears in `proxy-allowed-from`. For these connections, set `proxy: false`, or omit the `proxy` option. + ## Client certificates
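Review bot: In the first hunk (`@@ -623,6 +623,8`), the unchanged intro paragraph just above the new `### IRC Sockets` heading still says "In these deployments, the PROXY protocol is used to pass the end user's IP through to Ergo", which no longer covers the whole section once the websocket subsection, which relies on `X-Forwarded-For` instead, is added under the same parent. Suggest either moving that sentence below `### IRC Sockets` or rewording the intro to name both mechanisms. Style point on the same hunk: the new heading is title-cased ("IRC Sockets") while the one added in the second hunk is sentence-cased ("Websockets through HTTP reverse proxies"); pick one.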
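Review bot: In the second hunk (`@@ -638,6 +640,10`), the new websocket paragraph says Ergo will honor `X-Forwarded-For` when the peer is in `proxy-allowed-from`, but it does not tell the operator that the reverse proxy has to set or overwrite that header itself, nor which address is used when the header carries more than one. `X-Forwarded-For` is an ordinary request header that a client can send and that proxies commonly append to, so a proxy that passes it through unchanged lets the client choose the IP that ends up being trusted. Suggest adding a sentence along the lines of "Configure the proxy to replace any client-supplied `X-Forwarded-For` with the connecting address", and stating which entry is used for a multi-valued header. Two smaller gaps: the IRC subsection tells the reader to add the proxy to both `proxy-allowed-from` and `ip-limits.exempted`, while this paragraph mentions only the former, so say whether the exemption is also needed here; and "set `proxy: false`" would be clearer if it said this applies to the websocket listener and that the reason is that the HTTP proxy does not send a PROXY protocol header.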