mirror of
https://github.com/ergochat/ergo.git
synced 2024-11-22 20:09:41 +01:00
Explain reverse proxy setup for websockets (#2121)
* Explain reverse proxy setup for websockets
* Update MANUAL.md

Clarify that we only support `X-Forwarded-For`

---------

Co-authored-by: Shivaram Lingamneni <slingamn@cs.stanford.edu>
parent 4e574b99f3
commit 3839f8ae60
@ -623,6 +623,8 @@ Many clients do not have this support. However, you can designate port 6667 as a
|
|||||||
|
|
||||||
Ergo supports the use of reverse proxies (such as nginx, or a Kubernetes [LoadBalancer](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer)) that sit between it and the client. In these deployments, the [PROXY protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) is used to pass the end user's IP through to Ergo. These proxies can be used to terminate TLS externally to Ergo, e.g., if you need to support versions of the TLS protocol that are not implemented natively by Go, or if you want to consolidate your certificate management into a single nginx instance.
|
Ergo supports the use of reverse proxies (such as nginx, or a Kubernetes [LoadBalancer](https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer)) that sit between it and the client. In these deployments, the [PROXY protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) is used to pass the end user's IP through to Ergo. These proxies can be used to terminate TLS externally to Ergo, e.g., if you need to support versions of the TLS protocol that are not implemented natively by Go, or if you want to consolidate your certificate management into a single nginx instance.
|
||||||
|
|
||||||
|
### IRC Sockets
|
||||||
|
|
||||||
The first step is to add the reverse proxy's IP to `proxy-allowed-from` and `ip-limits.exempted`. (Use `localhost` to exempt all loopback IPs and Unix domain sockets.)
|
The first step is to add the reverse proxy's IP to `proxy-allowed-from` and `ip-limits.exempted`. (Use `localhost` to exempt all loopback IPs and Unix domain sockets.)
|
||||||
|
|
||||||
After that, there are two possibilities:
|
After that, there are two possibilities:
|
||||||
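Review bot: With the new `### IRC Sockets` heading placed directly after the introductory paragraph, that paragraph now introduces both subsections, but its sentence "In these deployments, the PROXY protocol is used to pass the end user's IP through to Ergo" only describes the IRC socket case; the websockets section added later in this patch relies on `X-Forwarded-For` instead. Suggest rewording the intro to mention both mechanisms (PROXY protocol for IRC sockets, `X-Forwarded-For` for websockets) so a reader does not assume the PROXY protocol is required on every proxied listener.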
@ -638,6 +640,10 @@ After that, there are two possibilities:
|
|||||||
proxy: true
|
proxy: true
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Websockets through HTTP reverse proxies
|
||||||
|
|
||||||
|
Ergo will honor the `X-Forwarded-For` headers on incoming websocket connections, if the peer IP address appears in `proxy-allowed-from`. For these connections, set `proxy: false`, or omit the `proxy` option.
|
||||||
|
|
||||||
|
|
||||||
## Client certificates
|
## Client certificates
|
||||||
|
|
||||||
|
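Review bot: The new websockets paragraph names `proxy-allowed-from` but not `ip-limits.exempted`, while the "first step" that covers both settings now sits under `### IRC Sockets`; a reader who jumps straight to this section cannot tell whether the exemption is also needed for a websocket proxy. Suggest either repeating that step here or moving it above both headings. It would also help to state which address Ergo uses when `X-Forwarded-For` carries more than one entry, and that the proxy is expected to set the header itself rather than relay a client-supplied value, since the paragraph makes trust depend only on the peer IP appearing in `proxy-allowed-from`.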