summaryrefslogtreecommitdiff
path: root/docs/content/guides
diff options
context:
space:
mode:
Diffstat (limited to 'docs/content/guides')
-rw-r--r--docs/content/guides/reverse-proxy.md95
1 files changed, 95 insertions, 0 deletions
diff --git a/docs/content/guides/reverse-proxy.md b/docs/content/guides/reverse-proxy.md
new file mode 100644
index 00000000..b1e7f32f
--- /dev/null
+++ b/docs/content/guides/reverse-proxy.md
@@ -0,0 +1,95 @@
+# Using a Reverse Proxy with HedgeDoc
+
+If you want to use a reverse proxy to serve HedgeDoc, here are the essential
+configs that you'll have to do.
+
+This documentation will cover HTTPS setup, with comments for HTTP setup.
+
+## HedgeDoc config
+
+[Full explanation of the configuration options](../configuration.md)
+
+| `config.json` parameter | Environment variable | Value | Example |
+|-------------------------|----------------------|-------|---------|
+| `domain` | `CMD_DOMAIN` | The full domain where your instance will be available | `hedgedoc.example.com` |
+| `host` | `CMD_HOST` | An ip or domain name that is only available to HedgeDoc and your reverse proxy | `localhost` |
+| `port` | `CMD_PORT` | An available port number on that IP | `3000` |
+| `path` | `CMD_PATH` | path to UNIX domain socket to listen on (if specified, `host` or `CMD_HOST` and `port` or `CMD_PORT` are ignored) | `/var/run/hedgedoc.sock` |
+| `protocolUseSSL` | `CMD_PROTOCOL_USESSL` | `true` if you want to serve your instance over SSL (HTTPS), `false` if you want to use plain HTTP | `true` |
+| `useSSL` | | `false`, the communications between HedgeDoc and the proxy are unencrypted | `false` |
+| `urlAddPort` | `CMD_URL_ADDPORT` | `false`, HedgeDoc should not append its port to the URLs it links | `false` |
+| `hsts.enable` | `CMD_HSTS_ENABLE` | `true` if you host over SSL, `false` otherwise | `true` |
+
+
+## Reverse Proxy config
+
+### Generic
+
+The reverse proxy must allow websocket `Upgrade` requests at path `/sockets.io/`.
+
+It must pass through the scheme used by the client (http or https).
+
+### Nginx
+
+Here is an example configuration for Nginx.
+
+```
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+}
+server {
+ server_name hedgedoc.example.com;
+
+ location / {
+ proxy_pass http://127.0.0.1:3000;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ location /socket.io/ {
+ proxy_pass http://127.0.0.1:3000;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ }
+
+ listen [::]:443 ssl http2;
+ listen 443 ssl http2;
+ ssl_certificate fullchain.pem;
+ ssl_certificate_key privkey.pem;
+ include options-ssl-nginx.conf;
+ ssl_dhparam ssl-dhparams.pem;
+}
+```
+### Apache
+You will need these modules enabled: `proxy`, `proxy_http` and `proxy_wstunnel`.
+Here is an example config snippet:
+```
+<VirtualHost *:443>
+ ServerName hedgedoc.example.com
+
+ RewriteEngine on
+ RewriteCond %{REQUEST_URI} ^/socket.io [NC]
+ RewriteCond %{HTTP:Upgrade} =websocket [NC]
+ RewriteRule /(.*) ws://127.0.0.1:3000/$1 [P,L]
+
+ ProxyPass / http://127.0.0.1:3000/
+ ProxyPassReverse / http://127.0.0.1:3000/
+
+ RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+ SSLCertificateFile /etc/letsencrypt/live/hedgedoc.example.com/fullchain.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/hedgedoc.example.com/privkey.pem
+ Include /etc/letsencrypt/options-ssl-apache.conf
+</VirtualHost>
+```
+