Skip to content

Setup Reverse Proxy

Ozzie Isaacs edited this page Dec 30, 2020 · 35 revisions

Reverse Proxy

Reverse proxy configuration examples for apache, nginx and IIS (on Windows) to use Calibre-Web:

Login via Header from Upstream Authentication Source

If your reverse proxy has some kind of authentication mechanism, you can configure Calibre-web to log users in based on headers received from the proxy. If using this feature, it's important that only the proxy is exposed to users, because if the Calibre-web instance is at all directly exposed to traffic, then a malicious user will be able to log in as any user that exists via simply setting a header.

In the admin configuration, check the box marked Allow Reverse Proxy Authentication, and then fill in the text box that appears with the name of the header that will contain the username. If you pass a username that isn't present in the database, nothing will happen - the user must exist beforehand in order to login.

nginx

nginx configuration for a local server listening on port 8080, mapping Calibre-Web to /calibre:

http {
    server {
            client_max_body_size 20M;
            location /calibre {
                proxy_bind              $server_addr;
                proxy_pass              http://127.0.0.1:8083;
                proxy_set_header        Host            $http_host;
                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header        X-Scheme        $scheme;
                proxy_set_header        X-Script-Name   /calibre;  # IMPORTANT: path has NO trailing slash 
        }
    }
}

If you want to use nginx as proxy for subdomain just replace the /calibre lines with /, do not change anything else and it will work. The X-Scheme directive is used to preserve the protocol (http/https), it could be hard coded to http or https to force this type of protocol.
Note: If using SSL in your reverse proxy on a non-standard port (e.g.12345), the following proxy_redirect line may be required:

proxy_redirect http://$host/ https://$host:12345/;

Apache 2.4

Apache 2.4 configuration for a local server listening on port 443, mapping Calibre-Web to /calibre-web:

The following modules have to be activated: headers, proxy, proxy_http, rewrite.

Listen 443

<VirtualHost *:443>
    SSLEngine on
    SSLProxyEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
    SSLCertificateFile "C:\Apache24\conf\ssl\test.crt"
    SSLCertificateKeyFile "C:\Apache24\conf\ssl\test.key"

    <Location /calibre-web >
        RequestHeader set X-SCRIPT-NAME /calibre-web
        RequestHeader set X-SCHEME https
        ProxyPass http://localhost:8083/
        ProxyPassReverse http://localhost:8083/
        ProxyPassReverseCookiePath  /  /calibre-web/
    </Location>
</VirtualHost>

Internet Information Service (IIS) 10

First you need to install: The URL rewrite extension:
http://www.iis.net/downloads/microsoft/url-rewrite
and the application request routing:
https://www.iis.net/downloads/microsoft/application-request-routing
Enable the proxy stuff:
Enable Proxy step1

Enable Proxy step2

Enable Proxy step3

Go to your site and start URL-Rewriting:

url rewrite step1

url rewrite step1

Add the server variable:

server variable

(The local is comming on it's own) with UNDERSCORE and excact Name: HTTP_X-SCRIPT_NAME

Then add Reverse Proxy Rules:

proxy rules step1variable

proxy rules step2

Add the ip address and port of your calibre-web instance: e.g. http://127.0.0.1:8083

Change the rule afterwards:

proxy rules step2

Enter the folder you want to have calibre-web in (/calibre-web instead of ^ might also works). End the name without a slash, otherwise a call to /calibre-web would go to nowhere. And Add the server variable to the request and give it the same name as the folder above with starting slash (/calibre-web in my example, again without trailing slash)

proxy rules step2

The rewrite rule should look like this:

proxy rules step2

My web.config file looks like this:

proxy rules step2

The crossed out sections aren't needed, they are leftovers from my experiments.

Lighttpd 1.4

Lighttpd 1.4 configuration for a reverse proxy to Calibre-Web to /calibre-web:

The following modules have to be activated: mod_setenv, mod_redirect and mod_proxy. Example is for https connection, to have an normal http frontend, the X-SCHEME line has to be deleted.(?)

$HTTP["url"] =~ "^/calibre-web" {
    setenv.add-request-header = (
        "X-SCRIPT-NAME" => "/calibre-web",
        "X-SCHEME" => "https"
    )
    proxy.server = ( "" => ( ( "host" => "127.0.0.1", "port" => "8083" ) ) )
}

Traefik 2.0.0

traefik.toml:

[log]
  level = "DEBUG"
  filePath = "log-file.log"

[accessLog]
  filePath =  "log-access.log"
  bufferingSize =  100

[providers]
  [providers.file]
    filename = "traefik-proxy.toml"

[entryPoints]
  [entryPoints.web]
    address = ":80"

traefik-proxy.toml:

[http]
    [http.middlewares]
      [http.middlewares.cwHeader.headers]
        [http.middlewares.cwHeader.headers.customRequestHeaders]
            X-Script-Name = "/cw"
      [http.middlewares.cwStrip.stripPrefixRegex]
            regex = ["/cw"]

    [http.routers]
       [http.routers.cw-router]
          rule = "(Host(`127.0.0.1`) && PathPrefix(`/cw`))"
          service = "calibre-web"
          entryPoints = ["web"]
          middlewares = ["cwStrip","cwHeader"]
    [http.services]
          [http.services.cw-router.loadbalancer]
            [[http.services.cw-router.loadbalancer.servers]]
              url = "http://127.0.0.1:8083"

This example is only working for 127.0.0.1 for other hostnames the routing rule has to be extended.