
Configuring a reverse proxy server

Adam Hooper edited this page Jun 23, 2017 · 5 revisions

Do you want to run your own public Overview server? Overview listens on port 9000, and it doesn't handle SSL. You should use a reverse proxy or load balancer to terminate SSL for Overview.

Configure your load balancer or reverse proxy the same way you would with any web server. Make sure of two things:

  • Overview should receive X-Forwarded-For, so it logs the correct IP addresses.
  • Your load balancer or reverse proxy must not buffer requests. Overview supports multi-gigabyte file uploads, and it supports resuming of small uploads, and buffers break those features.

Here's how to configure some popular servers.

Using haproxy

Overview uses haproxy in production. The default settings are just fine. You should ensure forwardfor is on so that we log clients' IP addresses correctly, but that isn't a critical feature. For instance:

global
  ...

defaults
  ...
  option forwardfor

frontend overview_frontend
  mode http
  default_backend overview_backend
  ...

backend overview_backend
  mode http
  server overview 127.0.0.1:9000
  ...

nginx

Nginx does things by default that can't be good: it serves static files and buffers requests. We don't recommend it for Overview.

To handle large file uploads, you must disable proxy_buffering. Otherwise, when the user uploads a 100MB file, nginx will deny the request and the client will retry the upload forever.

For instance:

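location / {
  proxy_pass http://localhost:9000;

  # ensure nginx doesn't break uploads: proxy_buffering covers responses,
  # proxy_request_buffering covers request bodies, and client_max_body_size 0
  # lifts nginx's default 1m limit on request bodies
  proxy_buffering off;
  proxy_request_buffering off;
  client_max_body_size 0;

  # ensure Overview logs correct IP addresses
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}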
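$proxy_add_x_forwarded_for appends the connecting address to whatever X-Forwarded-For value the client sent, so the leftmost entries of the header are client-controlled. The following Python is an added example, not Overview's code or part of the original page: it picks the address to log by walking the header from the right and stopping at the first hop that is not a known proxy. The function names and the TRUSTED_PROXIES networks are assumptions, and the sample addresses are constructed.

```python
import ipaddress

# Assumption: our own proxies connect from these networks (constructed values).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8")]


def is_trusted(addr):
    """True if addr belongs to one of the proxy networks we operate."""
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_values):
    """Return the address to log for one request.

    peer_addr  -- address of the TCP peer that connected to the application
    xff_values -- every X-Forwarded-For header line received, in order
    """
    peer = ipaddress.ip_address(peer_addr)
    if not is_trusted(peer):
        # The request bypassed our proxy, so the header is client-controlled.
        return str(peer)

    # Flatten repeated header lines and comma-separated lists into one hop list.
    hops = [h.strip() for line in xff_values for h in line.split(",") if h.strip()]

    # Walk from the right: the last entries were appended by our own proxies.
    candidate = peer
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: trust nothing further to the left
        candidate = addr
        if not is_trusted(addr):
            break  # first hop that is not one of our proxies is the client
    return str(candidate)


if __name__ == "__main__":
    # Constructed case: the client sent "1.2.3.4" and nginx appended the real peer.
    print(client_ip("127.0.0.1", ["1.2.3.4, 203.0.113.7"]))
```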

Port forwarding with iptables (Linux)

If you're only using HTTP (you shouldn't -- use HTTPS so you don't send cleartext documents and passwords over the network), you might want your reverse proxy to do nothing more than redirect incoming requests on port 80 to the Overview server on port 9000.

On Linux, you can use iptables for this. First, make sure Overview is running on port 9000: curl localhost:9000. Next, make sure it isn't running on port 80: curl localhost:80 should say the connection has been refused. Then let's work on making curl localhost:80 work:

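sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 9000
sudo iptables -t nat -A OUTPUT -o lo -p tcp --dport 80 -j REDIRECT --to-port 9000

The PREROUTING rule covers requests arriving from the network; the OUTPUT rule covers requests made on the server itself, which never pass through PREROUTING. Presto: curl localhost:80 should work.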

If Overview is running in Docker, you might want a Docker-specific rule. In this example, if your Docker bridge IP is 172.17.0.2, run echo 1 > /proc/sys/net/ipv4/ip_forward and then try this iptables rule:

sudo iptables -t nat -A DOCKER ! -i docker0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.17.0.2:9000

This setup will last until your next reboot. Hopefully you'll install an HTTPS reverse proxy before that.

Overview can redirect

Reverse proxies are often useful for redirecting users who browse to an HTTP URL to an HTTPS one. Amazon Elastic Load Balancer doesn't have that feature, though. So Overview can do it, too.

Set the OV_URL environment variable to your canonical URL: ours, of course, is https://www.overviewdocs.com. When somebody browses to https://overviewdocs.com or http://www.overviewdocs.com -- basically, any URL that isn't https://www.overviewdocs.com -- Overview will respond with a redirect.
