Configuring a reverse proxy server
Do you want to run your own public Overview server? Overview listens on port 9000, and it doesn't handle SSL. You should use a reverse proxy or load balancer to terminate SSL for Overview.
Configure your load balancer or reverse proxy the same way you would with any web server. Be sure:
- Overview should receive X-Forwarded-For, so it logs the correct IP addresses.
- Your load balancer or reverse proxy must not buffer requests. Overview supports multi-gigabyte file uploads, and it supports resuming of small uploads, and buffers break those features.
Here's how to configure some popular servers.
Overview uses haproxy on production. The default settings are just fine. You should ensure forwardfor is on so that we log clients' IP addresses correctly, but that isn't a critical feature. For instance:

    global
        ...
    defaults
        ...
        option forwardfor
    frontend overview_frontend
        mode http
        default_backend overview_backend
        ...
    backend overview_backend
        mode http
        server overview 127.0.0.1:9000
        ...
Nginx does things by default that can't be good: it serves static files and buffers requests. We don't recommend it for Overview.
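To handle large file uploads, you must disable proxy_buffering. Otherwise, when the user uploads a 100MB file, nginx will deny the request and the client will retry the upload forever.
For instance:

    location / {
        proxy_pass http://localhost:9000;
        # ensure nginx doesn't break uploads
        proxy_buffering off;
        # proxy_buffering only covers responses; this directive (nginx 1.7.11+)
        # stops nginx from buffering the request body before passing it on
        proxy_request_buffering off;
        # nginx rejects request bodies over 1 MB by default; 0 removes the limit
        client_max_body_size 0;
        # ensure Overview logs correct IP addresses
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }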
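nginx's $proxy_add_x_forwarded_for appends the connecting address to whatever X-Forwarded-For value the client sent, so only the entries added by proxies you operate can be trusted when reading logs. The following is an added example, not Overview's code, showing one way to pick the address to log; the TRUSTED_PROXIES ranges, function names and sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: networks your own reverse proxies connect from (constructed values).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/8")]


def is_trusted(addr):
    """True if addr belongs to a proxy we operate."""
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer, xff_header):
    """Return the address to log for one request.

    peer: source address of the TCP connection the server accepted.
    xff_header: raw X-Forwarded-For value, or None if absent.
    """
    peer_addr = ipaddress.ip_address(peer)
    # Direct connection from an untrusted host: the header is client-controlled.
    if not is_trusted(peer_addr) or not xff_header:
        return str(peer_addr)
    # Walk right to left: each trusted proxy vouches only for the entry it appended.
    candidate = peer_addr
    for token in reversed(xff_header.split(",")):
        try:
            hop = ipaddress.ip_address(token.strip())
        except ValueError:
            break  # unparseable entry: keep the last address we could verify
        candidate = hop
        if not is_trusted(hop):
            break  # first untrusted hop is the real client; ignore entries to its left
    return str(candidate)


if __name__ == "__main__":
    # Constructed sample: the client sent "6.6.6.6", nginx appended 203.0.113.7.
    print(client_ip("127.0.0.1", "6.6.6.6, 203.0.113.7"))
    # Constructed sample: a request that bypassed the proxy and forged the header.
    print(client_ip("198.51.100.9", "6.6.6.6"))
```

The second sample also shows why port 9000 should accept connections only from the proxy: a request that reaches Overview directly can put anything in the header.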
If you're only using HTTP (you shouldn't -- use HTTPS so you don't send cleartext documents and passwords over the network), you might want your reverse proxy to do nothing more than redirect incoming requests on port 80 to the Overview server on port 9000.
On Linux, you can use iptables for this. First, make sure Overview is running on port 9000: curl localhost:9000. Next, make sure it isn't running on port 80: curl localhost:80 should say the connection has been refused. Then let's work on making curl localhost:80 work:

    sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 9000

Presto: curl localhost:80 should work.
If Overview is running in Docker, you might want a Docker-specific rule. In this example, if your Docker bridge IP is 172.17.0.2, run echo 1 > /proc/sys/net/ipv4/ip_forward and then try this iptables rule:

    sudo iptables -A DOCKER ! -i docker0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 172.17.0.2:9000

This setup will last until your next reboot. Hopefully you'll install an HTTPS reverse proxy before that.
Reverse proxies are often useful for redirecting users who browse to an HTTP URL to an HTTPS one. Amazon Elastic Load Balancer doesn't have that feature, though. So Overview can do it, too.
Set the OV_URL environment variable to your canonical URL: ours, of course, is https://www.overviewdocs.com. When somebody browses to https://overviewdocs.com or http://www.overviewdocs.com -- basically, any URL that isn't https://www.overviewdocs.com -- Overview will respond with a redirect.