-
-
Notifications
You must be signed in to change notification settings - Fork 170
External Webserver use: Reverse proxy
Reverse-proxy is a function in some webservers where the connection is passed through to a second webserver. This can be used to host multiple HTTP services on a single machine, or routing http traffic to https since HTTP uses port 80 and HTTPS port 443.
Main use-case for use with Plan is easier https set-up and removal of :PORT
from the end of the address.
⚠️ Limited support notice⚠️
If things on this tutorial don't work for you, consult documentation of your webserver. Very limited support will be provided for configuration issues of reverse-proxies.
Table of contents
- Nginx
- Apache
- Cloudflare
- Password bruteforce -guard and whitelist support (X-Forwarded-For)
- Debugging checklist
- Link to nginx documentation
- For subdirectory setup (eg.
address.com/plan/
) see this comment
Following example routes traffic from http to https and utilizes a reverse-proxy (proxy_pass
) to direct traffic to the Plan webserver.
HTTP version:
server {
listen 80;
server_name plan.example.com;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_pass http://127.0.0.1:8804;
}
}
or HTTPS version:
server {
listen 80;
server_name plan.example.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
ssl on;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
server_name plan.example.com;
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_pass http://127.0.0.1:8804;
}
}
❗ On Pterodactyl proxy_pass
needs to be network local address (eg. http://172.18.0.1:8804
), and the port needs to be allocated to 172.18.0.1
Note that this example has installed a certificate with certbot. It is rather painless to install certificate on nginx after the HTTP example one has been set up.
After installing HTTPS on the nginx, you can set up proxy settings for Plan
Credit to Benji, GoedendagMC and Kopo for Apache section.
<VirtualHost *:80>
ServerName plan.example.com
RewriteEngine On
# Traffic routed to https if it is available
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [END,NE,R]
ProxyPreserveHost On
# Prevents certbot certificate http-challenge from being proxied
ProxyPass /.well-known/ !
ProxyPass / http://0.0.0.0:8804/
ProxyPassReverse / http://0.0.0.0:8804/
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName plan.example.com
DocumentRoot "/var/www/html"
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/plan.example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/plan.example.com/privkey.pem
ProxyPreserveHost On
ProxyPass / http://0.0.0.0:8804/
ProxyPassReverse / http://0.0.0.0:8804/
</VirtualHost>
</IfModule>
0.0.0.0:8804
with your server's ip and Plan port (or localhost if running on same machine)
- Enable the needed modules with
a2enmod proxy proxy_http
- Restart the apache webserver
sudo ln -s /etc/apache2/sites-available/plan.example.com.vhost /etc/apache2/sites-enabled/plan.example.com.vhost
sudo a2enmod rewrite proxy proxy_http
systemctl restart apache2
sudo apt update
sudo apt install -y certbot
sudo apt install -y python3-certbot-apache
certbot certonly --apache -d plan.example.com
After installing HTTPS on the Apache, you can set up proxy settings for Plan
Credit to Person0z for this section, and [MACH2Simulations](https://github.com/plan-player-analytics/Plan/issues/3439) for additions
This tutorial assumes you have set up your domain with an A-record and not a multi-level subdomain, eg plan.server.com instead of plan.sub.server.com You may end up with an error of "ERR_SSL_VERSION_OR_CIPHER_MISMATCH" if you use multi-level subdomain, which requires buying a custom certificate. That is not covered by this tutorial.
- Create a tunnel on Cloudflare Zero Trust.
- Get your tunnel token and set it into your VM.
- Map to http://localhost:8804.
- Done.
-
Go to Cloudflare Zero Trust.
-
Access
>Tunnels
>Create Tunnel
-
Type a
Tunnel name
such asPlan
and save tunnel. -
Click the token to copy it.
-
Terminal
> Copy the code that Cloudflare gave you, or the install app, and paste it into terminal and activate it! -
Check if it installed successfully from the terminal output.
-
Go back to
Cloudflare Zero Trust
, if you see your connector, then clickNext
-
Choose your favorite domain name and map to
http://localhost:8804
-
Click
Save
and go to your domain namehttps://<your domain name>
and done!
To keep stuff that relies on IP of the requester functional behind reverse-proxy. This may not be supported by Cloudflare.
- Make sure reverse-proxy is passing request IP in
X-Forwarded-For
header - Make sure Plan can't be accessed without connecting through reverse proxy
- Enable X-Forwarded-For support under Webserver settings in Plan config
- Check that Plan webserver has enabled (on the server console)
- Check that you can access the Plan webserver on the local machine (something like
curl http://127.0.0.1:8804
), if you can't it's likely that your server is in a container (like docker) and the port is not exposed. - Check that you can access the nginx/apache webserver by going to
http://<server_ip>
on the browser. If you're redirected or shown a page you can access. - Check that
Webserver.Alternative_IP
settings in Plan point to the address you put as the reverse-proxyserver_name
or location. (For exampleplan.example.com
orexample.com/plan
) - Check that your DNS A-record is routed properly with
ping example.domain.com
(Look that the output has server ip somewhere)- If you are using something like Cloudflare, I can't help you, ask them or their documentation.
- Check that you nginx configuration does not have some
*
server_name or location that redirects all traffic elsewhere (In these cases you're redirected to wrong place lot of the time)