ric/uptime-kuma
1
0
Fork 0
mirror of https://github.com/louislam/uptime-kuma.git synced 2025-02-17 09:05:56 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 6

Update Reverse-Proxy.md (#91)

Frank Elsinga 2024-10-09 08:04:36 +02:00 committed by GitHub
parent 354573c0d5
commit 0fd4cf0550
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 287 additions and 286 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

271
Reverse-Proxy.md

@ -4,27 +4,17 @@ Unlike other web apps, Uptime Kuma is based on WebSocket. You need two more head
Uptime Kuma **does not support a subdirectory** such as `http://example.com/uptimekuma`. Please prepare a domain or sub-domain to do that. Uptime Kuma **does not support a subdirectory** such as `http://example.com/uptimekuma`. Please prepare a domain or sub-domain to do that.
- [Nginx](#nginx) > [!TIP]
- [Apache](#apache) > It is recommended to use SSL (HTTPS) with your web-server to avoid MiTM attacks when on a public network. If using caddy these certificates will be auto-generated and updated.
- [Caddy](#caddy) >
- [Caddy with Docker-Compose](#caddy-with-docker-compose) > If using Apache or NGINX, it is recommended to use CertBot to manage SSL for free, it uses Lets Encrypt to get its certificates and keeps them renewed. You can also use your own certificates and place them as shown above. If using CertBot use the "Without SSL" settings and then run certbot on it and it will automatically configure auto-HTTPS redirection.
- [Https-Portal](#https-portal)
- [Nginx Proxy Manager](#nginx-proxy-manager)
- [Synology Builtin Reverse Proxy](#synology-builtin-reverse-proxy)
- [Traefik](#Traefik)
- [Cloudflare](#cloudflare)
- [Cloudflare Tunnels](#cloudflare-tunnels)
- [OpenLiteSpeed](#openlitespeed)
- [HAProxy](#haproxy)
- Others
- [SSL/HTTPS](#sslhttps)
# Nginx - <details><summary>Nginx</summary>
With SSL: With SSL:
```nginx ```nginx
server { server {
listen 443 ssl http2; listen 443 ssl http2;
# Remove '#' in the next line to enable IPv6 # Remove '#' in the next line to enable IPv6
# listen [::]:443 ssl http2; # listen [::]:443 ssl http2;
@ -42,12 +32,12 @@ server {
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade"; proxy_set_header Connection "upgrade";
} }
} }
``` ```
Without SSL: Without SSL:
```nginx ```nginx
server { server {
listen 80; listen 80;
# Remove '#' in the next line to enable IPv6 # Remove '#' in the next line to enable IPv6
# listen [::]:80; # listen [::]:80;
@ -59,12 +49,12 @@ server {
proxy_set_header Connection "upgrade"; proxy_set_header Connection "upgrade";
proxy_set_header Host $host; proxy_set_header Host $host;
} }
} }
``` ```
With SSL (Certbot): With SSL (Certbot):
```nginx ```nginx
server { server {
# If you don't have one yet, you can set up a subdomain with your domain registrar (e.g. Namecheap) # If you don't have one yet, you can set up a subdomain with your domain registrar (e.g. Namecheap)
# Just create a new host record with type='A Record', host='<subdomain>', value='<ip_address>'. # Just create a new host record with type='A Record', host='<subdomain>', value='<ip_address>'.
@ -79,18 +69,27 @@ server {
proxy_set_header Upgrade $http_upgrade; proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade"; proxy_set_header Connection "upgrade";
} }
} }
# Once that's completed, you can run # Once that's completed, you can run
# sudo apt install python3-certbot-nginx # sudo apt install python3-certbot-nginx
# sudo certbot --nginx -d your_domain -d your_subdomain.your_domain -d www.your_domain # sudo certbot --nginx -d your_domain -d your_subdomain.your_domain -d www.your_domain
# And Certbot will auto-populate this nginx .conf file for you, while also renewing your certificates automatically in the future. # And Certbot will auto-populate this nginx .conf file for you, while also renewing your certificates automatically in the future.
``` ```
# Apache
With SSL: </details>
```apache - <details><summary>Nginx Proxy Manager</summary>
<VirtualHost *:443>
Please enable "WebSockets Supports"
</details>
- <details><summary>Apache</summary>
With SSL:
```apache
<VirtualHost *:443>
ServerName sub.domain.com ServerName sub.domain.com
SSLEngine On SSLEngine On
SSLCertificateFile /path/to/ssl/cert/crt SSLCertificateFile /path/to/ssl/cert/crt
@ -104,12 +103,12 @@ With SSL:
RewriteRule /(.*) ws://localhost:3001/$1 [P,L] RewriteRule /(.*) ws://localhost:3001/$1 [P,L]
RewriteCond %{HTTP:Upgrade} !=websocket RewriteCond %{HTTP:Upgrade} !=websocket
RewriteRule /(.*) http://localhost:3001/$1 [P,L] RewriteRule /(.*) http://localhost:3001/$1 [P,L]
</VirtualHost> </VirtualHost>
``` ```
Without SSL: Without SSL:
```apache ```apache
<VirtualHost *:80> <VirtualHost *:80>
ServerName sub.domain.com ServerName sub.domain.com
ProxyPreserveHost on ProxyPreserveHost on
ProxyPass / http://localhost:3001/ ProxyPass / http://localhost:3001/
@ -117,27 +116,31 @@ Without SSL:
RewriteCond %{HTTP:Upgrade} websocket [NC] RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteCond %{HTTP:Connection} upgrade [NC] RewriteCond %{HTTP:Connection} upgrade [NC]
RewriteRule ^/?(.*) "ws://localhost:3001/$1" [P,L] RewriteRule ^/?(.*) "ws://localhost:3001/$1" [P,L]
</VirtualHost> </VirtualHost>
``` ```
# Caddy
```nginx </details>
subdomain.domain.com { - <details><summary>Caddy</summary>
without docker
```nginx
subdomain.domain.com {
reverse_proxy 127.0.0.1:3001 reverse_proxy 127.0.0.1:3001
} }
``` ```
# Caddy with Docker-compose **with Docker-compose
If you run Uptime Kuma using Docker-Compose and don't already have a reverse proxy, this is a simple way to configure Caddy. You only need to replace 'status.example.org' with your domain. If you run Uptime Kuma using Docker-Compose and don't already have a reverse proxy, this is a simple way to configure Caddy. You only need to replace 'status.example.org' with your domain.
```yml ```yml
version: '3' version: '3'
networks: networks:
default: default:
name: 'proxy_network' name: 'proxy_network'
services: services:
uptime-kuma: uptime-kuma:
image: louislam/uptime-kuma:1 image: louislam/uptime-kuma:1
restart: unless-stopped restart: unless-stopped
@ -157,19 +160,20 @@ services:
restart: unless-stopped restart: unless-stopped
environment: environment:
- CADDY_INGRESS_NETWORKS=proxy_network - CADDY_INGRESS_NETWORKS=proxy_network
``` ```
# Https-Portal </details>
- <details><summary>Https-Portal</summary>
Enabling "WEBSOCKET=true", or the equivalent in your docker environment variables will do the trick. Enabling `WEBSOCKET=true`, or the equivalent in your docker environment variables will do the trick.
Link to https-portal Websocket under [Advanced Usage](https://github.com/SteveLTN/https-portal#configure-nginx-through-environment-variables). Link to https-portal Websocket under [Advanced Usage](https://github.com/SteveLTN/https-portal#configure-nginx-through-environment-variables).
Example docker-compose.yml file using Https-Portal: Example docker-compose.yml file using Https-Portal:
```yml ```yml
version: '3.3' version: '3.3'
services: services:
https-portal: https-portal:
image: steveltn/https-portal:1 image: steveltn/https-portal:1
ports: ports:
@ -194,117 +198,114 @@ services:
ports: ports:
- 3001:3001 - 3001:3001
volumes: volumes:
https-portal-data: https-portal-data:
``` ```
Only change "status.domain.com" to your domain Only change "status.domain.com" to your domain
# Nginx Proxy Manager
Please enable "WebSockets Supports"
# Synology Builtin Reverse Proxy </details>
- <details><summary>Synology Builtin Reverse Proxy</summary>
1. Bind IP to localhost when starting Kuma 1. Bind IP to localhost when starting Kuma
```bash ```bash
docker run -d --restart=always -p 127.0.0.1:3002:3001 -v uptime-kuma:/app/data --name uptime-kuma louislam/uptime-kuma:1 docker run -d --restart=always -p 127.0.0.1:3002:3001 -v uptime-kuma:/app/data --name uptime-kuma louislam/uptime-kuma:1
``` ```
2. On your NAS, open *Control Panel* and then *Login Portal* 2. On your NAS, open *Control Panel* and then *Login Portal*
3. Click on *Advanced* 3. Click on *Advanced*
4. Open *Reverse Proxy* 4. Open *Reverse Proxy*
5. Create a new Entry with the following values: 5. Create a new Entry with the following values:
![Reverse Proxy](./img/Synology-reverse-proxy.png) ![Reverse Proxy](./img/Synology-reverse-proxy.png)
6. Click on the tab *Custom Header* 6. Click on the tab *Custom Header*
7. Click `Create` -> `Websockets`, this automatically fills in the required headers for websockets. 7. Click `Create` -> `Websockets`, this automatically fills in the required headers for websockets.
# Traefik # Traefik
```yml ```yml
labels: labels:
- "traefik.enable=true" - "traefik.enable=true"
- "traefik.http.routers.uptime-kuma.rule=Host(`YourOwnHostname`)" - "traefik.http.routers.uptime-kuma.rule=Host(`YourOwnHostname`)"
- "traefik.http.routers.uptime-kuma.entrypoints=https" - "traefik.http.routers.uptime-kuma.entrypoints=https"
- "traefik.http.routers.uptime-kuma.tls=true" - "traefik.http.routers.uptime-kuma.tls=true"
- "traefik.http.routers.uptime-kuma.tls.certresolver=myresolver" - "traefik.http.routers.uptime-kuma.tls.certresolver=myresolver"
- "traefik.http.services.uptime-kuma.loadBalancer.server.port=3001" - "traefik.http.services.uptime-kuma.loadBalancer.server.port=3001"
``` ```
Add the above to your `docker-compose.yml` file and replace "YourOwnHostname" with the hostname you want to use. When setup correctly, Traefik can automatically get a Lets Encrypt certificate for your service. Add the above to your `docker-compose.yml` file and replace "YourOwnHostname" with the hostname you want to use. When setup correctly, Traefik can automatically get a Lets Encrypt certificate for your service.
# Cloudflare
You must enable "WebSockets" in Cloudflare Dashboard: </details>
- <details><summary>Cloudflare</summary>
Cloudflare Dashboard -> Network -> Enable WebSockets You must enable "WebSockets" in Cloudflare Dashboard:
Read more: Cloudflare Dashboard -> Network -> Enable WebSockets
https://github.com/louislam/uptime-kuma/issues/138#issuecomment-890485229
# Cloudflare Tunnels Read more:
https://github.com/louislam/uptime-kuma/issues/138#issuecomment-890485229
It is the easiest way in my opinion. </details>
- <details><summary>Cloudflare Tunnels</summary>
Read more: https://github.com/louislam/uptime-kuma/wiki/Reverse-Proxy-with-Cloudflare-Tunnel It is the easiest way in my opinion.
# OpenLiteSpeed Read more: https://github.com/louislam/uptime-kuma/wiki/Reverse-Proxy-with-Cloudflare-Tunnel
Create a new virtual host through the graphical admin like you normally would. </details>
- <details><summary>OpenLiteSpeed</summary>
**Basic tab** Create a new virtual host through the graphical admin like you normally would.
- Name: `uptime-kuma`
- Virtual Host Root: `/path/to/uptime-kuma`
- Enable Scripts/ExtApps: `Yes`
**External app tab** **Basic tab**
- Add a `web server` app type - Name: `uptime-kuma`
- Name: `uptime-kuma` - Virtual Host Root: `/path/to/uptime-kuma`
- Address: `http://localhost:3001` - Enable Scripts/ExtApps: `Yes`
**Context tab** **External app tab**
- Add a `web server` app type
- Name: `uptime-kuma`
- Address: `http://localhost:3001`
- Add a `proxy` context **Context tab**
- URI: `/`
- Web Server: `[VHost Level]: uptime-kuma` - Add a `proxy` context
- Header Operations: - URI: `/`
- Web Server: `[VHost Level]: uptime-kuma`
- Header Operations:
``` ```
Upgrade websocket Upgrade websocket
Connection upgrade Connection upgrade
``` ```
- Access Allowed: `*` - Access Allowed: `*`
**Web Socket Proxy tab** **Web Socket Proxy tab**
- Add a `Web Socket Proxy Setup` - Add a `Web Socket Proxy Setup`
- URI: `/` - URI: `/`
- Address: `127.0.0.1:3001` - Address: `127.0.0.1:3001`
**SSL tab (if needeed)** **SSL tab (if needeed)**
- Private Key File: `/path/to/ssl/key/privkey.pem` - Private Key File: `/path/to/ssl/key/privkey.pem`
- Certificate File: `/path/to/ssl/cert/fullchain.pem` - Certificate File: `/path/to/ssl/cert/fullchain.pem`
- Chained Certificate: `yes` - Chained Certificate: `yes`
Perform a graceful restart and launch uptime-kuma. Perform a graceful restart and launch uptime-kuma.
# HAProxy </details>
- <details><summary>HAProxy</summary>
No special configuration is required when using HAProxy as a reverse No special configuration is required when using HAProxy as a reverse
proxy although you may wish to add the `timeout tunnel` option to either proxy although you may wish to add the `timeout tunnel` option to either
the `defaults`, `listen`, or `backend` sections. If using the `timeout the `defaults`, `listen`, or `backend` sections. If using the `timeout
tunnel` option, it is also recommended to set `timeout client-fin` to tunnel` option, it is also recommended to set `timeout client-fin` to
handle instances where the client stops responding. handle instances where the client stops responding.
Read more: Read more:
http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#4.2-timeout%20tunnel http://cbonte.github.io/haproxy-dconv/2.4/configuration.html#4.2-timeout%20tunnel
# Others
## SSL/HTTPS </details>
It is recommended to use SSL (HTTPS) with your web-server to avoid MiTM attacks when on a public network. If using caddy these certificates will be auto-generated and updated.
If using Apache or NGINX, it is recommended to use CertBot to manage SSL for free, it uses Lets Encrypt to get its certificates and keeps them renewed. You can also use your own certificates and place them as shown above. If using CertBot use the "Without SSL" settings and then run certbot on it and it will automatically configure auto-HTTPS redirection.