hedgedoc/docs/content/setup/reverse-proxy.md

# Using a Reverse Proxy with HedgeDoc

If you want to use a reverse proxy to serve HedgeDoc, here are the essential configs that you'll have to do.

This documentation will cover HTTPS setup, with comments for HTTP setup.

## HedgeDoc config

[Full explanation of the configuration options](../configuration.md)

| `config.json` parameter | Environment variable | Value | Example |
|-------------------------|----------------------|-------|---------|
| `domain` | `CMD_DOMAIN` | The full domain where your instance will be available | `hedgedoc.example.com` |
| `host` | `CMD_HOST` | An ip or domain name that is only available to HedgeDoc and your reverse proxy | `localhost` |
| `port` | `CMD_PORT` | An available port number on that IP | `3000` |
| `path` | `CMD_PATH` | path to UNIX domain socket to listen on (if specified, `host` or `CMD_HOST` and `port` or `CMD_PORT` are ignored) | `/var/run/hedgedoc.sock` |
| `protocolUseSSL` | `CMD_PROTOCOL_USESSL` | `true` if you want to serve your instance over SSL (HTTPS), `false` if you want to use plain HTTP | `true` |
| `useSSL` |  | `false`, the communications between HedgeDoc and the proxy are unencrypted | `false` |
| `urlAddPort` | `CMD_URL_ADDPORT` | `false`, HedgeDoc should not append its port to the URLs it links | `false` |
| `hsts.enable` | `CMD_HSTS_ENABLE` | `true` if you host over SSL, `false` otherwise | `true` |

## Reverse Proxy config

### Generic

The reverse proxy must allow websocket `Upgrade` requests at path `/sockets.io/`.

It must pass through the scheme used by the client (http or https).

### Nginx

Here is an example configuration for Nginx.

```
map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
}
server {
        server_name hedgedoc.example.com;

        location / {
                proxy_pass http://127.0.0.1:3000;
                proxy_set_header Host $host; 
                proxy_set_header X-Real-IP $remote_addr; 
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
                proxy_set_header X-Forwarded-Proto $scheme;
        }

        location /socket.io/ {
                proxy_pass http://127.0.0.1:3000;
                proxy_set_header Host $host; 
                proxy_set_header X-Real-IP $remote_addr; 
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $connection_upgrade;
        }

    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    ssl_certificate fullchain.pem;
    ssl_certificate_key privkey.pem;
    include options-ssl-nginx.conf;
    ssl_dhparam ssl-dhparams.pem;
}
```

### Apache

You will need these modules enabled: `proxy`, `proxy_http` and `proxy_wstunnel`.  
Here is an example config snippet:

```
<VirtualHost *:443>
  ServerName hedgedoc.example.com

  RewriteEngine on
  RewriteCond %{REQUEST_URI} ^/socket.io             [NC]
  RewriteCond %{HTTP:Upgrade} =websocket [NC]
  RewriteRule /(.*)  ws://127.0.0.1:3000/$1          [P,L]

  ProxyPass / http://127.0.0.1:3000/
  ProxyPassReverse / http://127.0.0.1:3000/

  RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
        
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined

  SSLCertificateFile /etc/letsencrypt/live/hedgedoc.example.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/hedgedoc.example.com/privkey.pem
  Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
```
Move docs into subdirectory to make mkdocs work in a subdirectory Signed-off-by: Tilman Vatteroth <tilman.vatteroth@tu-dortmund.de> (cherry picked from commit eaeb88401d07687eb3db8c273f7a4c0ed31ec153) Signed-off-by: David Mehren <git@herrmehren.de> 2021-01-04 07:07:44 -05:00			`# Using a Reverse Proxy with HedgeDoc`

			`If you want to use a reverse proxy to serve HedgeDoc, here are the essential configs that you'll have to do.`

			`This documentation will cover HTTPS setup, with comments for HTTP setup.`

			`## HedgeDoc config`

			`[Full explanation of the configuration options](../configuration.md)`

			\| `config.json` parameter \| Environment variable \| Value \| Example \|
			`\|-------------------------\|----------------------\|-------\|---------\|`
			\| `domain` \| `CMD_DOMAIN` \| The full domain where your instance will be available \| `hedgedoc.example.com` \|
			\| `host` \| `CMD_HOST` \| An ip or domain name that is only available to HedgeDoc and your reverse proxy \| `localhost` \|
			\| `port` \| `CMD_PORT` \| An available port number on that IP \| `3000` \|
			\| `path` \| `CMD_PATH` \| path to UNIX domain socket to listen on (if specified, `host` or `CMD_HOST` and `port` or `CMD_PORT` are ignored) \| `/var/run/hedgedoc.sock` \|
			\| `protocolUseSSL` \| `CMD_PROTOCOL_USESSL` \| `true` if you want to serve your instance over SSL (HTTPS), `false` if you want to use plain HTTP \| `true` \|
			\| `useSSL` \| \| `false`, the communications between HedgeDoc and the proxy are unencrypted \| `false` \|
			\| `urlAddPort` \| `CMD_URL_ADDPORT` \| `false`, HedgeDoc should not append its port to the URLs it links \| `false` \|
			\| `hsts.enable` \| `CMD_HSTS_ENABLE` \| `true` if you host over SSL, `false` otherwise \| `true` \|

			`## Reverse Proxy config`

			`### Generic`

			The reverse proxy must allow websocket `Upgrade` requests at path `/sockets.io/`.

			`It must pass through the scheme used by the client (http or https).`

			`### Nginx`

			`Here is an example configuration for Nginx.`

			```
			`map $http_upgrade $connection_upgrade {`
			`default upgrade;`
			`'' close;`
			`}`
			`server {`
			`server_name hedgedoc.example.com;`

			`location / {`
			`proxy_pass http://127.0.0.1:3000;`
			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
			`}`

			`location /socket.io/ {`
			`proxy_pass http://127.0.0.1:3000;`
			`proxy_set_header Host $host;`
			`proxy_set_header X-Real-IP $remote_addr;`
			`proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
			`proxy_set_header Upgrade $http_upgrade;`
			`proxy_set_header Connection $connection_upgrade;`
			`}`

			`listen [::]:443 ssl http2;`
			`listen 443 ssl http2;`
			`ssl_certificate fullchain.pem;`
			`ssl_certificate_key privkey.pem;`
			`include options-ssl-nginx.conf;`
			`ssl_dhparam ssl-dhparams.pem;`
			`}`
			```

			`### Apache`

			You will need these modules enabled: `proxy`, `proxy_http` and `proxy_wstunnel`.
			`Here is an example config snippet:`

			```
			`<VirtualHost *:443>`
			`ServerName hedgedoc.example.com`

			`RewriteEngine on`
			`RewriteCond %{REQUEST_URI} ^/socket.io [NC]`
			`RewriteCond %{HTTP:Upgrade} =websocket [NC]`
			`RewriteRule /(.*) ws://127.0.0.1:3000/$1 [P,L]`

			`ProxyPass / http://127.0.0.1:3000/`
			`ProxyPassReverse / http://127.0.0.1:3000/`

			`RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}`

			`ErrorLog ${APACHE_LOG_DIR}/error.log`
			`CustomLog ${APACHE_LOG_DIR}/access.log combined`

			`SSLCertificateFile /etc/letsencrypt/live/hedgedoc.example.com/fullchain.pem`
			`SSLCertificateKeyFile /etc/letsencrypt/live/hedgedoc.example.com/privkey.pem`
			`Include /etc/letsencrypt/options-ssl-apache.conf`
			`</VirtualHost>`
			```