Hello misc@,
I'm currently trying to migrate my nginx setup to relayd, though I
cannot get some things to work properly, and I wonder whether that is due
to me not understanding how to configure it correctly or due to relayd
not supporting my use case.
To be precise: I want to run multiple apps behind a reverse proxy. One
of them is ntfy. With nginx, the config looks like this:
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    location / {
        proxy_pass http://127.0.0.1:8888;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_connect_timeout 3m;
        proxy_send_timeout 3m;
        proxy_read_timeout 3m;
        client_max_body_size 0;
    }
(This is equivalent to the example configuration in the ntfy docs [1])
relayd takes care of Host, Upgrade and Connection with the http
websockets option, and X-Forwarded-For is easily added as a header:
    table <ntfy> { 127.0.0.1 }

    http protocol revproxy {
        tls keypair ...
        tcp { nodelay, sack, socket buffer 65536, backlog 100 }
        http websockets
        return error
        match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
        ...
        pass request quick header "Host" value "ntfy.example" \
            forward to <ntfy>
    }

    relay https {
        listen on 0.0.0.0 port 443 tls
        protocol revproxy
        forward to <ntfy> port 8888
    }
But how do I modify the proxy_{connect,send,read}_timeout variables?
Following relayd.conf(5), I suppose the closest thing is:
    relay https {
        ...
        session timeout 180
    }
But what if I want to leave the session timeout untouched for other
subdomains (applications) that I am proxying with the same protocol / relay?
    table <disco> { 127.0.0.1 }

    http protocol revproxy {
        ...
        pass request quick header "Host" value "disco.example" \
            forward to <disco>
    }

    relay https {
        listen on 0.0.0.0 port 443 tls
        protocol revproxy
        forward to <ntfy> port 8888 session timeout 180
        forward to <disco> port 9999
    }
Specifying session timeout per forward is unfortunately not an option.
And finally, client_max_body_size? ntfy requires this: "Stream request
body to backend" is the annotation in their docs.
Talking about disco, a syncthing discovery server [2] is another item on
my self-hosting bucket list - and I have even less of an idea of how to
make that work:
    server {
        ...
        ssl_verify_client optional_no_ca;

        location / {
            proxy_pass http://127.0.0.1:9999;
            proxy_http_version 1.1;
            proxy_buffering off;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Client-Port $remote_port;
            proxy_set_header X-Forwarded-For \
                $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto \
                $http_x_forwarded_proto;
            proxy_set_header X-SSL-Cert $ssl_client_cert;
        }
    }
That is, can relayd even do this client cert logic?
Not to mention... do I really have to copy-paste each relay block as
soon as I want relayd to be listening on multiple addresses? In nginx,
one can simply say
    listen 443 ssl;
    listen [::]:443 ssl;
... while the equivalent in relayd appears to be ...
    relay https4 {
        listen on 0.0.0.0 port 443 tls
        protocol revproxy
        forward to <ntfy> port 8888
        forward to <disco> port 9999
    }

    relay https6 {
        listen on :: port 443 tls
        protocol revproxy
        forward to <ntfy> port 8888
        forward to <disco> port 9999
    }
... this obviously does not scale at all.
- Christoph
[1] https://docs.ntfy.sh/config/#nginxapache2caddy
[2] https://docs.syncthing.net/users/stdiscosrv.html#nginx