Reverse Proxy


updated: 2023-04-24

There are many ways to skin a cat, and a reverse proxy is optional. In most cases, though, using one is recommended if you already have a website up. Below is a common set-up…

Let's say you are serving https://chat.example.net on port 443 and you want to serve a WebCC service at https://chat.example.net/webcc on the same machine where the Apache web server is running. Your configuration might look something like this:

    
    <IfModule mod_ssl.c>
    <VirtualHost *:443> 
        ServerName chat.example.net
        DocumentRoot /some/where/chat.example.net

        Include /your/certificate/options.config
        SSLCertificateFile /your/certificate/chat.example.net/fullchain.pem
        SSLCertificateKeyFile /your/certificate/chat.example.net/key.pem

        <IfModule mod_proxy.c>
            # Forward /webcc to ttyd listening locally on port 7681 (WebSocket)
            ProxyPass /webcc "ws://localhost:7681/webcc"
            ProxyPassReverse /webcc "ws://localhost:7681/webcc"

            # Limit where content may be loaded from and which sites may frame this one
            Header always set Content-Security-Policy "default-src 'self' ; style-src 'unsafe-inline' 'self' *.example.net ; script-src 'unsafe-inline' 'self' *.example.net ; object-src 'none' ; img-src 'self' *.example.net ; frame-src 'self' *.example.net ; font-src 'self' *.example.net ; frame-ancestors 'self' https://example.net ; base-uri 'self' ; form-action 'self' ;"
        </IfModule>

    </VirtualHost>
    </IfModule>
    

With the above, you will need to set ttyd to listen on port 7681. The connection uses Apache's WebSocket tunnel module, so you need to enable it:


    a2enmod wstunnel     

The very long Content-Security-Policy line is necessary to prevent various attacks. Notably, the frame-ancestors directive won't let other websites use your resource: besides the site itself ('self'), it will only allow https://example.net to embed https://chat.example.net/webcc in an <iframe>.
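To see which embedding pages the frame-ancestors part of that policy admits, here is an added example (not part of the original page or of WebCC) that parses the header value and applies a simplified version of the browser's matching rules. The function names are hypothetical, and the matching assumes numeric ports and ignores paths.

```python
from urllib.parse import urlsplit

# Policy value copied from the Header directive in the configuration above.
POLICY = (
    "default-src 'self' ; style-src 'unsafe-inline' 'self' *.example.net ; "
    "script-src 'unsafe-inline' 'self' *.example.net ; object-src 'none' ; "
    "img-src 'self' *.example.net ; frame-src 'self' *.example.net ; "
    "font-src 'self' *.example.net ; frame-ancestors 'self' https://example.net ; "
    "base-uri 'self' ; form-action 'self' ;"
)
DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_csp(policy):
    """Split a CSP value into {directive: [sources]}; the first occurrence wins."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def origin(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    u = urlsplit(url)
    return u.scheme, (u.hostname or ""), u.port or DEFAULT_PORTS.get(u.scheme)

def source_matches(source, ancestor, protected):
    """Simplified source matching: scheme, host (with *. wildcard) and port."""
    source = source.lower()
    if source == "'self'":
        return origin(ancestor) == origin(protected)
    if source == "*":
        return True
    if "://" not in source:  # scheme-less source: assume the protected page's scheme
        source = origin(protected)[0] + "://" + source
    scheme, _, rest = source.partition("://")
    host, _, port = rest.split("/")[0].partition(":")
    a_scheme, a_host, a_port = origin(ancestor)
    host_ok = a_host.endswith(host[1:]) if host.startswith("*.") else a_host == host
    port_ok = a_port == (int(port) if port else DEFAULT_PORTS.get(scheme))
    return scheme == a_scheme and host_ok and port_ok

def frame_allowed(policy, protected, ancestors):
    """Every ancestor in the frame chain must match some frame-ancestors source."""
    sources = parse_csp(policy).get("frame-ancestors")
    if sources is None:  # frame-ancestors does not fall back to default-src
        return True
    return all(any(source_matches(s, a, protected) for s in sources) for a in ancestors)
```

Note that https://www.example.net is rejected: the *.example.net wildcard appears in the fetch directives but not in frame-ancestors, which lists only 'self' and https://example.net.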

I strongly recommend that you look up other documentation to protect your own services.
