gtsocial-umbx

Unnamed repository; edit this file 'description' to name the repository.
Log | Files | Refs | README | LICENSE

index.md (2346B)

      1 # Reverse proxy
      2 
      3 GoToSocial can be exposed directly to the internet. However, many folks prefer to have a reverse proxy handle connections from the outside instead. This can also give greater control over TLS configurations and enables some more advanced scenario's like asset caching.
      4 
      5 ## General procedure
      6 
      7 In order to use a reverse-proxy, you'll typically want to do a few things:
      8 
      9 * Configure some way to get TLS certificates for the host domain
     10 * Bind GoToSocial to a local IP instead of a public IP and a non-priviledged port. Adjust the `bind-address` and `port` configuration options
     11 * Disable Lets Encrypt in GoToSocial if you were using it. Set `letsencrypt-enabled` to `false`
     12 * Configure the reverse proxy to handle TLS and proxy requests to GoToSocial
     13 
     14 !!! warning
     15     Do not change the value of the `host` configuration option. This needs to remain the actual domain name the instance is running on as seen by other instances on the internet. Instead, change the `bind-address` and update the `port` and `trusted-proxies`.
     16 
     17 ### Container
     18 
     19 When you deploy GoToSocial using our [example Docker Compose guide](../installation/container.md), it will bind to port `443` by default as it assumes you want to directly expose it to the internet. In order to run it behind a reverse proxy, you need to change that.
     20 
     21 In the compose file:
     22 
     23 * Comment out the `- "443:8080"` line in the `ports` definition
     24 * If you had enabled Lets Encrypt support:
     25     * Comment out the `- "80:80"` line in the `ports` definition
     26     * Set `GTS_LETSENCRYPT_ENABLED` back to `"false"` or comment it out
     27 * Uncomment the `- "127.0.0.1:8080:8080"` line instead
     28 
     29 This now causes Docker to only forward connections on `127.0.0.1` on port `8080` to the container, effectively isolating it from the outside world. You can now tell your reverse-proxy to send requests there instead.
     30 
     31 ## Guides
     32 
     33 We have guides available for the following servers:
     34 
     35 * [nginx](nginx.md)
     36 * [Apache httpd](apache-httpd.md)
     37 * [Caddy 2](caddy.md)
     38 
     39 ## WebSockets
     40 
     41 When using a reverse-proxy, special care must be taken to allow WebSockets to work too. This is necessary as many client applications use WebSockets to stream your timeline. WebSockets is not used as part of federation.
     42 
     43 Make sure you read the [WebSocket](websocket.md) documentation and configure your reverse proxy accordingly.