My nginx config. I honestly don't remember the details of all parts of the config, but I do remember having to do something explicit about the websocket connections, which initially were not allowed by the proxy. I should update the documentation of the repo one day, when I get some time :).
```nginx
http {
    upstream tty-server {
        server localhost:8010;
        keepalive 12; # number of connections to keep alive even if idle, if they are opened
    }

    server {
        listen 443 ssl;
        server_name go.tty-share.com;
        # proxy_log_format is a custom log_format defined elsewhere in the http block (not shown here)
        access_log /var/log/nginx/tty-share.access.log proxy_log_format;

        # https://stackoverflow.com/questions/19769072/nginx-times-out-exactly-after-60-seconds?rq=1
        # https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_connect_timeout
        proxy_send_timeout 1600;
        proxy_read_timeout 1600;

        ########### tty-server application
        # the /s/, /ws/ and /static/ locations - all used by the actual tty-server.
        location / {
            proxy_pass http://tty-server;
            proxy_redirect off;
            # WebSocket upgrade only works over HTTP/1.1 to the upstream;
            # without this nginx speaks HTTP/1.0 to the backend and the Upgrade is dropped
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $server_name;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
        }

        ssl_certificate /etc/letsencrypt/live/go.tty-share.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/go.tty-share.com/privkey.pem;
    }
}

stream {
    # https://nginx.org/en/docs/stream/ngx_stream_core_module.html#server
    # the tty-server tcp connection ssl proxy
    server {
        listen 7654 ssl so_keepalive=30m::10;
        proxy_pass localhost:6543;
        ssl_certificate /etc/letsencrypt/live/go.tty-share.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/go.tty-share.com/privkey.pem;
    }
}
```
It basically makes the proxy accept encrypted TCP connections (TLS) on that 7654 port, and forward those to localhost:6543, where my docker container runs. It terminates the TLS connection there, at the proxy, so the connection to the docker container will be plain TCP.
It simply runs this command, and nothing else:

```sh
tty-server --sender_address :6543 --web_address :8010 -url https://go.tty-share.com
```
Dockerfile:

```dockerfile
FROM ubuntu:16.04
EXPOSE 6543 8010
CMD /data/tty-server --sender_address :6543 --web_address :8010 -url https://go.tty-share.com
```
and I run it with:

```sh
docker build --tag tty-server .
docker run -v /data/tty-server:/data/ -p 6543:6543 -p 8010:8010 --restart unless-stopped -d --name tty-server tty-server
```
Roughly, what it does is:

- expect the command line client (tty-share) connections on port 6543, with no TLS (the server doesn't support TLS yet, as I was initially relying on the proxy's TLS support anyway)
- these connections are TLS terminated by the proxy, received on 7654 and forwarded to 6543
- use go.tty-share.com as the URL to give the user, via the tty-share command line (the URL printed when the command starts)
- expect the http+websocket connections on port 8010, these connections being forwarded by the first set of proxy configs. Remember, the proxy has to allow websockets.
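The two things this deployment depends on are easy to get subtly wrong: every proxying `location` needs the WebSocket upgrade directives (including `proxy_http_version 1.1`, which is what makes nginx forward the `Upgrade` header), and every `ssl` listener, in the `http` and the `stream` context, needs both a certificate and a key. The following is an added example (not code from the tty-share project or from the comment above): a small linter that parses an nginx config and reports those gaps. Its parser is a simplification (no `include`, no `#` inside quoted strings), and the embedded config is a constructed sample based on the one above, with `proxy_http_version` and the stream key deliberately left out so that it has something to report.

```python
"""Lint an nginx config for WebSocket-upgrade and TLS-material gaps."""
import re

# Constructed sample, modelled on the comment's config; two defects on purpose.
SAMPLE_CONFIG = """
http {
    upstream tty-server { server localhost:8010; keepalive 12; }
    server {
        listen 443 ssl;
        server_name go.tty-share.com;
        location / {
            proxy_pass http://tty-server;           # note: no proxy_http_version 1.1
            proxy_set_header Host $host;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "Upgrade";
        }
        ssl_certificate /etc/letsencrypt/live/go.tty-share.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/go.tty-share.com/privkey.pem;
    }
}
stream {
    server {
        listen 7654 ssl so_keepalive=30m::10;
        proxy_pass localhost:6543;
        ssl_certificate /etc/letsencrypt/live/go.tty-share.com/fullchain.pem;  # key missing
    }
}
"""

# Same config with both gaps closed; the linter should be silent on it.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "proxy_pass http://tty-server;", "proxy_pass http://tty-server;\n proxy_http_version 1.1;"
).replace(
    "proxy_pass localhost:6543;",
    "proxy_pass localhost:6543;\n ssl_certificate_key /etc/letsencrypt/live/go.tty-share.com/privkey.pem;",
)


def tokenize(text):
    """Drop comments, then split into '{', '}', ';' and (possibly quoted) words."""
    text = re.sub(r"#[^\n]*", "", text)
    return re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+', text)


def parse_block(tokens, pos=0):
    """Return ([(name, args, children_or_None), ...], next_pos) for one brace block."""
    entries, current = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        pos += 1
        if tok == ";":
            if current:
                entries.append((current[0], current[1:], None))
            current = []
        elif tok == "{":
            children, pos = parse_block(tokens, pos)
            entries.append((current[0], current[1:], children))
            current = []
        elif tok == "}":
            break
        else:
            current.append(tok.strip("\"'"))
    return entries, pos


def _simple(entries, name):
    """Argument lists of every simple (non-block) directive called `name` in a block."""
    return [args for n, args, ch in entries if n == name and ch is None]


def _scope(entries, inherited):
    """Effective settings for a block. proxy_http_version and the ssl_* directives
    inherit one by one; proxy_set_header inherits as a whole set only when the
    block defines none itself, which is nginx's own rule for that directive."""
    scope = dict(inherited)
    for directive in ("proxy_http_version", "ssl_certificate", "ssl_certificate_key"):
        found = _simple(entries, directive)
        if found:
            scope[directive] = found[-1][0]
    headers = {a[0].lower(): a[1:] for a in _simple(entries, "proxy_set_header") if a}
    if headers:
        scope["headers"] = headers
    return scope


def lint(text):
    """Return a list of human-readable findings; an empty list means no gaps found."""
    findings = []
    root, _ = parse_block(tokenize(text))

    def walk(entries, inherited, path):
        scope = _scope(entries, inherited)
        label = " > ".join(path)
        block = path[-1].split()[0] if path else ""
        # Any server that listens with 'ssl' must have a certificate and a key in scope.
        if block == "server" and any("ssl" in a for a in _simple(entries, "listen")):
            for directive in ("ssl_certificate", "ssl_certificate_key"):
                if directive not in scope:
                    findings.append(f"{label}: ssl listener without {directive}")
        # Any proxying location must carry the full WebSocket upgrade trio.
        if block == "location" and _simple(entries, "proxy_pass"):
            if scope.get("proxy_http_version") != "1.1":
                findings.append(f"{label}: proxy_http_version 1.1 missing, WebSocket upgrade will fail")
            hdrs = scope.get("headers", {})
            if hdrs.get("upgrade") != ["$http_upgrade"]:
                findings.append(f"{label}: proxy_set_header Upgrade $http_upgrade missing")
            if not hdrs.get("connection"):
                findings.append(f"{label}: proxy_set_header Connection missing")
        for name, args, children in entries:
            if children is not None:
                walk(children, scope, path + [" ".join([name] + args)])

    walk(root, {}, [])
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against a real file with `lint(open("/etc/nginx/nginx.conf").read())` after the `include` directives have been flattened, or keep it as a pre-deploy check next to `nginx -t`, which validates syntax but says nothing about whether a `location` is WebSocket-capable.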