#############
Reverse Proxy
#############

Because we can only expose ports 80 and 443 on our single IP, we need a proxy that directs all the https traffic to the respective applications. We accomplish this using a reverse proxy. It is run by `caddy `_ as the webserver, which makes the whole thing laughably easy. The reverse proxy needs only one directive in the ``Caddyfile``:

.. code-block::

    reverse_proxy {host}:{port}

Adding a new domain
===================

Adding a new domain/service to the reverse proxy is just as simple as adding a new site block to the ``Caddyfile``. Open the ``Caddyfile`` (usually located at ``/root/Caddyfile``) and add the following template (or something similar):

.. code-block::

    {subdomain}.falken-niedersachsen.de {
        reverse_proxy https://{IP of the VM the service is running on}:{port}

        # Optional: add logging for this service. Log as little as possible
        # and mention it in the privacy policy.
        log {
            output file /var/log/caddy/{subdomain}.log {
                roll_keep_for 2d
            }
            format json
            level WARN
        }

        handle_errors {
            respond "{http.error.status_code} {http.error.status_text}"
        }
    }

.. note::

    This should work out of the box for ``*.falken-niedersachsen.de``, because there is a wildcard entry in the DNS zone. For other domains you might need to create a new entry for the subdomain in the zone, pointing to the server's IP (or DynDNS name).

    Also, if you want to use https on the upstream, make sure to import any self-signed certificates the service might use.

Apply the new config by running:

.. code-block:: console

    [root@reverse-proxy: ~] $ caddy reload --config /root/Caddyfile

.. warning::

    Make sure the ``Caddyfile`` you apply contains **all** currently running reverse proxies, since loading it replaces the complete config of caddy. In case you are unsure, check which proxies are running via the admin API: ``curl http://localhost:2019/config/``.

Caddy Setup
===================

This is to document the setup of the reverse proxy container.

First, install caddy via ``apt`` according to the `documentation `_:

.. code-block:: console

    [root@reverse-proxy: ~] $ apt install -y debian-keyring debian-archive-keyring apt-transport-https curl
    [root@reverse-proxy: ~] $ curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/cfg/gpg/gpg.155B6D79CA56EA34.key' | sudo apt-key add -
    [root@reverse-proxy: ~] $ curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/cfg/setup/config.deb.txt?distro=debian&version=any-version' | tee -a /etc/apt/sources.list.d/caddy-stable.list
    [root@reverse-proxy: ~] $ apt update
    [root@reverse-proxy: ~] $ apt install caddy jq  # jq is just a useful tool for analysing json in the console

Since we configure caddy via the API only, switch from the ``caddy`` service to the ``caddy-api`` service:

.. code-block:: console

    [root@reverse-proxy: ~] $ systemctl disable caddy
    [root@reverse-proxy: ~] $ systemctl enable caddy-api
    [root@reverse-proxy: ~] $ systemctl stop caddy
    [root@reverse-proxy: ~] $ systemctl start caddy-api

Then, create the ``Caddyfile`` (where doesn't matter, currently we use ``/root/Caddyfile`` for convenience) and load the config:

.. code-block:: console

    [root@reverse-proxy: ~] $ caddy reload --config /root/Caddyfile
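The warning in the section above says to check which proxies are running before reloading, because a reload replaces the entire running config. The following Python script is an added example, not part of the original runbook or of the Caddy project: it reads the JSON that ``curl http://localhost:2019/config/`` returns, lists every host together with its ``reverse_proxy`` upstreams, and reports hosts that are running now but missing from the ``Caddyfile`` you are about to load. The embedded config and Caddyfile are constructed samples; the hostnames and upstream addresses in them are made up.

```python
"""Check a Caddyfile against the config Caddy is currently running.

A `caddy reload` replaces the whole running config, so any site that is
running but absent from the Caddyfile disappears. This script lists the
host -> upstream pairs in Caddy's JSON config (the output of
`curl http://localhost:2019/config/`) and reports hosts that the given
Caddyfile would drop. Added example; not part of the original runbook.
"""
import json
import re
import urllib.request

# Constructed sample: the JSON Caddy produces after adapting a Caddyfile with
# two site blocks (trimmed to the keys this script reads). Hosts and IPs are made up.
SAMPLE_RUNNING_CONFIG = json.dumps({
    "apps": {"http": {"servers": {"srv0": {"listen": [":443"], "routes": [
        {"match": [{"host": ["cloud.falken-niedersachsen.de"]}],
         "handle": [{"handler": "subroute", "routes": [
             {"handle": [{"handler": "reverse_proxy",
                          "upstreams": [{"dial": "10.0.0.5:443"}]}]}]}],
         "terminal": True},
        {"match": [{"host": ["wiki.falken-niedersachsen.de"]}],
         "handle": [{"handler": "subroute", "routes": [
             {"handle": [{"handler": "reverse_proxy",
                          "upstreams": [{"dial": "10.0.0.6:8080"}]}]}]}],
         "terminal": True},
    ]}}}}
})

# Constructed sample Caddyfile in which the wiki site block was forgotten.
SAMPLE_CADDYFILE = """\
cloud.falken-niedersachsen.de {
    reverse_proxy https://10.0.0.5:443
    handle_errors {
        respond "{http.error.status_code} {http.error.status_text}"
    }
}
"""


def fetch_running_config(url="http://localhost:2019/config/"):
    """Fetch the live config from Caddy's admin API (not used in the sample run)."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.read().decode()


def _collect_upstreams(handlers, out):
    """Walk a route's handler chain, descending into subroutes."""
    for h in handlers:
        if h.get("handler") == "reverse_proxy":
            out.extend(u["dial"] for u in h.get("upstreams", []))
        elif h.get("handler") == "subroute":
            for route in h.get("routes", []):
                _collect_upstreams(route.get("handle", []), out)


def running_hosts(config_json):
    """Map each host matched by an HTTP route to its reverse_proxy upstreams."""
    cfg = json.loads(config_json)
    result = {}
    servers = cfg.get("apps", {}).get("http", {}).get("servers", {})
    for srv in servers.values():
        for route in srv.get("routes", []):
            hosts = [h for m in route.get("match", []) for h in m.get("host", [])]
            upstreams = []
            _collect_upstreams(route.get("handle", []), upstreams)
            for host in hosts:
                result.setdefault(host, []).extend(upstreams)
    return result


def caddyfile_hosts(text):
    """Return the site addresses declared by top-level site blocks in a Caddyfile."""
    hosts = set()
    depth = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        if depth == 0 and line.endswith("{"):
            # Site block header: one or more comma/space separated addresses.
            for addr in line[:-1].replace(",", " ").split():
                addr = re.sub(r"^https?://", "", addr).split(":")[0]
                if addr:
                    hosts.add(addr)
        # Placeholders such as {http.error.status_code} are balanced, so
        # counting braces per line keeps the nesting depth correct.
        depth += line.count("{") - line.count("}")
    return hosts


def dropped_hosts(config_json, caddyfile_text):
    """Hosts that are running now but would vanish after loading this Caddyfile."""
    return sorted(set(running_hosts(config_json)) - caddyfile_hosts(caddyfile_text))


if __name__ == "__main__":
    for host, ups in running_hosts(SAMPLE_RUNNING_CONFIG).items():
        print(f"{host} -> {', '.join(ups)}")
    missing = dropped_hosts(SAMPLE_RUNNING_CONFIG, SAMPLE_CADDYFILE)
    if missing:
        print("WARNING: reload would drop:", ", ".join(missing))
```

On the proxy host you would feed ``fetch_running_config()`` and the contents of ``/root/Caddyfile`` into ``dropped_hosts`` instead of the samples, and only run ``caddy reload`` when the list comes back empty. Running ``caddy validate --config /root/Caddyfile`` first catches syntax errors before they reach the admin API.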