External Webserver use: Reverse proxy
Aurora Lahtela edited this page 2024-03-10 14:50:45 +02:00


External Webserver use: Reverse-proxy

A reverse proxy is a feature of some webservers where an incoming connection is passed through to a second webserver. It can be used to host multiple HTTP services on a single machine, or to route HTTP traffic to HTTPS, since HTTP uses port 80 and HTTPS port 443.

The main use case with Plan is an easier HTTPS set-up and removal of the :PORT suffix from the end of the address.

⚠️ Limited support notice ⚠️
If things in this tutorial don't work for you, consult the documentation of your webserver. Very limited support will be provided for reverse-proxy configuration issues.

Table of contents

  • Nginx
  • Apache
  • Cloudflare
  • Password bruteforce guard and whitelist support (X-Forwarded-For)
  • Debugging checklist

Nginx reverse-proxy

The following examples use a reverse proxy (proxy_pass) to direct traffic to the Plan webserver; the HTTPS version also redirects HTTP traffic to HTTPS.

HTTP version:

server {
    listen 80;
    server_name plan.example.com;

    location / {
        proxy_set_header Host $host;
        # Pass the real client IP on to Plan (needed for the X-Forwarded-For features)
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass http://127.0.0.1:8804;
    }
}

or HTTPS version:

server {
    listen 80;
    server_name plan.example.com;
    # Redirect all plain-HTTP requests to HTTPS
    return 301 https://$host$request_uri;
}
server {
    # "ssl on;" is not needed when listen has the ssl parameter; the directive is deprecated and removed in newer nginx versions
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    server_name plan.example.com;

    location / {
        proxy_set_header Host $host;
        # Pass the real client IP on to Plan (needed for the X-Forwarded-For features)
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass http://127.0.0.1:8804;
    }
}

On Pterodactyl, proxy_pass needs to point to the network-local address (e.g. http://172.18.0.1:8804), and the port needs to be allocated to 172.18.0.1.

Note that this example uses a certificate installed with certbot. It is rather painless to install a certificate on nginx once the HTTP example has been set up.

After installing HTTPS on nginx, you can set up the proxy settings for Plan.

Apache reverse-proxy

Credit to Benji, GoedendagMC and Kopo for Apache section.

<VirtualHost *:80>
  ServerName plan.example.com
  RewriteEngine On
  # Traffic routed to https if it is available
  RewriteCond %{HTTPS} !=on
  RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [END,NE,R]
  ProxyPreserveHost On
  # Prevents certbot certificate http-challenge from being proxied
  ProxyPass /.well-known/ !
  ProxyPass / http://0.0.0.0:8804/
  ProxyPassReverse / http://0.0.0.0:8804/
</VirtualHost>
<IfModule mod_ssl.c>
  <VirtualHost *:443>
    ServerName plan.example.com
    DocumentRoot "/var/www/html"
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/plan.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/plan.example.com/privkey.pem
    ProxyPreserveHost On
    ProxyPass / http://0.0.0.0:8804/
    ProxyPassReverse / http://0.0.0.0:8804/
  </VirtualHost>
</IfModule>

⚠️ Make sure to replace 0.0.0.0:8804 with your server's IP and Plan port (or localhost if Plan runs on the same machine).

Enable the config in apache

  • Link the site config into sites-enabled
  • Enable the needed modules with a2enmod rewrite proxy proxy_http (rewrite is required by the RewriteRule above)
  • Restart the apache webserver

sudo ln -s /etc/apache2/sites-available/plan.example.com.vhost /etc/apache2/sites-enabled/plan.example.com.vhost
sudo a2enmod rewrite proxy proxy_http
systemctl restart apache2

Set up https with apache

sudo apt update
sudo apt install -y certbot
sudo apt install -y python3-certbot-apache
certbot certonly --apache -d plan.example.com

After installing HTTPS on Apache, you can set up the proxy settings for Plan.

Cloudflare Reverse-proxy

Credit to Person0z for this section, and [MACH2Simulations](https://github.com/plan-player-analytics/Plan/issues/3439) for additions

This tutorial assumes you have set up your domain with an A-record and not a multi-level subdomain, e.g. plan.server.com instead of plan.sub.server.com. You may get an "ERR_SSL_VERSION_OR_CIPHER_MISMATCH" error if you use a multi-level subdomain, which requires buying a custom certificate; that is not covered by this tutorial.

Steps:

  1. Create a tunnel on Cloudflare Zero Trust.
  2. Get your tunnel token and set it into your VM.
  3. Map to http://localhost:8804.
  4. Done.

Step by step

  1. Go to Cloudflare Zero Trust.

  2. Access > Tunnels > Create Tunnel

  3. Type a Tunnel name such as Plan and save tunnel.

  4. Click the token to copy it.

  5. Copy the command that Cloudflare gives you (or use the installer app), paste it into a terminal, and run it.

  6. Check if it installed successfully from the terminal output.

  7. Go back to Cloudflare Zero Trust; if you see your connector, click Next.

  8. Choose your domain name and map it to http://localhost:8804.

  9. Click Save, go to https://<your domain name>, and you're done!

Password bruteforce guard and whitelist support (X-Forwarded-For)

To keep features that rely on the requester's IP working behind a reverse proxy (this may not be supported by Cloudflare):

  • Make sure the reverse proxy passes the request IP in the X-Forwarded-For header
  • Make sure Plan can't be accessed without connecting through the reverse proxy (otherwise the header can be set by the client itself)
  • Enable X-Forwarded-For support under the Webserver settings in the Plan config

Debugging step-list for determining the source of a connection issue

  • Check that the Plan webserver is enabled (on the server console)
  • Check that you can access the Plan webserver on the local machine (something like curl http://127.0.0.1:8804); if you can't, it's likely that your server is in a container (like docker) and the port is not exposed.
  • Check that you can access the nginx/apache webserver by going to http://<server_ip> in a browser. If you're redirected or shown a page, the webserver is reachable.
  • Check that the Webserver.Alternative_IP setting in Plan points to the address you put as the reverse-proxy server_name or location (for example plan.example.com or example.com/plan).
  • Check that your DNS A-record resolves properly with ping example.domain.com (look for the server IP in the output).
    • If you are using something like Cloudflare, I can't help you; ask them or consult their documentation.
  • Check that your nginx configuration does not have a wildcard (*) server_name or location that redirects all traffic elsewhere (in these cases you're often redirected to the wrong place).
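As an added example (not part of the Plan project or this wiki), a POSIX shell script that runs the reachability, DNS and header checks from this list together with the "Plan must not be reachable without the proxy" check from the X-Forwarded-For section; SERVER_IP, PROXY_NAME and PLAN_PORT are placeholders you set before running it.

```shell
#!/bin/sh
# Added example, not part of Plan: runs the reachability, DNS and header checks
# from the list above. SERVER_IP, PROXY_NAME, PLAN_PORT are placeholders you set.
# Run on the server for the local/nginx checks; run the direct-access check from
# another machine, because a firewall on the server does not filter its own traffic.
PLAN_PORT="${PLAN_PORT:-8804}"

# http_code URL -> HTTP status code, or 000 when no connection was made
http_code() {
  curl -s -o /dev/null --max-time 5 -w '%{http_code}' "$1" 2>/dev/null || printf '000'
}

# verdict EXPECT CODE -> PASS or FAIL. EXPECT is "open" (a response is expected)
# or "closed" (the connection must fail). Pure function, no network.
verdict() {
  case "$1:$2" in
    open:000 | closed:[1-9]*) printf 'FAIL' ;;
    *)                        printf 'PASS' ;;
  esac
}

# dns_has_ip NAME IP -> true if NAME has an A record for IP
dns_has_ip() {
  getent ahostsv4 "$1" 2>/dev/null | awk '{ print $1 }' | grep -qx "$2"
}

# proxy_sets_xff -> true if the nginx config on stdin forwards the client IP;
# feed it "nginx -T". (Apache's mod_proxy_http adds the header on its own.)
proxy_sets_xff() {
  grep -Eq '^[[:space:]]*proxy_set_header[[:space:]]+X-Forwarded-For[[:space:]]'
}

report() { printf '%-48s %s\n' "$1" "$2"; }

run_checks() {
  report "Plan answers on 127.0.0.1:$PLAN_PORT" \
    "$(verdict open "$(http_code "http://127.0.0.1:$PLAN_PORT/")")"
  report "proxy answers on http://$SERVER_IP/" \
    "$(verdict open "$(http_code "http://$SERVER_IP/")")"
  report "Plan NOT reachable directly at $SERVER_IP:$PLAN_PORT" \
    "$(verdict closed "$(http_code "http://$SERVER_IP:$PLAN_PORT/")")"
  dns_has_ip "$PROXY_NAME" "$SERVER_IP" && r=PASS || r=FAIL
  report "$PROXY_NAME resolves to $SERVER_IP" "$r"
  nginx -T 2>/dev/null | proxy_sets_xff && r=PASS || r="FAIL (or not nginx)"
  report "nginx passes X-Forwarded-For to Plan" "$r"
}

if [ -n "${SERVER_IP:-}" ] && [ -n "${PROXY_NAME:-}" ]; then run_checks
else echo "usage: SERVER_IP=<public ip> PROXY_NAME=plan.example.com sh $0"; fi
```

A FAIL on the direct-access line means the Plan port is open to the internet, so a client could send its own X-Forwarded-For value and bypass the IP-based guard; close the port in the firewall or bind Plan to 127.0.0.1 before enabling that setting.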