Commit
#4435 multiple server proxying and advanced options
totaam committed Dec 9, 2024
1 parent 555d0f1 commit d5b6cad
Showing 2 changed files with 90 additions and 2 deletions.
87 changes: 87 additions & 0 deletions docs/Usage/Nginx-Proxy.md
Expand Up @@ -80,3 +80,90 @@ Or even via https if the certificates are configured correctly:
xdg-open http://localhost/
```
</details>


---


## Multiple Servers

<details>
<summary>show</summary>

This example configuration maps different URLs to servers on different ports.

```
http {
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
listen 443 ssl;
listen 80;
root /usr/share/xpra/www;
ssl_certificate /etc/xpra/ssl/ssl-cert.pem;
ssl_certificate_key /etc/xpra/ssl/key.pem;
proxy_redirect off;
proxy_http_version 1.1;
proxy_buffering off;
proxy_cache_bypass $http_upgrade;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
location /xpra1 {
rewrite /xpra1/(.*) /$1 break;
proxy_pass http://127.0.0.1:10000;
}
location /xpra2 {
rewrite /xpra2/(.*) /$1 break;
proxy_pass http://127.0.0.1:10001;
}
}
}
```
</details>


## Advanced Options

<details>
<summary>show</summary>

Most of the options below can make the connection more robust
and should be applied to the `location` matching the xpra server being proxied for. \
However, increasing the timeouts should not be necessary as the xpra protocol
already includes its own ping packets every few seconds,
which should ensure that the connection is kept alive.

These options may even introduce new issues,
by making it harder for nginx to detect broken connections.

| Option | Recommended value | Purpose |
|--------------------------------------------------------------------------------------------------------------|----------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| [`proxy_connect_timeout`](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_connect_timeout) | unchanged | a lower value can be used to fail faster when xpra servers are already started and initial connections should be fast |
| [`proxy_read_timeout`](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_read_timeout) | 10d | or more, increase this option to prevent unexpected disconnections |
| [`proxy_send_timeout`](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_send_timeout) | 10d | same as `proxy_read_timeout` |
| [`limit_except`](https://nginx.org/en/docs/http/ngx_http_core_module.html#limit_except) | `limit_except GET POST { deny all; }` | prevent unwanted http requests from reaching xpra's http server |
| [`proxy_socket_keepalive`](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_socket_keepalive) | unchanged | should not be needed, can be enabled |
| [`tcp_nodelay`](https://nginx.org/en/docs/http/ngx_http_core_module.html#tcp_nodelay) | on | keep the latency low, this should already be enabled automatically for WebSocket connections |
| [`tcp_nopush`](https://nginx.org/en/docs/http/ngx_http_core_module.html#tcp_nopush) | off | may introduce unwanted latency |
| [`proxy_no_cache`](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_no_cache) | `1` | prevent caching of the xpra-html5 client |
| [`proxy_cache_bypass`](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_bypass) | `1` | prevent caching of the xpra-html5 client |

The following options should not need to be modified:
* [`client_max_body_size`](https://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size) - [does not affect WebSocket connections](https://serverfault.com/questions/1034906/) and all the xpra clients use chunked transfers anyway - as for the xpra-html5 client itself, it is orders of magnitude smaller than the default limit
* [`proxy_intercept_errors`](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_intercept_errors) - once a WebSocket connection is established, http error codes are not used
* [`keepalive_timeout`](https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout) - see `proxy_socket_keepalive` above
* [`send_timeout`](https://nginx.org/en/docs/http/ngx_http_core_module.html#send_timeout) - see `proxy_send_timeout` above


</details>
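Review bot: In the "Multiple Servers" example, `map $http_upgrade $connection_upgrade` is declared but never used, because the header is hardcoded as `proxy_set_header Connection "Upgrade";`. Either switch to `proxy_set_header Connection $connection_upgrade;` so that requests without an `Upgrade` header get `close`, or drop the map. The same `server` block has `listen 80;` next to `listen 443 ssl;` with no redirect, so both proxied locations are also reachable in cleartext; drop port 80 from the example or state why it is there. `location /xpra1` is a prefix match and also catches paths such as `/xpra10`, while `rewrite /xpra1/(.*)` does nothing for a bare `/xpra1`; using `location /xpra1/` would keep the two consistent. In the options table, recommending `10d` for `proxy_read_timeout` and `proxy_send_timeout` contradicts the paragraph above it, which says increasing the timeouts should not be necessary and may make broken connections harder to detect.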
5 changes: 3 additions & 2 deletions docs/Usage/README.md
Expand Up @@ -113,7 +113,8 @@ The local printers should be virtualized on the server.
* [Encodings](Encodings.md) - advanced picture encoding configuration, ie: [NVENC](NVENC.md)
* [Logging](Logging.md) - debugging
* [Security](Security.md) - hardening, options and using xpra for better security
* [Proxy Server](Proxy-Server.md) - using the proxy server as a single entry point
* [Apache Proxy Server](Apache-Proxy.md) - using the apache http server as a proxy
* [Proxy Server](Proxy-Server.md) - using a proxy server as a single entry point
* [Apache Proxy Server](Apache-Proxy.md) - using apache
* [Nginx Proxy Server](Apache-Proxy.md) - using nginx
* [WSL](WSL.md) - Windows Subsystem for Linux
* [Xdummy](Xdummy.md) - the alternative virtual framebuffer
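Review bot: The new `Nginx Proxy Server` entry links to `Apache-Proxy.md`, so it duplicates the Apache link instead of pointing at the `docs/Usage/Nginx-Proxy.md` file this commit extends. Change the target to `Nginx-Proxy.md`.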
