From d5b6cad131ddd641a084ec4edd2f8f2200af5981 Mon Sep 17 00:00:00 2001
From: Antoine Martin
Date: Mon, 9 Dec 2024 21:56:59 +0700
Subject: [PATCH] #4435 multiple server proxying and advanced options
---
 docs/Usage/Nginx-Proxy.md | 87 +++++++++++++++++++++++++++++++++++++++
 docs/Usage/README.md | 5 ++-
 2 files changed, 90 insertions(+), 2 deletions(-)
diff --git a/docs/Usage/Nginx-Proxy.md b/docs/Usage/Nginx-Proxy.md
index 0f38657706..baeba52ffd 100644
--- a/docs/Usage/Nginx-Proxy.md
+++ b/docs/Usage/Nginx-Proxy.md
@@ -80,3 +80,90 @@ Or even via https if the certificates are configured correctly: xdg-open http://localhost/ ```
+
+
+---
+
+
+## Multiple Servers
+
+
+ show
+
+This example configuration maps different URLs to servers on different ports.
+
+```
+http {
+
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
+ server {
+ listen 443 ssl;
+ listen 80;
+
+ root /usr/share/xpra/www;
+
+ ssl_certificate /etc/xpra/ssl/ssl-cert.pem;
+ ssl_certificate_key /etc/xpra/ssl/key.pem;
+
+ proxy_redirect off;
+ proxy_http_version 1.1;
+ proxy_buffering off;
+ proxy_cache_bypass $http_upgrade;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ location /xpra1 {
+ rewrite /xpra1/(.*) /$1 break;
+ proxy_pass http://127.0.0.1:10000;
+ }
+ location /xpra2 {
+ rewrite /xpra2/(.*) /$1 break;
+ proxy_pass http://127.0.0.1:10001;
+ }
+ }
+}
+```
+
+
+
+## Advanced Options
+
+
+ show
+
+Most of the options below can make the connection more robust
+and should be applied to the `location` matching the xpra server being proxied for. \
+However, increasing the timeouts should not be necessary as the xpra protocol
+already includes its own ping packets every few seconds,
+which should ensure that the connection is kept alive.
+
+These options may even introduce new issues,
+by making it harder for nginx to detect broken connections.
+
+| Option | Recommended value | Purpose |
+|--------------------------------------------------------------------------------------------------------------|----------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
+| [`proxy_connect_timeout`](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_connect_timeout) | unchanged | a lower value can be used to fail faster when xpra servers are already started and initial connections should be fast |
+| [`proxy_read_timeout`](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_read_timeout) | 10d | or more, increase this option to prevent unexpected disconnections |
+| [`proxy_send_timeout`](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_send_timeout) | 10d | same as `proxy_read_timeout` |
+| [`limit_except`](https://nginx.org/en/docs/http/ngx_http_core_module.html#limit_except) | `limit_except GET POST { deny all; }` | prevent unwanted http requests from reaching xpra's http server |
+| [`proxy_socket_keepalive`](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_socket_keepalive) | unchanged | should not be needed, can be enabled |
+| [`tcp_nodelay`](https://nginx.org/en/docs/http/ngx_http_core_module.html#tcp_nodelay) | on | keep the latency low, this should already be enabled automatically for WebSocket connections |
+| [`tcp_nopush`](https://nginx.org/en/docs/http/ngx_http_core_module.html#tcp_nopush) | off | 
may introduce unwanted latency |
+| [`proxy_no_cache`](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_no_cache) | `1` | prevent caching of the xpra-html5 client |
+| [`proxy_cache_bypass`](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_cache_bypass) | `1` | prevent caching of the xpra-html5 client |
+
+The following options should not need to be modified:
+* [`client_max_body_size`](https://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size) - [does not affect WebSocket connections](https://serverfault.com/questions/1034906/) and all the xpra clients use chunked transfers anyway - as for the xpra-html5 client itself, it is orders of magnitude smaller than the default limit
+* [`proxy_intercept_errors`](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_intercept_errors) - once a WebSocket connection is established, http error codes are not used
+* [`keepalive_timeout`](https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout) - see `proxy_socket_keepalive` above
+* [`send_timeout`](https://nginx.org/en/docs/http/ngx_http_core_module.html#send_timeout) - see `proxy_send_timeout` above
+
+
+
\ No newline at end of file
diff --git a/docs/Usage/README.md b/docs/Usage/README.md
index 48abc11a82..cff9946bee 100644
--- a/docs/Usage/README.md
+++ b/docs/Usage/README.md
@@ -113,7 +113,8 @@ The local printers should be virtualized on the server.
 * [Encodings](Encodings.md) - advanced picture encoding configuration, ie: [NVENC](NVENC.md)
 * [Logging](Logging.md) - debugging
 * [Security](Security.md) - hardening, options and using xpra for better security
-* [Proxy Server](Proxy-Server.md) - using the proxy server as a single entry point
-* [Apache Proxy Server](Apache-Proxy.md) - using the apache http server as a proxy
+* [Proxy Server](Proxy-Server.md) - using a proxy server as a single entry point
+ * [Apache Proxy Server](Apache-Proxy.md) - using apache
+ * [Nginx Proxy Server](Apache-Proxy.md) - using nginx
 * [WSL](WSL.md) - Windows Subsystem for Linux
 * [Xdummy](Xdummy.md) - the alternative virtual framebuffer