Documentation: Examples of running SurrealDB behind a reverse proxy (nginx, apache, etc) #946

Open
2 tasks done
macjuul opened this issue Oct 16, 2024 · 0 comments
Labels
documentation Improvements or additions to documentation

macjuul commented Oct 16, 2024

Description

It would be nice to include documentation on running SurrealDB behind a reverse proxy such as Nginx or Apache. It is important to forward specific paths and include the necessary configuration to make WebSockets work.

Additionally, it would be good to place focus on best practices such as securing instances with SSL certificates.

Example for Nginx:

# Redirect HTTP requests to HTTPS
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    
    return 301 https://$host$request_uri;
}

server {
    server_name [YOUR SERVER];

    listen [::]:443 ssl ipv6only=off default_server;

    location /rpc {
        proxy_pass http://127.0.0.1:8000;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location ~ ^/(status|health|version|import|export|signup|signin|key|sql|graphql|ml) {
        proxy_pass http://127.0.0.1:8000;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    ssl_certificate [SSL CERTIFICATE PATH];
    ssl_certificate_key [SSL KEY PATH];
    ssl_trusted_certificate [SSL CHAIN PATH];
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    
    # intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
}

(this config is untested)

Is there an existing issue for this?

  • I have searched the existing issues

Code of Conduct

  • I agree to follow this project's Code of Conduct
@macjuul macjuul added the documentation Improvements or additions to documentation label Oct 16, 2024
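
The path allowlist in the config above can be checked before deployment. The following is an added example, not part of the original issue or the SurrealDB project: it models, in simplified form, which `location` block would handle a request path, and compares the issue's regex with an assumed stricter variant (`STRICT_REGEX`) that requires the endpoint name to end at `/` or at the end of the path. The sample paths are constructed, and percent-decoding and path normalisation done by nginx are not modelled.

```python
import re
from urllib.parse import urlsplit

# Regex copied from the `location ~` block in the issue's config.
ISSUE_REGEX = r"^/(status|health|version|import|export|signup|signin|key|sql|graphql|ml)"
# Assumed tightening (not from the issue): the name must be followed by "/" or end the path.
STRICT_REGEX = ISSUE_REGEX + r"(/|$)"
# Plain prefix location from the issue's config (carries the WebSocket upgrade headers).
RPC_PREFIX = "/rpc"

# Constructed sample request targets: endpoints from the allowlist and near-misses.
SAMPLES = [
    "/rpc", "/sql", "/sql?ns=test", "/key/person/1", "/ml/import",
    "/", "/sqlite.db", "/keys", "/mlflow", "/rpc-debug",
]


def route(request_target: str, regex: str = ISSUE_REGEX) -> str:
    """Return the location block that would handle the request, or 'none'.

    Simplified model of nginx selection for this config only: a matching
    regex location wins over a plain prefix match, matching is case-sensitive
    and is done on the path without the query string.
    """
    path = urlsplit(request_target).path
    if re.search(regex, path):
        return "http-endpoints"
    if path.startswith(RPC_PREFIX):
        return "rpc-websocket"
    return "none"  # not forwarded to SurrealDB by either location


def compare(samples=SAMPLES):
    """List paths that the issue's regex forwards but the strict one does not."""
    widened = []
    for target in samples:
        if route(target, ISSUE_REGEX) != route(target, STRICT_REGEX):
            widened.append(target)
    return widened


if __name__ == "__main__":
    for target in SAMPLES:
        print(f"{target:16} issue={route(target):15} strict={route(target, STRICT_REGEX)}")
    print("forwarded only by the unanchored regex:", compare())
```

Because `location /rpc` is a prefix match, a path such as `/rpc-debug` is still forwarded under both regexes; `location = /rpc` would restrict it to the exact path.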