YunoHost-Apps / glowingbear_ynh

Glowing Bear package for YunoHost
https://www.glowing-bear.org/
GNU Affero General Public License v3.0

Use NGINX proxying to serve the relay #8

Open decentral1se opened 5 years ago

decentral1se commented 5 years ago

We most likely want to setup proxying for the handling of certificates and avoiding to expose ports.

https://github.com/glowing-bear/glowing-bear/wiki/Proxying-WeeChat-relay-with-a-web-server#nginx

# Set up brute force protection
limit_req_zone $binary_remote_addr zone=weechat:10m rate=5r/m;
server {
    [...] # Your config goes here!
    location /weechat {
        proxy_pass http://localhost:8000/weechat; # Change the port to your relay's
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;   # These two lines ensure that
        proxy_set_header Connection "Upgrade";    # a WebSocket is used
        proxy_read_timeout 604800;                # Prevent idle disconnects
        proxy_set_header X-Real-IP $remote_addr;  # Let WeeChat see the client's IP
        limit_req zone=weechat burst=1 nodelay;   # Brute force prevention
    }
}
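To see what the `limit_req` lines in that snippet actually buy, here is an added example (not code from the glowingbear_ynh package or the Glowing Bear wiki) that models nginx's leaky-bucket `limit_req` in the integer thousandths the module uses internally, and counts how many of a password-guessing client's connection attempts get past `rate=5r/m burst=1 nodelay`. The client address is constructed.

```python
# Added example (not from the glowingbear_ynh package or the Glowing Bear wiki):
# a model of nginx's limit_req leaky bucket, kept in integer thousandths of a
# request exactly as the module stores them, so you can check what
# "rate=5r/m" with "burst=1 nodelay" does to a password-guessing client.

def parse_rate(spec: str) -> int:
    """'5r/m' -> 83, '10r/s' -> 10000: requests per second in thousandths."""
    count, unit = spec.split("r/")
    scale = {"s": 1, "m": 60}[unit]
    return int(count) * 1000 // scale


class LimitReqZone:
    def __init__(self, rate: str, burst: int, nodelay: bool = True) -> None:
        self.rate = parse_rate(rate)
        self.burst = burst * 1000        # burst is also kept in thousandths
        self.nodelay = nodelay
        self.state: dict[str, tuple[int, int]] = {}  # key -> (excess, last_ms)

    def request(self, key: str, now_ms: int) -> str:
        """Return 'ok', 'delayed' or 'rejected' (nginx answers 503 for the last)."""
        if key not in self.state:            # first request from this key always passes
            self.state[key] = (0, now_ms)
            return "ok"
        excess, last = self.state[key]
        elapsed = max(0, now_ms - last)
        # drain at the configured rate, then add the new request
        excess = max(0, excess - self.rate * elapsed // 1000 + 1000)
        if excess > self.burst:
            return "rejected"                # state is not updated on rejection
        self.state[key] = (excess, now_ms)
        return "ok" if self.nodelay or excess == 0 else "delayed"


def accepted_attempts(rate="5r/m", burst=1, attempts=60, interval_ms=1000) -> int:
    """How many of `attempts` connections, spaced interval_ms apart, get through."""
    zone = LimitReqZone(rate, burst)
    client = "203.0.113.7"                   # constructed client address
    return sum(zone.request(client, i * interval_ms) == "ok" for i in range(attempts))


if __name__ == "__main__":
    print(accepted_attempts())               # 6 of 60 attempts reach the relay
```

With the relay's port exposed directly, all 60 attempts in that minute would reach WeeChat's password check; behind this proxy block only 6 do, and a legitimate client that connects once is never delayed.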
decentral1se commented 5 years ago

OTOH, the setup is verrrry simple when just using the port relaying internally without the proxy.

However, the port that Weechat exposes for the relay needs to be publicly accessible.

That's probably not a good thing? I am not sure.

decentral1se commented 5 years ago

Aha, when we set /set relay.network.password YOURPASSWORD and also have a certificate configured and choose to use encryption when we connect, we get a secure connection. Someone who does not know "YOURPASSWORD" will not be able to connect to the relay. So as long as this password is sufficiently secure, this is OK for now. Proxying is most likely the better long-term solution.