Allow Routerfleet to work behind a reverse proxy

[enduring78]

I have most of my stuff on a separate network and have set up a Nginx reverse proxy so I can still access the web UI of some stuff.

However, this does not work with Routerfleet because (I think) it already uses a reverse proxy. Adding a option to directly expose the UI would be nice so I can run my own proxy.

[eduardogsilva]

Hi @enduring78 ,

Just point your reverse proxy to https://server_address (don't forget to use https and not http). If you have any csrf issues, it means that you have a configuration issue in your SERVER_ADDRESS variable (or in your reverse proxy).

[enduring78]

Hi @eduardogsilva,

Thank you for the reply! I edited the variable you mentioned and now it works! I previously set it to the IP address of the machine to still be able to access it without proxy, but I guess I have to choose between the two.

[davehope]

@eduardogsilva Would you be open to reconsidering this?

I use Traefik as a reverse proxy, so all TLS is terminated in one place - making cert management easier. Unfortunately, Traefik doesn't make it all that straightforward to safely trust the cert provided by an upstream device (insecureSkipVerify can't be applied via a label like all other options needed to make this work).

I worked around this by just mounting another nginx conf file into the nginx container so that I had another port listening, that I could then target with my reverse proxy. Perhaps you could do something similar, but not expose it by default so that people can then more easily use their own existing reverse-proxy setup?

[eduardogsilva]

I need to keep the nginx in front of django. Nginx is used to serve the static files. As an alternative solution, I can create a .env variable to disable http -> https redirect and enable serving files from http.

I believe that this will fit for most scenarios, and also will help you. Does it sounds good?

[enduring78]

Hi @eduardogsilva,

Yes, that would be awesome since I can point my Nginx proxy at the HTTP port and make sure nothing else can access it at that port with my firewall.

[davehope]

An environment variable to disable the http redirect and instead serve the static and proxy_pass would definitely work! Thanks.

[eduardogsilva]

Hello there!

Just to give you a ping... it's done! https://github.com/eduardogsilva/routerfleet/discussions/20

You need to update the docker compose file to proper use the new variable! ;)

[davehope]

Thanks @eduardogsilva Your change worked perfectly for me!

  routerfleet-nginx:
    container_name: routerfleet-nginx
    restart: unless-stopped
    image: eduardosilva/routerfleet-nginx:latest
    environment:
      - HTTPS_REDIRECT_POLICY=never
    networks:
      - backend
...
    deploy:
      labels:
      - traefik.enable=true
      - traefik.http.routers.rf.entrypoints=websecure
      - traefik.http.routers.rf.rule=Host(`rf.iwhatever.com`)
      - traefik.http.services.rf.loadbalancer.server.port=80

[eduardogsilva]

Hello @davehope Glad to hear it worked. You could set this variable on your .env file. So in the next time that you upgrade your docker-compose.yml, you won't need to edit again.

Cheers!