Access Tamari from behind a reverse proxy
The following sample configs force SSL, cause Flask's url_for to build URLs using the subdomain instead of localhost, and prevent http resources from being blocked by browsers. An SSL certificate for your domain is required.
Nginx Sample Config
/etc/nginx/conf.d/default.conf
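# Plain-HTTP listener: its only job is to send every request to HTTPS.
server {
    listen 80;
    server_name tamari.example.com;
    return 301 https://tamari.example.com$request_uri;
}

server {
    # "listen ... ssl" is what enables TLS on this socket. The separate
    # "ssl on;" directive is obsolete (deprecated since nginx 1.15.0 and
    # rejected by 1.25.1 and later), so it is not used here.
    listen 443 ssl;
    server_name tamari.example.com;

    ssl_certificate /etc/ssl/certs/tamari.example.com/fullchain.pem;
    ssl_certificate_key /etc/ssl/certs/tamari.example.com/privkey.pem;

    # Upload cap; larger request bodies are rejected with 413.
    client_max_body_size 400M;

    location / {
        proxy_pass http://127.0.0.1:4888;

        # Pass the public Host through so Flask url_for builds links with the
        # real domain instead of 127.0.0.1:4888.
        proxy_set_header Host $http_host;

        # $proxy_add_x_forwarded_for APPENDS the connecting address to any
        # X-Forwarded-For the client itself supplied; the app must only trust
        # the right-most (proxy-added) entry when deriving the client IP.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;

        # Tells Flask the request arrived over https so generated URLs use that scheme.
        proxy_set_header X-Forwarded-Proto $scheme;

        # Browsers upgrade any http:// subresource to https://, avoiding
        # mixed-content blocking.
        add_header 'Content-Security-Policy' 'upgrade-insecure-requests';

        # Rewrite Location/Refresh headers the backend emits with an http:// origin.
        proxy_redirect http://$http_host/ https://$http_host/;
    }
}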
Traefik Sample Config
/etc/traefik/traefik_dynamic.yml
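http:
  routers:
    # Port-80 router: exists only to bounce clients to HTTPS.
    tamari-http:
      entryPoints:
        - web
      rule: "Host(`tamari.example.com`)"
      middlewares:
        - redirect-to-https
      # Traefik requires every router to name a service, even one that only
      # redirects; the redirect middleware answers before the service is reached.
      service: tamari-service

    tamari-https:
      entryPoints:
        - websecure
      rule: "Host(`tamari.example.com`)"
      service: tamari-service
      tls: {}
      # Middlewares run in the order listed.
      middlewares:
        - security-headers
        - fix-host
        - limit-body-size

  middlewares:
    redirect-to-https:
      redirectScheme:
        scheme: https
        permanent: true

    security-headers:
      headers:
        # Traefik itself sets X-Forwarded-For, X-Real-IP and X-Forwarded-Proto
        # from the real connection. customRequestHeaders values are static
        # strings, not templates, so "{client.ip}"-style placeholders would be
        # forwarded verbatim and hide the real client address from the app;
        # those entries are intentionally absent here.
        customRequestHeaders:
          X-Forwarded-Proto: "https"
        customResponseHeaders:
          # Browsers upgrade http:// subresources to https://, avoiding
          # mixed-content blocking.
          Content-Security-Policy: "upgrade-insecure-requests"

    # Pins the Host seen by Flask so url_for builds links with the public domain.
    fix-host:
      headers:
        customRequestHeaders:
          Host: "tamari.example.com"

    limit-body-size:
      buffering:
        maxRequestBodyBytes: 400000000  # 400 MB decimal (nginx "400M" is 419430400 bytes)

  services:
    tamari-service:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:4888"
        passHostHeader: true

tls:
  certificates:
    - certFile: "/etc/ssl/certs/tamari.example.com/fullchain.pem"
      keyFile: "/etc/ssl/certs/tamari.example.com/privkey.pem"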
/etc/traefik/traefik.yml
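# Static configuration: listeners plus the location of the dynamic config.
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
    # NOTE(review): with no forwardedHeaders.trustedIPs/insecure setting on
    # the entry point, Traefik replaces client-supplied X-Forwarded-* headers
    # with values from the real connection - the safe default when nothing
    # sits in front of Traefik; confirm against your deployment.

providers:
  file:
    filename: "/etc/traefik/traefik_dynamic.yml"
    # Re-read the dynamic file on change without a restart.
    watch: true

log:
  level: INFO

# Empty mapping enables access logging with Traefik's defaults.
accessLog: {}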