Documentation

Access Tamari from behind a reverse proxy

The following sample configs force SSL, cause Flask's url_for to build URLs using your subdomain instead of localhost, and prevent HTTP resources from being blocked by browsers. An SSL certificate for your domain is required.

Nginx Sample Config

/etc/nginx/conf.d/default.conf

# Plain-HTTP listener: serves no content and only redirects to the HTTPS site.
server {
	listen 80;
	server_name tamari.example.com;

	# The target host comes from the configured server_name rather than from
	# the client's Host header, so the redirect always points at this site.
	return 301 https://$server_name$request_uri;
}
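# HTTPS listener: terminates TLS and proxies to Tamari on the loopback port.
server {
	# The `ssl` parameter on `listen` enables TLS. The separate `ssl on;`
	# directive was dropped: it is redundant here, deprecated since
	# nginx 1.15.0 and rejected as unknown from nginx 1.25.1 onwards.
	listen 443 ssl;
	server_name tamari.example.com;

	# Keep the private key readable only by root / the nginx master process.
	ssl_certificate /etc/ssl/certs/tamari.example.com/fullchain.pem;
	ssl_certificate_key /etc/ssl/certs/tamari.example.com/privkey.pem;

	# Upper bound on request bodies (uploads) accepted by the proxy.
	client_max_body_size 400M;

	location / {
		proxy_pass		http://127.0.0.1:4888;

		# Forward the configured site name instead of the raw client Host
		# header ($http_host). If this is the default server for port 443,
		# requests carrying any Host value land here, and Flask's url_for
		# would build links from whatever the client sent.
		# With several names in server_name, only the first one is forwarded.
		proxy_set_header Host $server_name;

		# $proxy_add_x_forwarded_for appends to any X-Forwarded-For the client
		# supplied; the application should trust only the last entry, which
		# is the one added by this proxy.
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-Proto $scheme;

		# Ask browsers to upgrade http:// subresources instead of blocking them.
		add_header 'Content-Security-Policy' 'upgrade-insecure-requests';

		# Rewrite http:// redirects issued by the backend to https://.
		proxy_redirect http://$server_name/ https://$server_name/;
	}
}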

Traefik Sample Config

/etc/traefik/traefik_dynamic.yml

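http:
  routers:
    # Plain-HTTP router: exists only to redirect to HTTPS.
    tamari-http:
      entryPoints:
        - web
      rule: "Host(`tamari.example.com`)"
      middlewares:
        - redirect-to-https
      # Traefik expects every router to name a service; the redirect
      # middleware answers before the request would reach it.
      service: tamari-service

    # HTTPS router: terminates TLS and forwards to Tamari.
    tamari-https:
      entryPoints:
        - websecure
      rule: "Host(`tamari.example.com`)"
      service: tamari-service
      tls: {}
      middlewares:
        - security-headers
        - fix-host
        - limit-body-size

  middlewares:
    redirect-to-https:
      redirectScheme:
        scheme: https
        permanent: true

    security-headers:
      headers:
        # The headers middleware does not expand placeholders, so the former
        # "{client.ip}" and "{host}" values would have reached Tamari as
        # literal strings. Traefik itself adds X-Forwarded-For and X-Real-Ip
        # for the connecting client, and the Host header is pinned by the
        # fix-host middleware on the same router.
        customRequestHeaders:
          X-Forwarded-Proto: "https"
        customResponseHeaders:
          # Ask browsers to upgrade http:// subresources instead of
          # blocking them.
          Content-Security-Policy: "upgrade-insecure-requests"

    # Pin the Host header seen by Flask to the public name, so url_for never
    # builds links from a client-chosen host.
    fix-host:
      headers:
        customRequestHeaders:
          Host: "tamari.example.com"

    limit-body-size:
      buffering:
        maxRequestBodyBytes: 400000000  # 400MB

  services:
    tamari-service:
      loadBalancer:
        servers:
          # Loopback only: Tamari should not be reachable except through
          # the proxy, otherwise the forwarded headers can be spoofed.
          - url: "http://127.0.0.1:4888"
        passHostHeader: true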

# Certificate and key served for tamari.example.com.
# Keep the private key readable only by the account Traefik runs as.
tls:
  certificates:
    - certFile: '/etc/ssl/certs/tamari.example.com/fullchain.pem'
      keyFile: '/etc/ssl/certs/tamari.example.com/privkey.pem'

/etc/traefik/traefik.yml

# Static configuration: listeners, the dynamic-config provider and logging.
# Entry points are left at their defaults for forwarded headers; do not set
# forwardedHeaders.insecure unless another trusted proxy sits in front.
entryPoints:
  # Plain HTTP; the dynamic config only redirects from here.
  web:
    address: ':80'
  # HTTPS; TLS is terminated here.
  websecure:
    address: ':443'

# Routers, middlewares and services are loaded from this file and reloaded
# whenever it changes, so it should be writable by administrators only.
providers:
  file:
    filename: '/etc/traefik/traefik_dynamic.yml'
    watch: true

log:
  level: INFO

# An empty mapping turns access logging on with default settings.
accessLog: {}