Reverse proxy / load balancing

Collaboration Server On-Premises can be served behind a reverse proxy or a load balancer of your choice. One is required to secure communication with the server using the TLS protocol and to run the environment at scale. Using a reverse proxy to handle traffic to the application server is also good practice: besides distributing load between multiple instances of the application, it can be used to secure the connection with a WAF or to prevent DDoS attacks.

Requirements

The WebSocket protocol handles most of the communication between users and Collaboration Server On-Premises. The chosen reverse proxy or load balancer must support the WebSocket protocol.

The X-Forwarded-Proto and Host headers need to be passed from the reverse proxy to the Collaboration Server On-Premises. These headers are required to handle the generation of uploaded image URLs and to ensure that the Management Panel works correctly.

Note

If your reverse proxy does not support these headers, you can override the external endpoint with the APPLICATION_EXTERNAL_ENDPOINT variable to fix wrong URLs.

NGINX

Basic configuration

server {
    listen 80;
    server_name your.domain.name;

    location / {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;

        proxy_pass http://127.0.0.1:8000;
    }
}

Handling multiple instances

upstream ckeditor-cs {
    server ckeditor-cs-1.example.com:8000 weight=1;
    server ckeditor-cs-2.example.com:8000 weight=1;
    server ckeditor-cs-3.example.com:8000 weight=1;
}

server {
    listen 80;
    server_name your.domain.name;

    location / {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;

        proxy_pass http://ckeditor-cs;
    }
}

Encrypting connection with TLS

server {
    server_name your.domain.name;

    listen 80;

    return 301 https://$host$request_uri;
}

server {
    server_name your.domain.name;

    # TLS is enabled on the listen directive; the separate "ssl on;" directive is obsolete.
    listen 443 ssl;
    ssl_certificate /etc/ssl/your_cert.crt;
    ssl_certificate_key /etc/ssl/your_cert_key.key;

    location / {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;

        proxy_pass http://127.0.0.1:8000;
    }
}
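
The following Python check is an added example, not part of the original documentation or the product. It inspects each proxied location block of an NGINX configuration for the requirements stated on this page: the WebSocket upgrade headers, HTTP/1.1 to the upstream, and the Host and X-Forwarded-Proto headers. The function names and both sample configurations are constructed for illustration, and the parser assumes simple prefix locations without nested blocks.

```python
import re

# Requirements from this page; None means any value is accepted.
REQUIRED = {"upgrade": "$http_upgrade", "connection": "upgrade",
            "host": None, "x-forwarded-proto": None}

# Constructed sample inputs (not taken from a real deployment).
GOOD_CONF = """
server {
    location / {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_pass http://127.0.0.1:8000;
    }
}
"""
BAD_CONF = """
server {
    location / {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "close";  # breaks the WebSocket handshake
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8000;
    }
}
"""

def check_location(body):
    """Return a sorted list of problems found in one location body."""
    body = re.sub(r"#.*", "", body)  # ignore comments
    found = {n.lower(): v.strip().strip("\"'")
             for n, v in re.findall(r"proxy_set_header\s+(\S+)\s+([^;]+);", body)}
    problems = [f"missing proxy_set_header {n}" for n in REQUIRED if n not in found]
    problems += [f"{n} is {found[n]!r}, expected {want!r}"
                 for n, want in REQUIRED.items()
                 if want and n in found and found[n].lower() != want]
    if not re.search(r"proxy_http_version\s+1\.1\s*;", body):
        problems.append("proxy_http_version 1.1 not set")
    return sorted(problems)

def audit(conf):
    """Map each location that proxies to an upstream to its problems."""
    blocks = re.findall(r"location\s+(\S+)\s*\{([^{}]*)\}", conf)
    return {path: check_location(body) for path, body in blocks if "proxy_pass" in body}
```

Calling audit() on the text of a configuration file returns an empty list for every location that meets the requirements, so it can gate a deployment before the proxy is reloaded.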

HAProxy

Basic configuration

global
    daemon

defaults
    mode http
    timeout connect 5s
    timeout client 120s
    timeout server 120s

frontend http-in
    bind *:80
    http-request set-header X-Forwarded-Proto http

    default_backend servers

backend servers
    server server1 127.0.0.1:8000 check

Handling multiple instances

global
    daemon

defaults
    mode http
    timeout connect 5s
    timeout client 120s
    timeout server 120s

frontend http-in
    bind *:80
    http-request set-header X-Forwarded-Proto http

    default_backend servers

backend servers
    option httpchk

    server server1 ckeditor-cs-1.example.com:8000 check
    server server2 ckeditor-cs-2.example.com:8000 check
    server server3 ckeditor-cs-3.example.com:8000 check

Encrypting connection with TLS

global
    daemon
    tune.ssl.default-dh-param 2048

defaults
    mode http
    timeout connect 5s
    timeout client 120s
    timeout server 120s

frontend http-in
    bind *:80
    bind *:443 ssl crt /etc/ssl/your_certificate.pem
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
    redirect scheme https if !{ ssl_fc }

    default_backend servers

backend servers
    server server1 127.0.0.1:8000

Caddy

Caddy obtains and renews TLS certificates automatically. It also requires no additional configuration for WebSocket connections and passes all required headers automatically.

One-liner

$ caddy reverse-proxy --from your.domain.name --to 127.0.0.1:8000

Basic configuration

your.domain.com {
    reverse_proxy 127.0.0.1:8000
}

Handling multiple instances

your.domain.com {
    reverse_proxy ckeditor-cs-1.example.com:8000 ckeditor-cs-2.example.com:8000 ckeditor-cs-3.example.com:8000
}