guideReverse proxy / load balancing

Collaboration Server On-Premises can be served by a reverse proxy or a load balancer of your choice. It is required for securing communication to the server by the TLS protocol and for handling the environment at scale. Also, it is a good practice to use a reverse proxy to handle the traffic to the application server. Besides distributing load between the multiple instances of an application, it can be used to secure the connection with WAF or prevent DDOS attacks.

# Requirements

The WebSocket protocol handles most of the communication between users and Collaboration Server On-Premises. The chosen reverse proxy or load balancer must support the WebSocket protocol.

The X-Forwarded-Proto and Host headers need to be passed from the reverse proxy to the Collaboration Server On-Premises. These headers are required to handle the generation of uploaded image URLs and to ensure that the Management Panel works correctly.

If your reverse proxy does not support these headers, you can override the external endpoint with the APPLICATION_EXTERNAL_ENDPOINT variable to fix wrong URLs.

# NGINX

# Basic configuration

server {
    listen 80;
    server_name your.domain.name;

    location / {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;

        proxy_pass http://127.0.0.1:8000;
    }
}

# Handling multiple instances

upstream ckeditor-cs {
    server ckeditor-cs-1.example.com:8000 weight=1;
    server ckeditor-cs-2.example.com:8000 weight=1;
    server ckeditor-cs-3.example.com:8000 weight=1;
}

server {
    listen 80;
    server_name your.domain.name;

    location / {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;

        proxy_pass http://ckeditor-cs;
    }
}

# Encrypting connection with TLS

server {
    server_name your.domain.name;

    listen 80;

    return 301 https://$host$request_uri;
}

server {
    server_name your.domain.name;

    listen 443;
    ssl on;
    ssl_certificate /etc/ssl/your_cert.crt;
    ssl_certificate_key /etc/ssl/your_cert_key.key;

    location / {
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;

        proxy_pass http://127.0.0.1:8000;
    }
}

# HAProxy

# Basic configuration

global
    daemon

defaults
    mode http
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

frontend http-in
    bind *:80
    http-request set-header X-Forwarded-Proto http

    default_backend servers

backend servers
    server server1 127.0.0.1:8000 check

# Handling multiple instances

global
    daemon

defaults
    mode http
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

frontend http-in
    bind *:80
    http-request set-header X-Forwarded-Proto http

    default_backend servers

backend servers
    option httpchk

    server server1 ckeditor-cs-1.example.com:8000 check
    server server2 ckeditor-cs-2.example.com:8000 check
    server server3 ckeditor-cs-3.example.com:8000 check

# Encrypting connection with TLS

global
    daemon
    tune.ssl.default-dh-param 2048

defaults
    mode http
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

frontend http-in
    bind *:80
    bind *:443 ssl crt /etc/ssl/your_certificate.pem
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
    redirect scheme https if !{ ssl_fc }

    default_backend servers

backend servers
    server server1 127.0.0.1:8000

# Caddy

Caddy handles automatic TLS certificates and certificates renewal. Also, it requires no additional configuration for WebSocket connections and passes all required headers automatically.

# One liner

$ caddy reverse-proxy --from your.domain.name --to 127.0.0.1:8000

# Basic configuration

your.domain.com {
    reverse_proxy 127.0.0.1:8000
}

# Handling multiple instances

your.domain.com {
    reverse_proxy ckeditor-cs-1.example.com:8000 ckeditor-cs-3.example.com:8000 ckeditor-cs-3.example.com:8000
}