Reverse proxy / load balancing
Collaboration Server On-Premises can be put behind a reverse proxy or load balancer of your choice. A proxy is required to terminate TLS in front of the server and to run the environment at scale, and it is also the natural place to handle traffic to the application server. Besides distributing load between multiple instances of the application, it can front the deployment with a WAF or DDoS mitigation.
# Requirements
Most communication between users and Collaboration Server On-Premises goes over WebSocket, so the chosen reverse proxy or load balancer must support the WebSocket protocol (the HTTP/1.1 `Upgrade` handshake). Keep in mind that WebSocket sessions are long-lived and may idle for longer than a proxy's default timeouts; the examples below raise those timeouts where the proxy needs it.
The `X-Forwarded-Proto` and `Host` headers need to be passed from the reverse proxy to Collaboration Server On-Premises. They are required to generate correct URLs for uploaded images and to make the Management Panel work. Because the server trusts these headers when building public URLs, the proxy should set them itself (overwriting any client-supplied value) rather than forwarding whatever the client sent, and the application port (8000 in the examples) should be reachable only from the proxy, not directly from clients.
If your reverse proxy cannot set these headers, override the external endpoint with the `APPLICATION_EXTERNAL_ENDPOINT` variable so that generated URLs point to the public address.
# NGINX
# Basic configuration
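# Resolve the Connection header per request: "upgrade" during a WebSocket
# handshake, "close" for ordinary HTTP requests. Sending `Connection: Upgrade`
# unconditionally works with most backends but is not what the HTTP/1.1
# upgrade mechanism expects. Define this map once per nginx configuration
# (it belongs to the `http` context).
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    server_name your.domain.name;

    location / {
        # WebSocket support required by Collaboration Server.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Host and X-Forwarded-Proto are used by the server to build public
        # URLs (uploaded images, Management Panel). Set them here so a
        # client-supplied value is never forwarded as-is.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Client address for the application's logs.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # nginx closes an idle proxied connection after 60s by default, which
        # would drop quiet WebSocket sessions; allow long-lived sockets.
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;

        # Only the proxy should be able to reach this port.
        proxy_pass http://127.0.0.1:8000;
    }
}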
# Handling multiple instances
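# Per-request Connection header: "upgrade" for WebSocket handshakes, "close"
# otherwise. Define this map once per nginx configuration (`http` context).
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

upstream ckeditor-cs {
    # Equal weights: requests are distributed round-robin across instances.
    server ckeditor-cs-1.example.com:8000 weight=1;
    server ckeditor-cs-2.example.com:8000 weight=1;
    server ckeditor-cs-3.example.com:8000 weight=1;
}

server {
    listen 80;
    server_name your.domain.name;

    location / {
        # WebSocket support required by Collaboration Server.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Headers the server uses to build public URLs; always set by the
        # proxy, never taken from the client.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Keep idle WebSocket sessions open (nginx default is 60s).
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;

        proxy_pass http://ckeditor-cs;
    }
}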
# Encrypting connection with TLS
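# Per-request Connection header: "upgrade" for WebSocket handshakes, "close"
# otherwise. Define this map once per nginx configuration (`http` context).
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Plain HTTP only redirects to HTTPS; nothing is proxied over port 80.
server {
    listen 80;
    server_name your.domain.name;
    return 301 https://$host$request_uri;
}

server {
    # `ssl on;` is deprecated (and removed in recent nginx releases); the
    # `ssl` parameter of `listen` is the supported way to enable TLS.
    listen 443 ssl;
    server_name your.domain.name;

    ssl_certificate     /etc/ssl/your_cert.crt;
    ssl_certificate_key /etc/ssl/your_cert_key.key;
    # Refuse the legacy protocol versions; relax only if old clients must be supported.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Tell browsers to keep using HTTPS for this host. Enable once TLS is
    # confirmed working, since it cannot be quickly undone on clients.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        # WebSocket support required by Collaboration Server.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # $scheme is "https" here, so the server generates https:// URLs.
        # These headers are set by the proxy, never forwarded from the client.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Keep idle WebSocket sessions open (nginx default is 60s).
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;

        # TLS is terminated here; the hop to the application is plain HTTP,
        # so keep port 8000 bound to localhost or a private network.
        proxy_pass http://127.0.0.1:8000;
    }
}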
# HAProxy
# Basic configuration
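global
    daemon

defaults
    mode http
    timeout connect 5s
    timeout client 120s
    timeout server 120s
    # Once a WebSocket is established HAProxy applies `timeout tunnel` instead
    # of the client/server timeouts; without it idle sessions are cut at 120s.
    timeout tunnel 1h

frontend http-in
    bind *:80
    # set-header overwrites any client-supplied value, so the scheme the
    # Collaboration Server uses to build public URLs cannot be spoofed.
    # The Host header is forwarded to the backend as received.
    http-request set-header X-Forwarded-Proto http
    # Client address for the application's logs.
    option forwardfor
    default_backend servers

backend servers
    # `check` enables health checks so a dead instance is taken out of rotation.
    server server1 127.0.0.1:8000 check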
# Handling multiple instances
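global
    daemon

defaults
    mode http
    timeout connect 5s
    timeout client 120s
    timeout server 120s
    # Keep idle WebSocket sessions alive beyond the 120s client/server timeouts.
    timeout tunnel 1h

frontend http-in
    bind *:80
    # Overwrites any client-supplied value; the server trusts this header.
    http-request set-header X-Forwarded-Proto http
    option forwardfor
    default_backend servers

backend servers
    # Without arguments `option httpchk` sends `OPTIONS /`; point it at a
    # dedicated health endpoint if the server exposes one.
    option httpchk
    server server1 ckeditor-cs-1.example.com:8000 check
    server server2 ckeditor-cs-2.example.com:8000 check
    server server3 ckeditor-cs-3.example.com:8000 check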
# Encrypting connection with TLS
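global
    daemon
    tune.ssl.default-dh-param 2048
    # Refuse TLS 1.0/1.1 on every `ssl` bind.
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    timeout connect 5s
    timeout client 120s
    timeout server 120s
    # Keep idle WebSocket sessions alive beyond the 120s client/server timeouts.
    timeout tunnel 1h

frontend http-in
    bind *:80
    # The PEM file must contain the certificate chain followed by the private key.
    bind *:443 ssl crt /etc/ssl/your_certificate.pem
    # Redirect plaintext requests first; only TLS requests continue to the backend.
    http-request redirect scheme https code 301 unless { ssl_fc }
    # Overwrites any client-supplied value so the scheme cannot be spoofed.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    # Tell browsers to keep using HTTPS for this host; enable once TLS is confirmed working.
    http-response set-header Strict-Transport-Security "max-age=31536000" if { ssl_fc }
    option forwardfor
    default_backend servers

backend servers
    # `check` was missing here while the other HAProxy examples have it.
    # TLS ends at HAProxy; keep the plain-HTTP hop to port 8000 private.
    server server1 127.0.0.1:8000 check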
# Caddy
Caddy obtains TLS certificates and renews them automatically. It also needs no extra configuration for WebSocket connections and forwards the required `Host` and `X-Forwarded-Proto` headers on its own.
# One liner
# Proxies https://your.domain.name (certificate obtained automatically) to the
# Collaboration Server on 127.0.0.1:8000; the server port should not be
# reachable directly from clients.
$ caddy reverse-proxy --from your.domain.name --to 127.0.0.1:8000
# Basic configuration
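# Same host name as the other examples (the original said your.domain.com).
# Caddy terminates TLS here and forwards Host / X-Forwarded-Proto itself.
your.domain.name {
    reverse_proxy 127.0.0.1:8000
}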
# Handling multiple instances
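# Same host name as the other examples. The original listed instance 3 twice
# and omitted instance 2; each instance appears exactly once below.
your.domain.name {
    reverse_proxy ckeditor-cs-1.example.com:8000 ckeditor-cs-2.example.com:8000 ckeditor-cs-3.example.com:8000
}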