Proxying WeeChat relay with a web server

Grant Wu edited this page Oct 12, 2017 · 13 revisions

Whether there's a nasty firewall in your way or you don't want to have to rotate certificates in more than one place, there are many good reasons to proxy your relay behind your web server. It's easy to do this because the relay's WebSocket endpoint lives at the /weechat path, so only that location needs to be forwarded to the relay and everything else goes to your web server as normal. This way, you can use it on port 443 without issues. Neat, huh?

Things to remember

Ensure that the relay is reachable only via TLS (SSL). You don't want to accidentally connect to it over unencrypted HTTP. (Access to the WeeChat relay means you can do /exec, so anyone who obtains the relay password, for example by sniffing a plaintext connection, can run commands on your server!) Because the web server terminates TLS in the setups below, the relay itself is a plain (non-ssl) relay on a local port; bind it to 127.0.0.1 (the relay.network.bind_address option in WeeChat) so that its plaintext port is not reachable from outside, and always use encryption to connect to your relay.

nginx

An example configuration could look like this; your usual web server configuration goes where the ellipsis ([...]) is:

# Set up brute force protection (limit_req_zone must live in the http context,
# i.e. outside any server block; it tracks clients by source address)
limit_req_zone $binary_remote_addr zone=weechat:10m rate=5r/m;
server {
    [...] # Your config goes here (listen 443 ssl, certificates, ...)
    location /weechat {
        proxy_pass http://localhost:8000/weechat; # Plaintext relay on localhost; change the port to your relay's
        proxy_http_version 1.1;                   # WebSocket upgrades need HTTP/1.1
        proxy_set_header Upgrade $http_upgrade;   # These two lines pass the upgrade
        proxy_set_header Connection "Upgrade";    # through so a WebSocket is used
        proxy_read_timeout 604800;                # Prevent idle disconnects
        proxy_set_header X-Real-IP $remote_addr;  # Let WeeChat see the client's IP
        limit_req zone=weechat burst=1 nodelay;   # Brute force prevention
    }
}

Apache

Make sure the modules proxy and proxy_wstunnel are loaded. Then add the following to your SSL-enabled virtual host configuration (the relay on port 8000 is the plaintext relay; change the port to yours):

ProxyPass "/weechat" "ws://localhost:8000/weechat"
ProxyPassReverse "/weechat" "ws://localhost:8000/weechat"

Caddy

Configuring Caddy as a TLS proxy could not be easier. Add this to your Caddyfile (this is Caddy 1 syntax; Caddy 2 replaced the proxy directive with reverse_proxy):

sub.domain.name { # change to point to your (sub-)domain
    proxy /weechat localhost:9001 { # change to your relay port
        websocket
        timeouts 0 # disables timeouts so idle WebSocket connections are not dropped; a narrower setting might be a better solution
    }
}

As always, Caddy will take care of the certificate automagically!
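Whichever web server you use, the two things worth verifying afterwards are that the proxy really passes the WebSocket upgrade through over TLS (if the Upgrade/Connection headers are dropped, the relay only ever sees a plain HTTP request and Glowing Bear will not connect) and that the relay's bare plaintext port is not reachable from the outside. The script below is an added example, not code from this wiki or from the WeeChat or Glowing Bear projects. It performs only the RFC 6455 handshake and never sends the relay password; the host name, ports 443 and 8000 and the /weechat path are assumptions matching the configurations above, and the sample replies embedded in it are constructed, not captured from a real server.

```python
"""Check that a reverse proxy passes the WeeChat relay WebSocket upgrade through TLS.

Added example for illustration; not part of the wiki page, WeeChat or Glowing Bear.
Assumed: proxy on <host>:443, relay on <host>:8000, endpoint path /weechat.
"""
import base64
import hashlib
import os
import socket
import ssl
import sys

# Fixed GUID from RFC 6455 section 1.3: a real WebSocket server must answer
# Sec-WebSocket-Accept: base64(sha1(client_key + GUID)).
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def expected_accept(client_key):
    """Compute the Sec-WebSocket-Accept value a correct server returns."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_handshake(host, path, client_key):
    """Build the HTTP/1.1 upgrade request a WebSocket client sends first."""
    lines = [
        "GET %s HTTP/1.1" % path,
        "Host: %s" % host,
        "Upgrade: websocket",
        "Connection: Upgrade",
        "Sec-WebSocket-Key: %s" % client_key,
        "Sec-WebSocket-Version: 13",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_response(raw):
    """Split a raw HTTP response into (status code, lower-cased header dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def upgrade_ok(raw, client_key):
    """True only if the reply is a 101 carrying the correct accept value."""
    status, headers = parse_response(raw)
    return (
        status == 101
        and headers.get("upgrade", "").lower() == "websocket"
        and "upgrade" in headers.get("connection", "").lower()
        and headers.get("sec-websocket-accept") == expected_accept(client_key)
    )


def check_live(host, port=443, path="/weechat"):
    """Open a TLS connection to the proxy and attempt the upgrade (no password sent)."""
    client_key = base64.b64encode(os.urandom(16)).decode("ascii")
    ctx = ssl.create_default_context()  # verifies certificate chain and host name
    with socket.create_connection((host, port), timeout=10) as tcp:
        with ctx.wrap_socket(tcp, server_hostname=host) as tls:
            tls.sendall(build_handshake(host, path, client_key))
            raw = tls.recv(4096)
    return upgrade_ok(raw, client_key)


def plaintext_port_reachable(host, port=8000):
    """True if the bare relay port accepts TCP connections from here.
    It should not: with the relay bound to 127.0.0.1 only the proxy can reach it."""
    try:
        with socket.create_connection((host, port), timeout=5):
            return True
    except OSError:
        return False


# Constructed sample data (not captured from a real server), using the example
# key from RFC 6455 section 1.3 so the accept value is the well-known one.
SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="
SAMPLE_101 = (
    b"HTTP/1.1 101 Switching Protocols\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n"
    b"\r\n"
)
# What a proxy that swallowed the upgrade headers hands back: some non-101 reply.
SAMPLE_NOT_UPGRADED = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]
        print("websocket upgrade via TLS works:", check_live(target))
        print("bare relay port reachable from here:", plaintext_port_reachable(target))
    else:
        print("sample 101 accepted:", upgrade_ok(SAMPLE_101, SAMPLE_KEY))
        print("sample 400 accepted:", upgrade_ok(SAMPLE_NOT_UPGRADED, SAMPLE_KEY))
```

Run it as `python3 check_relay_proxy.py sub.domain.name` from a machine outside your network: the first line should be True and the second False. Without an argument it only exercises the constructed samples offline. Note that a 101 proves the proxy forwards the upgrade; it does not prove the relay password is strong or that the rate limit is in place.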
