Do I need a reverse proxy for a containerized deployment or not?

[Tronde]

Hi y'all,
As far as I understand the documentation suggestes here and here to use a reverse proxy while the README.md mentions you might not:

Advanced users can load their own TLS certificates using the configuration and Tuwunel can be deployed without a reverse proxy.

That's somewhat confusing to me, so I hope you can help to clear things up. :-)

I would like to deploy Tuwunel as a container as it provides good abstraction from the operating system beneath and good isolation from other processes, enabling me to run several instances easily from the same host. So lets say I deploy it like the example from the docs shows:

docker run -d -p 8448:6167 \
    -v db:/var/lib/tuwunel/ \
    -e TUWUNEL_SERVER_NAME="your.server.name" \
    -e TUWUNEL_ALLOW_REGISTRATION=false \
    --name tuwunel $LINK

On the host the service would be reachable on all available IP addresses and port 8448. Now I have the following questions:

• Where is the best place to place the tls certificate and key inside the container?
• Does the container serves the endpoints /.well-known/matrix/client and /.well-known/matrix/support?
• Do I miss or lose functionality when not using a reverse proxy?
• If someone runs the container deployment without reverse proxy, can you share you example here, please?

Looking forward to reading your replies.

Tronde

[jevolk]

Apologies for not responding sooner. This is not my cup of tea so I hope you can find more from the docs or from others but I will try my best.

Where is the best place to place the tls certificate and key inside the container?

My understanding (from docs and other admins, though I've never done this) is that you have a mount path for your TLS certificates. Then you configure the TUWUNEL_TLS__CERTS environment variable to the path.

Does the container serves the endpoints /.well-known/matrix/client and /.well-known/matrix/support?

This is optionally configured, see the example config which you can also mount or continue to configure as environment variables, using double __ underscore to address the sub-sections like well_known

Do I miss or lose functionality when not using a reverse proxy?

The valuable functionality a reverse proxy like Caddy has is the automated management of certificates. If you have not been provided commercial certificates you can simply run Caddy in another container or the host.