Skip to content

Documentation: Examples of running SurrealDB behind a reverse proxy (nginx, apache, etc) #946

New issue
New issue
Open
Open
Documentation: Examples of running SurrealDB behind a reverse proxy (nginx, apache, etc)#946
Labels
documentationImprovements or additions to documentation
@macjuul

Description

@macjuul
macjuul
opened on Oct 16, 2024

Description

It would be nice to include documentation on running SurrealDB behind a reverse proxy such as Nginx or apache. It is important to forward specific paths, and include the necessary configuration to make web sockets work.

Additionally it would be good to place focus on best practises such as securing instances with SSL certificates.

Example for Nginx:

# Redirect HTTP requests to HTTPS
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    
    return 301 https://$host$request_uri;
}

server {
    server_name [YOUR SERVER];

    listen [::]:443 ssl ipv6only=off default_server;

    location /rpc {
        proxy_pass http://127.0.0.1:8000;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location ~ ^/(status|health|version|import|export|signup|signin|key|sql|graphql|ml) {
        proxy_pass http://127.0.0.1:8000;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    ssl_certificate [SSL CERTIFICATE PATH];
    ssl_certificate_key [SSL KEY PATH];
    ssl_trusted_certificate [SSL CHAIN PATH];
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    
    # intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
}

(this config is untested)

Is there an existing issue for this?

  • I have searched the existing issues

Code of Conduct

  • I agree to follow this project's Code of Conduct

Metadata

Metadata

Assignees

No one assigned

    Labels

    documentationImprovements or additions to documentation

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions