# Nginx Proxy

Instead of using xpra's builtin proxy server, nginx can be configured as a single point of entry, on a single port.
Just like xpra's proxy, the nginx proxy can provide multiple sessions, potentially on multiple remote backend servers.

This works well with both the html5 client and the regular xpra client with ws:// and wss:// URLs.

## SSL

In these examples, it may be useful to have SSL certificates ready to use.
Having mkcert installed can help to ensure that the certificates generated are trusted locally.
If your package manager did not create any certificates when you installed the xpra server, you can do so now:

```shell
sudo /usr/bin/xpra setup-ssl
```

This command will not overwrite any existing certificates.


## Basic Configuration

### Create the config

The heredoc delimiter is quoted so that the shell does not expand the nginx variables (`$http_upgrade`, `$connection_upgrade`, `$host`) while writing the file:

```shell
cat > /usr/share/nginx/xpra-basic.conf << 'EOF'
events {
}

http {

	# send "Connection: upgrade" only when the client actually requested a WebSocket upgrade
	map $http_upgrade $connection_upgrade {
		default upgrade;
		''	  close;
	}

	server {
		listen 443 ssl;
		listen 80;

		root /usr/share/xpra/www;

		ssl_certificate /etc/xpra/ssl/ssl-cert.pem;
		ssl_certificate_key /etc/xpra/ssl/key.pem;

		location / {
			proxy_pass http://127.0.0.1:10000;

			proxy_http_version 1.1;
			proxy_buffering off;
			proxy_cache_bypass $http_upgrade;
			proxy_set_header Upgrade $http_upgrade;
			proxy_set_header Connection $connection_upgrade;
			proxy_set_header Host $host;
		}
	}
}
EOF
```

Start nginx with the full path to the config file (a relative path would be resolved against nginx's compiled-in prefix):

```shell
sudo nginx -c /usr/share/nginx/xpra-basic.conf
```

### Xpra server

Start an xpra server on port 10000:

```shell
xpra start --bind-tcp=0.0.0.0:10000 --start=xterm
```

(beware: authentication is turned off for simplicity)

Then you can simply open your browser to connect to the session via the nginx proxy:

```shell
xdg-open http://localhost/
```

Or even via https if the certificates are configured correctly:

```shell
xdg-open https://localhost/
```

## Multiple Servers

This example configuration maps different URLs to servers on different ports.

```nginx
events {
}

http {

	# send "Connection: upgrade" only when the client actually requested a WebSocket upgrade
	map $http_upgrade $connection_upgrade {
		default upgrade;
		''	  close;
	}

	server {
		listen 443 ssl;
		listen 80;

		root /usr/share/xpra/www;

		ssl_certificate /etc/xpra/ssl/ssl-cert.pem;
		ssl_certificate_key /etc/xpra/ssl/key.pem;

		proxy_redirect off;
		proxy_http_version 1.1;
		proxy_buffering off;
		proxy_cache_bypass $http_upgrade;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection $connection_upgrade;
		proxy_set_header Host $host;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;

		# strip the URL prefix before handing the request to each backend
		location /xpra1 {
			rewrite /xpra1/(.*) /$1 break;
			proxy_pass http://127.0.0.1:10000;
		}
		location /xpra2 {
			rewrite /xpra2/(.*) /$1 break;
			proxy_pass http://127.0.0.1:10001;
		}
	}
}
```

## Advanced Options

Most of the options below can make the connection more robust and should be applied to the location block that proxies to the xpra server.
However, increasing the timeouts should not be necessary: the xpra protocol already sends its own ping packets every few seconds, which keeps the connection alive.

These options may even introduce new issues, by making it harder for nginx to detect broken connections.

| Option | Recommended value | Purpose |
| --- | --- | --- |
| `proxy_connect_timeout` | unchanged | a lower value can be used to fail faster when xpra servers are already started and initial connections should be fast |
| `proxy_read_timeout` | 10d or more | increase this option to prevent unexpected disconnections |
| `proxy_send_timeout` | 10d | same as `proxy_read_timeout` |
| `limit_except` | `limit_except GET POST { deny all; }` | prevent unwanted http requests from reaching xpra's http server |
| `proxy_socket_keepalive` | unchanged | should not be needed, can be enabled |
| `tcp_nodelay` | on | keep the latency low, this should already be enabled automatically for WebSocket connections |
| `tcp_nopush` | off | may introduce unwanted latency |
| `proxy_no_cache` | 1 | prevent caching of the xpra-html5 client |
| `proxy_cache_bypass` | 1 | prevent caching of the xpra-html5 client |
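As an added example, not taken from the xpra project's own documentation, here is the multiple-server configuration with the table's options applied: the `map` variable drives the `Connection` header, `limit_except` restricts each location to GET and POST, caching of the html5 client is disabled, and the port 80 listener only redirects to TLS (that redirect server is an addition of this example). The timeouts are left at their defaults, as the text advises; paths and ports are the ones used above.

```nginx
events {
}
http {
	# "Connection: upgrade" only for real WebSocket handshakes, "close" otherwise
	map $http_upgrade $connection_upgrade {
		default upgrade;
		''      close;
	}
	# plain http is only used to send clients to the TLS listener (added here, not on the page)
	server {
		listen 80;
		return 301 https://$host$request_uri;
	}
	server {
		listen 443 ssl;
		root /usr/share/xpra/www;
		ssl_certificate /etc/xpra/ssl/ssl-cert.pem;
		ssl_certificate_key /etc/xpra/ssl/key.pem;

		proxy_redirect off;
		proxy_http_version 1.1;
		proxy_buffering off;
		# never serve a stale copy of the html5 client
		proxy_no_cache 1;
		proxy_cache_bypass 1;
		tcp_nodelay on;
		tcp_nopush off;
		# proxy_read_timeout / proxy_send_timeout deliberately left at their defaults: xpra's own pings keep the socket alive
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection $connection_upgrade;
		proxy_set_header Host $host;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;

		location /xpra1 {
			# the html5 client and the WebSocket handshake only need GET and POST
			limit_except GET POST { deny all; }
			rewrite ^/xpra1/(.*)$ /$1 break;
			proxy_pass http://127.0.0.1:10000;
		}
		location /xpra2 {
			limit_except GET POST { deny all; }
			rewrite ^/xpra2/(.*)$ /$1 break;
			proxy_pass http://127.0.0.1:10001;
		}
	}
}
```

Since nginx is now the only entry point, the backends can be started with `--bind-tcp=127.0.0.1:10000` (and `:10001`) instead of `0.0.0.0`, so the unauthenticated xpra ports are reachable only through the proxy.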

The following options should not need to be modified: