Reverse proxy
F7cloud can be run through a reverse proxy, which can cache static assets such as images, CSS or JS files, move the load of handling HTTPS to a different server or load balance between multiple servers.
Defining trusted proxies
For security, you must explicitly define the proxy servers that F7cloud is to
trust. Connections from trusted proxies will be specially treated to get the
real client information, for use in access control and logging. Parameters are
configured in config/config.php.
Set the trusted_proxies parameter as an array of:
IPv4 addresses
IPv4 ranges in CIDR notation
IPv6 addresses
IPv6 ranges in CIDR notation
to define the servers F7cloud should trust as proxies. This parameter provides protection against client spoofing, and you should secure those servers as you would your F7cloud server.
A reverse proxy can define HTTP headers with the original client IP address, and F7cloud can use those headers to retrieve that IP address. F7cloud uses the de-facto standard header ‘X-Forwarded-For’ by default, but this can be configured with the forwarded_for_headers parameter. This parameter is an array of PHP lookup strings, for example ‘X-Forwarded-For’ becomes ‘HTTP_X_FORWARDED_FOR’. Incorrectly setting this parameter may allow clients to spoof their IP address as visible to F7cloud, even when going through the trusted proxy! The correct value for this parameter is dependent on your proxy software.
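The trust decision described above, sketched as a simplified Python model; this is an added example, not F7cloud's own code. It assumes the proxy overwrites the forwarded header (so the first entry is taken), and the sample requests and the HTTP_X_REAL_IP header name are constructed for illustration.

```python
import ipaddress

def is_trusted(remote_addr, trusted_proxies):
    """True if remote_addr equals or lies inside an entry (address or CIDR range)."""
    addr = ipaddress.ip_address(remote_addr)
    for entry in trusted_proxies:
        net = ipaddress.ip_network(entry, strict=False)
        if addr.version == net.version and addr in net:
            return True
    return False

def client_ip(server, trusted_proxies, forwarded_for_headers=("HTTP_X_FORWARDED_FOR",)):
    """Model: forwarding headers count only when the TCP peer is a trusted proxy."""
    remote = server["REMOTE_ADDR"]
    if not is_trusted(remote, trusted_proxies):
        return remote  # header sent by an untrusted peer is ignored
    for name in forwarded_for_headers:
        # Assumption of this model: the proxy overwrites the header, so its
        # first entry is the client address the proxy itself observed.
        candidate = server.get(name, "").split(",")[0].strip()
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            continue  # header absent or malformed: try the next configured one
    return remote

# Constructed requests (documentation address ranges), as PHP-style $_SERVER dicts.
DIRECT_SPOOF = {"REMOTE_ADDR": "203.0.113.9", "HTTP_X_FORWARDED_FOR": "192.0.2.1"}
VIA_PROXY = {"REMOTE_ADDR": "10.0.0.1", "HTTP_X_FORWARDED_FOR": "198.51.100.7"}
# The proxy sets X-Forwarded-For but passes a client-supplied X-Real-IP through.
VIA_PROXY_EXTRA = dict(VIA_PROXY, HTTP_X_REAL_IP="192.0.2.1")

def scenarios():
    good = ["10.0.0.1"]
    return {
        "direct, header ignored": client_ip(DIRECT_SPOOF, good),
        "via trusted proxy": client_ip(VIA_PROXY, good),
        "trusted_proxies too broad": client_ip(DIRECT_SPOOF, ["0.0.0.0/0"]),
        "wrong forwarded_for_headers": client_ip(VIA_PROXY_EXTRA, good, ["HTTP_X_REAL_IP"]),
    }

if __name__ == "__main__":
    for label, ip in scenarios().items():
        print(f"{label:30} -> {ip}")
```

The last two scenarios return the client-chosen address 192.0.2.1: one because every peer is treated as a proxy, the other because the configured header is not the one the proxy controls.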
Overwrite parameters
The automatic hostname, protocol or webroot detection of F7cloud can fail in
certain reverse proxy situations. This configuration allows the automatic detection
to be manually overridden. If F7cloud fails to automatically detect the hostname, protocol
or webroot you can use the overwrite parameters inside the config/config.php.
overwritehost: set the hostname of the proxy. You can also specify a port.
overwriteprotocol: set the protocol of the proxy. You can choose between the two options http and https.
overwritewebroot: set the absolute web path of the proxy to the F7cloud folder.
overwritecondaddr: overwrite the values dependent on the remote address. The value must be a regular expression of the IP addresses of the proxy. This is useful when you use a reverse SSL proxy only for https access and you want to use the automatic detection for http access.
overwrite.cli.url: the base URL for any URLs which are generated within F7cloud using any kind of command line tools. For example, the value set here will be used by the notifications area.
Leave the value empty or omit the parameter to keep the automatic detection.
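An added check for overwritecondaddr patterns, not part of F7cloud: it assumes the expression is applied as an unanchored search against the remote address (modelled here with Python's re.search), which is why the ^ and $ anchors matter. The probe addresses are generated from the proxy IP you pass in.

```python
import re

def _valid_octet(o):
    """Decimal octet 0-255 without leading zeros."""
    return o.isdigit() and str(int(o)) == o and int(o) <= 255

def near_misses(proxy_ip):
    """Valid IPv4 addresses that contain proxy_ip as a substring."""
    first, *middle, last = proxy_ip.split(".")
    out = []
    for d in "123456789":                      # extra leading digit: 10.x -> 110.x
        if _valid_octet(d + first):
            out.append(".".join([d + first, *middle, last]))
    for d in "0123456789":                     # extra trailing digit: x.1 -> x.10
        if _valid_octet(last + d):
            out.append(".".join([first, *middle, last + d]))
    return out

def audit(pattern, proxy_ips):
    """Report proxies the pattern misses and foreign addresses it accepts."""
    rx = re.compile(pattern)
    intended = set(proxy_ips)
    missed = [ip for ip in proxy_ips if not rx.search(ip)]
    unintended = [c for ip in proxy_ips for c in near_misses(ip)
                  if c not in intended and rx.search(c)]
    return {"missed": missed, "unintended": unintended}

if __name__ == "__main__":
    # Constructed patterns for a proxy at 10.0.0.1: unanchored, half-anchored, anchored.
    for pat in (r"10\.0\.0\.1", r"^10\.0\.0\.1", r"^10\.0\.0\.1$"):
        print(pat, audit(pat, ["10.0.0.1"]))
```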
Service Discovery
The redirects for CalDAV and CardDAV do not work if F7cloud is running behind a reverse proxy. The recommended solution is to have your reverse proxy perform the redirects.
Apache2
RewriteEngine On
RewriteRule ^/\.well-known/carddav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
RewriteRule ^/\.well-known/caldav https://%{SERVER_NAME}/remote.php/dav/ [R=301,L]
Thanks to @ffried for apache2 example.
Traefik 1
Using Docker labels:
traefik.frontend.redirect.permanent: 'true'
traefik.frontend.redirect.regex: 'https://(.*)/.well-known/(?:card|cal)dav'
traefik.frontend.redirect.replacement: 'https://$$1/remote.php/dav'
Using traefik.toml:
[frontends.frontend1.redirect]
regex = "https://(.*)/.well-known/(?:card|cal)dav"
replacement = "https://$1/remote.php/dav"
permanent = true
Traefik 2
Using Docker labels:
- "traefik.http.routers.f7cloud.middlewares=f7cloud_redirectregex@docker"
- "traefik.http.middlewares.f7cloud_redirectregex.redirectregex.permanent=true"
- "traefik.http.middlewares.f7cloud_redirectregex.redirectregex.regex=https://(.*)/.well-known/(?:card|cal)dav"
- "traefik.http.middlewares.f7cloud_redirectregex.redirectregex.replacement=https://$${1}/remote.php/dav"
Using a TOML file:
[http.middlewares]
[http.middlewares.f7cloud-redirectregex.redirectRegex]
permanent = true
regex = "https://(.*)/.well-known/(?:card|cal)dav"
replacement = "https://${1}/remote.php/dav"
HAProxy
acl url_discovery path /.well-known/caldav /.well-known/carddav
http-request redirect location /remote.php/dav/ code 301 if url_discovery
NGINX
If using nginx as F7cloud’s webserver from behind another nginx reverse proxy, put this only in the reverse proxy’s configuration.
location /.well-known/carddav {
return 301 $scheme://$host/remote.php/dav;
}
location /.well-known/caldav {
return 301 $scheme://$host/remote.php/dav;
}
location ^~ /.well-known {
return 301 $scheme://$host/index.php$uri;
}
When using NGINX Proxy Manager, the entry proxy_hide_header Upgrade; must be added in the “Advanced Settings”
of the proxy host under “Custom Nginx Configuration”, otherwise mobile devices (iPad, iPhone etc.) will simply receive the Error Message “Connection Closed”.
Caddy
subdomain.example.com {
redir /.well-known/carddav /remote.php/dav/ 301
redir /.well-known/caldav /remote.php/dav/ 301
reverse_proxy {$F7CLOUD_HOST:localhost}
}
Example
Multiple domains reverse SSL proxy
If you want to access your F7cloud installation http://domain.tld/f7cloud
via a multiple domains reverse SSL proxy
https://ssl-proxy.tld/domain.tld/f7cloud with the IP address 10.0.0.1
you can set the following parameters inside the config/config.php.
<?php
$CONFIG = array (
'trusted_proxies' => ['10.0.0.1'],
'overwritehost' => 'ssl-proxy.tld',
'overwriteprotocol' => 'https',
'overwritewebroot' => '/domain.tld/f7cloud',
'overwritecondaddr' => '^10\.0\.0\.1$',
'overwrite.cli.url' => 'https://domain.tld/',
);
Note
If you want to use the SSL proxy during installation, you have to
create the config/config.php; otherwise, you have to extend the existing
$CONFIG array.