Setting up a Reverse Proxy
When exposing Liwan to the public internet, it is recommended to use a reverse proxy to handle SSL termination and other security-related tasks. This guide will show you how to set up a reverse proxy using Caddy.
There are many other reverse proxies available, such as Nginx (guide), Traefik (guide), and HAProxy (guide), which all vary in complexity and features.
Setting up Caddy
1. Install Caddy

   First, install Caddy on your server. You can download the latest version from the official website. Depending on how you install Caddy, you may need to set up a service to run it in the background.

2. Configure Caddy

   A basic Caddy configuration file might look like this:

   /etc/caddy/Caddyfile

   ```
   liwan.example.com {
       reverse_proxy localhost:9042
       tls you@example.com
   }
   ```

   This configuration tells Caddy to listen for requests on liwan.example.com, reverse proxy them to Liwan running on port 9042, and use Let’s Encrypt to automatically obtain and renew SSL certificates.

3. Start Caddy

   Again, depending on your setup, you may need to start Caddy manually or set it up as a service. See the Keep Caddy Running section of the Caddy documentation for more information.

   Once Caddy is running, you should be able to access Liwan by visiting https://liwan.example.com.
Client IP Headers
Liwan uses the request IP for visitor identification and optional GeoIP lookups. When Liwan is behind a reverse proxy, the proxy should forward the original client IP.
Liwan checks these headers (in this order) before falling back to the socket source IP:

1. cf-connecting-ip
2. fly-client-ip
3. true-client-ip
4. x-real-ip
5. cloudfront-viewer-address
6. x-forwarded-for
7. forwarded
For multi-hop header formats (x-forwarded-for and forwarded), Liwan currently uses the last entry in the list.
To avoid spoofed values, only trust headers set by your own edge proxy/load balancer. Your edge should strip incoming client-provided forwarding headers and set canonical values itself.
For Caddy, the default reverse_proxy setup already forwards X-Forwarded-For and related headers.
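
The stripping advice above, applied to the basic Caddyfile for the case where Caddy itself is the edge (an added example, not part of the Liwan documentation). Caddy's reverse_proxy manages the X-Forwarded-* headers itself but passes other request headers through unchanged, so the headers Liwan checks ahead of x-forwarded-for are deleted or overwritten explicitly. It assumes no CDN or load balancer sits in front of Caddy; if one does, keep the single header that provider sets and remove the others.

```caddyfile
# /etc/caddy/Caddyfile
# Assumption: Caddy terminates client connections directly (no CDN in front).
liwan.example.com {
    reverse_proxy localhost:9042 {
        # Delete client-supplied copies of headers that Liwan checks
        # before x-forwarded-for. Nothing upstream of Caddy sets these
        # in this topology, so any value present came from the client.
        header_up -CF-Connecting-IP
        header_up -Fly-Client-IP
        header_up -True-Client-IP
        header_up -CloudFront-Viewer-Address

        # Delete the RFC 7239 Forwarded header as well; Caddy does not
        # rewrite it, and Liwan reads it as a fallback.
        header_up -Forwarded

        # Overwrite X-Real-IP with the address of the TCP peer Caddy saw,
        # replacing whatever the client may have sent.
        header_up X-Real-IP {remote_host}

        # X-Forwarded-For needs no entry here: with no trusted_proxies
        # configured, Caddy discards the incoming value and sets the
        # header to the connecting client's address.
    }
    tls you@example.com
}
```

After reloading Caddy, a request sent with a made-up value in one of the deleted headers should still be recorded by Liwan under the real connecting address.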