Using a Reverse Proxy
InterDiode can be used with a reverse proxy, even if it is not required. However, using a reverse proxy can provide additional features such as SSL termination, load balancing, and improved security. A common reverse proxy is nginx, but Apache or Caddy can also be used.
Several headers must be set by the reverse proxy to ensure that websockets are working and that InterDiode can correctly identify the client and the original request: Here is an example configuration of important HTTP headers for nginx:
proxy_set_header Connection "upgrade";
proxy_set_header Upgrade $http_upgrade;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
Attention
Do not forget to configure TRUSTED_PROXY_IPS to ensure that InterDiode trusts the headers set by the reverse proxy and does not consider them as spoofed. It can be set to a single IP address, a CIDR range, or a comma-separated list of IP addresses and CIDR ranges.
TRUSTED_PROXY_IPS=127.0.0.1,::1,10.0.0.0/16,172.18.0.0/16
Note
InterDiode uses a websocket endpoint /ws/ for real-time updates, and the reverse proxy must be configured to support websockets by setting the appropriate headers (like Connection: upgrade and Upgrade: websocket) and by allowing the websocket protocol to pass through.
Authenticating Users
As explained in the authentication documentation, if the reverse proxy is also responsible for authenticating users, it can set additional headers to pass the authenticated user’s information to InterDiode.
Here is an example configuration of headers for nginx to pass the authenticated user’s information (using the headers provided by Authentik):
location /v1/login/ {
# include other proxy settings here...
proxy_set_header X-Remote-Email $authentik_email;
proxy_set_header X-Remote-Groups $authentik_groups;
proxy_set_header X-Remote-User $authentik_username;
proxy_set_header X-User-FirstName $http_x_user_firstname;
proxy_set_header X-User-LastName $http_x_user_lastname;
}
This is the matching configuration for InterDiode to extract the authenticated user’s information from the headers set by the reverse proxy:
ALLOW_USER_CREATION=true
HTTP_REMOTE_EMAIL_HEADER=X-Remote-Email
HTTP_REMOTE_FIRST_NAME_HEADER=X-User-FirstName
HTTP_REMOTE_GROUPS_HEADER=X-Remote-Groups
HTTP_REMOTE_LAST_NAME_HEADER=X-User-LastName
HTTP_REMOTE_USER_HEADER=X-Remote-User