Discovery server behind an Apache reverse proxy


(Micha) #1

Hi Scott

Thanks a lot for your discussion here: Using reverse-proxied nginx and subdomain with self-hosted, Dockerized discovery server

Therefore I was able to set up my own discovery server / Apache reverse proxy installation. Unfortunately, I am not able to create my own topic within the ‘howto’ category. Maybe my account is too fresh :wink:

I have an SSL wildcard certificate (*.domain.tld). My Apache webserver has the modules ‘ssl’, ‘headers’, ‘proxy’ and ‘proxy_http’ enabled. The following lines are required within the Apache config:

<VirtualHost x.x.x.x:443>
    ServerName discovery.domain.tld
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/cert.crt
    SSLCertificateKeyFile /etc/apache2/ssl/cert.key
    SSLCertificateChainFile /etc/apache2/ssl/intermediate.crt

    SSLProxyEngine On
    SSLVerifyClient optional_no_ca
    ProxyPass / http://internal.domain.tld:8443/
    ProxyPassReverse / http://internal.domain.tld:8443/
    RequestHeader set X-SSL-Cert "%{SSL_CLIENT_CERT}s"
</VirtualHost>

The two important steps are the same as in your solution. You have to request that the client present a certificate, and you have to forward that certificate within the header to the discovery server.

Hint: It is not necessary to have a wildcard certificate. Without that you have to work with a deeper link structure: ssl.domain.tld/discovery and you have to change the two lines with ‘ProxyPass’ and ‘ProxyPassReverse’ accordingly.

At first I downloaded the current Linux binary for the discovery server. That’s missing the ‘-http’ option. I had to download the current source from GitHub and compile it on my own.

Cheers Micha
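
What the server behind the proxy has to do with the forwarded X-SSL-Cert header, as an added example (not code from this thread or from the Syncthing project). It assumes Apache delivers the PEM with line breaks replaced by spaces and the literal (null) when the client presented no certificate; fingerprintFromHeader and sampleHeader are hypothetical names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// fingerprintFromHeader returns the SHA-256 of the certificate in X-SSL-Cert.
// Assumed format: PEM with line breaks as spaces, or "(null)" for no certificate.
func fingerprintFromHeader(hdr string) (sum [32]byte, err error) {
	const begin, end = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
	hdr = strings.TrimSpace(hdr)
	if hdr == "" || hdr == "(null)" {
		return sum, fmt.Errorf("no client certificate forwarded")
	}
	if len(hdr) < len(begin)+len(end) || !strings.HasPrefix(hdr, begin) || !strings.HasSuffix(hdr, end) {
		return sum, fmt.Errorf("header is not a PEM certificate")
	}
	// Re-wrap only the base64 body; the BEGIN/END markers contain spaces themselves.
	body := strings.Join(strings.Fields(hdr[len(begin):len(hdr)-len(end)]), "\n")
	block, _ := pem.Decode([]byte(begin + "\n" + body + "\n" + end + "\n"))
	if block == nil {
		return sum, fmt.Errorf("PEM decode failed")
	}
	if _, err = x509.ParseCertificate(block.Bytes); err != nil {
		return sum, err
	}
	return sha256.Sum256(block.Bytes), nil
}

// sampleHeader builds a throwaway self-signed certificate (constructed test data), flattened as assumed.
func sampleHeader() (string, [32]byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	p := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return strings.ReplaceAll(strings.TrimSpace(string(p)), "\n", " "), sha256.Sum256(der)
}

func main() {
	hdr, want := sampleHeader()
	got, err := fingerprintFromHeader(hdr)
	fmt.Println("fingerprint matches:", got == want, "error:", err)
}
```

Because the backend takes the client certificate from a header instead of from the TLS handshake, internal.domain.tld:8443 should accept connections only from the proxy.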


(Antony Male) #2

(Moved to a new topic in Howto)


(Audrius Butkevicius) #3

I would appreciate it if you’d make a pull request to the docs explaining how to do this. Especially the SSL handoff to the discovery server, as that’s the trickiest bit here.


(Micha) #5

Sure! Here https://docs.syncthing.net/users/reverseproxy.html or there https://docs.syncthing.net/users/discosrv.html ???


(Audrius Butkevicius) #6

Add a new section/page under discosrv