Reverse Proxy
To expose Uptime Kuma to the web securely, it is recommended to proxy it behind a traditional web server such as nginx or Apache. Below are some example configurations that you could use.
Unlike other web apps, Uptime Kuma is based on WebSocket. You need two more headers, "Upgrade" and "Connection", in order to reverse proxy WebSocket.
Uptime Kuma does not support reverse proxying under a subdirectory such as http://example.com/uptimekuma. Please prepare a domain or subdomain for it.
Nginx, with SSL:
server {
    listen 443 ssl http2;
    server_name sub.domain.com;
    ssl_certificate     /path/to/ssl/cert/crt;
    ssl_certificate_key /path/to/ssl/key/key;

    location / {
        # Pass the client address and requested host on to Uptime Kuma
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;  # same as in the non-SSL example
        proxy_pass http://localhost:3001/;
        # WebSocket: the upgrade needs HTTP/1.1 and these two headers
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
Nginx, without SSL:
server {
    listen 80;
    server_name sub.domain.com;

    location / {
        proxy_pass http://localhost:3001;
        # WebSocket: the upgrade needs HTTP/1.1 and these two headers
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
    }
}
Apache, with SSL:
# Requires mod_ssl, mod_proxy, mod_proxy_http, mod_proxy_wstunnel and mod_rewrite.
<VirtualHost *:443>
    ServerName sub.domain.com
    SSLEngine On
    SSLCertificateFile /path/to/ssl/cert/crt
    SSLCertificateKeyFile /path/to/ssl/key/key
    # Protocol 'h2' is only supported on Apache 2.4.17 or newer.
    Protocols h2 http/1.1

    ProxyPass / http://localhost:3001/
    # Requests that ask for a WebSocket upgrade are proxied with the ws:// scheme
    RewriteEngine on
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteCond %{HTTP:Connection} upgrade [NC]
    RewriteRule ^/?(.*) "ws://localhost:3001/$1" [P,L]
</VirtualHost>
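Apache, without SSL:
# Requires mod_proxy, mod_proxy_http, mod_proxy_wstunnel and mod_rewrite.
<VirtualHost *:80>
    ServerName sub.domain.com

    ProxyPass / http://localhost:3001/
    # Requests that ask for a WebSocket upgrade are proxied with the ws:// scheme
    RewriteEngine on
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteCond %{HTTP:Connection} upgrade [NC]
    RewriteRule ^/?(.*) "ws://localhost:3001/$1" [P,L]
</VirtualHost>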
Caddy:
subdomain.domain.com {
    reverse_proxy 127.0.0.1:3001
}
Synology DSM: please enable "WebSockets Supports". See https://mlohr.com/websockets-for-synology-dsm/
Traefik:
labels:
  - "traefik.enable=true"
  - "traefik.http.routers.uptime-kuma.rule=Host(`YourOwnHostname`)"
  - "traefik.http.routers.uptime-kuma.entrypoints=https"
  - "traefik.http.routers.uptime-kuma.tls=true"
  - "traefik.http.routers.uptime-kuma.tls.certresolver=myresolver"
  - "traefik.http.services.uptime-kuma.loadBalancer.server.port=3001"
To use the Traefik reverse proxy, add the above to your docker-compose.yml file and replace "YourOwnHostname" with the hostname you want to use. If set up correctly, Traefik can automatically get a Let's Encrypt certificate for your service.
You must enable "WebSockets" in Cloudflare Dashboard:
Cloudflare Dashboard -> Network -> Enable WebSockets
Read more: https://github.com/louislam/uptime-kuma/issues/138#issuecomment-890485229
It is recommended to use SSL (HTTPS) with your web server to avoid MiTM attacks when on a public network. If you are using Caddy, the certificates will be auto-generated by Caddy, which also keeps them updated.
If you are using Apache or NGINX, it is recommended to use Certbot to manage SSL for free; it uses Let's Encrypt to get its certificates and keeps them renewed. You can also use your own certificates and place them as shown above. If using Certbot, use the "Without SSL" settings and then run Certbot on it, and it will automatically configure auto-HTTPS redirection.