From bd05f85c26bc65228af6b3942bbd1b2f3955eb3e Mon Sep 17 00:00:00 2001 From: Matthias Date: Tue, 22 Nov 2022 18:11:18 +0100 Subject: [PATCH] Simplify ssl documentation --- docs/rest-api.md | 187 +++-------------------------------------------- 1 file changed, 12 insertions(+), 175 deletions(-) diff --git a/docs/rest-api.md b/docs/rest-api.md index c7c41d571..62ad586dd 100644 --- a/docs/rest-api.md +++ b/docs/rest-api.md @@ -389,11 +389,12 @@ Now anytime those types of RPC messages are sent in the bot, you will receive th } ``` -#### Reverse Proxy and Websockets +#### Reverse Proxy setup -There are some quirks when using a reverse proxy with the message websocket endpoint. The message websocket endpoint keeps a long-running connection open between the Rest API and the client. It's built on top of HTTP and uses the HTTP Upgrade mechanism to change from HTTP to WebSockets during connection. There are some challenges that a reverse proxy faces when supporting WebSockets, such as WebSockets are a hop-by-hop protocol, so when a proxy intercepts an Upgrade request from the client it needs to send it's own Upgrade request to the server, including appropriate headers. Also, since these connections are long lived, the proxy needs to allow these connections to remain open. +When using [Nginx](https://nginx.org/en/docs/), the following configuration is required for WebSockets to work (Note this configuration is incomplete, it's missing some information and can not be used as is): + +Please make sure to replace `` (and the subsequent port) with the IP and Port matching your configuration/setup. -When using Nginx, the following configuration is required for WebSockets to work (Note this configuration isn't complete, it's missing some information and can not be used as is): ``` http { map $http_upgrade $connection_upgrade { 
@@ -401,13 +402,14 @@ http { '' close; } - ... + #... server { - ... + #... location / { proxy_http_version 1.1; + proxy_pass http://:8080; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; proxy_set_header Host $host; @@ -416,11 +418,15 @@ http { } ``` -To configure your reverse proxy, see it's documentation for proxying websockets. +To properly configure your reverse proxy (securely), please consult it's documentation for proxying websockets. - **Traefik**: Traefik supports websockets out of the box, see the [documentation](https://doc.traefik.io/traefik/) - **Caddy**: Caddy v2 supports websockets out of the box, see the [documentation](https://caddyserver.com/docs/v2-upgrade#proxy) +!!! Tip "SSL certificates" + You can use tools like certbot to setup ssl certificates to access your bot's UI through encrypted connection by using any fo the above reverse proxies. + While this will protect your data in transit, we do not recommend to run the freqtrade API outside of your private network (VPN, SSH tunnel). + ### OpenAPI interface To enable the builtin openAPI interface (Swagger UI), specify `"enable_openapi": true` in the api_server configuration. @@ -490,172 +496,3 @@ The correct configuration for this case is `http://localhost:8080` - the main pa !!! Note We strongly recommend to also set `jwt_secret_key` to something random and known only to yourself to avoid unauthorized access to your bot. - -
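Review bot: in the hunk at `@@ -389,11 +389,12 @@`, the added sentence "Please make sure to replace `` (and the subsequent port) ..." has nothing between the backticks, so the reader is not told which token to replace. Give the placeholder an explicit name and check that it survives rendering. The sentence also sits between the "the following configuration is required for WebSockets to work (...):" lead-in and the code fence; moving it below the block keeps the colon attached to the config it introduces. The heading becomes "Reverse Proxy setup" while the section still only covers the WebSocket upgrade headers, and the removed paragraph was the only place that explained why the proxy has to send its own `Upgrade` request and keep long-lived connections open. One sentence of that rationale is worth keeping.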
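Review bot: in the `location /` block of the hunk at `@@ -401,13 +402,14 @@`, the added line `proxy_pass http://:8080;` has no host between `//` and `:8080`, so it does not read as a template and is not a usable upstream if pasted. Use the same named placeholder as the prose sentence that tells the reader to replace the IP and port, and add a short comment on that line saying the target is the address and port the API server listens on. Given that the tip added in this patch advises against running the API outside a private network, it is worth stating next to this directive that the upstream should not be a publicly reachable address.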
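Review bot: in the hunk at `@@ -416,11 +418,15 @@`, the added lines carry several wording errors: "consult it's documentation" should be "its", "any fo the above" should be "any of the above", and "to setup ssl certificates" should be "to set up SSL certificates". The parenthetical in "To properly configure your reverse proxy (securely)" does not tell the reader what secure means here; either drop it or name the concrete expectations, for example TLS termination at the proxy plus the existing advice to keep the API behind a VPN or SSH tunnel. The tip says TLS protects data in transit but is silent on authentication, so a pointer to the `jwt_secret_key` note further down the page would close that gap.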
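Review bot: the hunk at `@@ -490,172 +496,3 @@` removes 169 lines after the `jwt_secret_key` note, which is almost all of the 175 deletions in the diffstat, yet the commit message is only the subject "Simplify ssl documentation". Add a message body that names the sections being dropped and says that the new "SSL certificates" tip is their replacement, so anyone following an old link or anchor into `docs/rest-api.md` can tell where the guidance went and why it was removed.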