diff --git a/docs/install/remnawave-node.md b/docs/install/remnawave-node.md
index 2188da3..eb432c2 100644
--- a/docs/install/remnawave-node.md
+++ b/docs/install/remnawave-node.md
@@ -110,6 +110,7 @@ Usage in xray config:
]
}
```
+
### Log from Node
You can access logs from the node by mounting them to your host's file system.
@@ -164,7 +165,6 @@ Create a logrotate configuration file:
nano /etc/logrotate.d/remnanode
```
-
Paste the following logrotate configuration for RemnaNode:
```bash
@@ -183,3 +183,60 @@ Run logrotate manually to test:
```bash
logrotate -vf /etc/logrotate.d/remnanode
```
+
+### XRay SSL cert for Node
+
+If you’re using certificates for your XRay configuration, you need to mount them into the panel.
+
+:::info
+Mount the folder via Docker volumes, and in the config refer to the internal path.
+Inside the container there’s a dedicated (empty) folder for certs:
+/var/lib/remnawave/configs/xray/ssl/
+:::
+
+Add the following to the `docker-compose.yml` file:
+
+```yaml
+remnawave:
+ image: remnawave/backend:latest
+ container_name: 'remnawave'
+ hostname: remnawave
+ restart: always
+ ports:
+ - '127.0.0.1:3000:3000'
+ env_file:
+ - .env
+ networks:
+ - remnawave-network
+ // highlight-next-line-green
+ volumes:
+ // highlight-next-line-green
+ - '/opt/remnawave/nginx:/var/lib/remnawave/configs/xray/ssl'
+ depends_on:
+ remnawave-db:
+ condition: service_healthy
+ remnawave-redis:
+ condition: service_healthy
+```
+
+:::info
+When the panel pushes the config to the node, it will automatically read the mounted files and send the certs to the node.
+:::
+
+Usage in XRay config:
+
+```json
+ "certificates": [
+ {
+ "keyFile": "/var/lib/remnawave/configs/xray/ssl/privkey.key",
+ "certificateFile": "/var/lib/remnawave/configs/xray/ssl/fullchain.pem"
+ // Other fields
+ }
+ ]
+```
+
+:::caution
+Pay attention to the **.key** and **.pem** extensions.
+:::
+
+> > > > > > > origin/main
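Review bot: The hunk ends with a merge-conflict marker (`>>>>>>> origin/main`, the last added line after the caution block) that was committed into the page and will render as a quoted line; delete it. The volume line `- '/opt/remnawave/nginx:/var/lib/remnawave/configs/xray/ssl'` also mounts the whole nginx directory read-write into the panel, and per the nginx guide in this same commit that directory holds `nginx.conf` next to `fullchain.pem` and `privkey.key`, while the info block says the panel reads the mounted files and sends them on to the node. Prefer a dedicated directory holding only the two certificate files and mount it read-only, e.g. `- '/opt/remnawave/nginx/ssl:/var/lib/remnawave/configs/xray/ssl:ro'` (example path), with the text above the block saying that only the key and fullchain should live there.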
diff --git a/docs/install/reverse-proxies/angie.md b/docs/install/reverse-proxies/angie.md
new file mode 100644
index 0000000..26d135d
--- /dev/null
+++ b/docs/install/reverse-proxies/angie.md
@@ -0,0 +1,177 @@
+---
+sidebar_position: 5
+title: Angie
+description: Reverse proxy with automatic SSL certificates
+---
+
+import PointDomainToIp from '/docs/partials/\_point_domain_to_ip.md';
+import OpenLoginPage from '/docs/partials/\_open_login_page.md';
+
+## Overview
+
+In this guide we will be using Angie as a reverse proxy to access the Remnawave panel.
+We will point a domain name to our server and configure Angie.
+
+
+
+### Create a folder for Angie
+
+```bash
+mkdir -p /opt/remnawave/angie && cd /opt/remnawave/angie
+```
+
+## Angie configuration
+
+### Simple configuration
+
+Create a file called `angie.conf` in the `/opt/remnawave/angie` directory.
+
+```bash
+cd /opt/remnawave/angie && nano angie.conf
+```
+
+Paste the following configuration.
+
+:::warning
+
+Please, replace `REPLACE_WITH_YOUR_DOMAIN` with your domain name.
+
+Review the configuration below, look for red highlighted lines.
+
+:::
+
+```angie title="angie.conf"
+upstream remnawave {
+ server remnawave:3000;
+}
+
+# Connection header for WebSocket reverse proxy
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ "" close;
+}
+
+resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220;
+
+acme_client acme_le https://acme-v02.api.letsencrypt.org/directory;
+
+server {
+ // highlight-next-line-red
+ server_name REPLACE_WITH_YOUR_DOMAIN;
+
+ listen 443 ssl reuseport;
+ listen [::]:443 ssl reuseport;
+ http2 on;
+
+ acme acme_le;
+
+ # SSL Configuration (Mozilla Intermediate)
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL:1m;
+ ssl_session_tickets off;
+ ssl_certificate $acme_cert_acme_le;
+ ssl_certificate_key $acme_cert_key_acme_le;
+
+ location / {
+ proxy_http_version 1.1;
+ proxy_pass http://remnawave;
+ proxy_set_header Host $host;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
+ # Gzip Compression
+ gzip on;
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 6;
+ gzip_buffers 16 8k;
+ gzip_http_version 1.1;
+ gzip_min_length 256;
+ gzip_types
+ application/atom+xml
+ application/geo+json
+ application/javascript
+ application/x-javascript
+ application/json
+ application/ld+json
+ application/manifest+json
+ application/rdf+xml
+ application/rss+xml
+ application/xhtml+xml
+ application/xml
+ font/eot
+ font/otf
+ font/ttf
+ image/svg+xml
+ text/css
+ text/javascript
+ text/plain
+ text/xml;
+}
+
+server {
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
+ server_name _;
+
+ ssl_reject_handshake on;
+}
+
+server {
+ listen 80;
+ return 444; # https://angie.software/angie/docs/configuration/acme/#http
+}
+```
+
+### Create docker-compose.yml
+
+Create a `docker-compose.yml` file in the `/opt/remnawave/angie` directory.
+
+```bash
+cd /opt/remnawave/angie && nano docker-compose.yml
+```
+
+Paste the following configuration.
+
+```yaml title="docker-compose.yml"
+services:
+ remnawave-angie:
+ image: docker.angie.software/angie:1.9.0
+ container_name: remnawave-angie
+ hostname: remnawave-angie
+ restart: always
+ ports:
+ - '0.0.0.0:443:443'
+ - '0.0.0.0:80:80'
+ networks:
+ - remnawave-network
+ volumes:
+ - angie-ssl-data:/var/lib/angie/acme/
+ - ./angie.conf:/etc/angie/http.d/default.conf:ro
+
+networks:
+ remnawave-network:
+ name: remnawave-network
+ driver: bridge
+ external: true
+
+volumes:
+ angie-ssl-data:
+ driver: local
+ external: false
+ name: angie-ssl-data
+```
+
+### Start the container
+
+```bash
+docker compose up -d && docker compose logs -f -t
+```
+
+
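Review bot: `PointDomainToIp` and `OpenLoginPage` are imported at the top of the new file but never rendered, so the domain-pointing and login steps are missing from this guide; the blank lines after the Overview paragraph and after the final `docker compose` block look like where `<PointDomainToIp />` and `<OpenLoginPage />` were meant to go. The `resolver 1.1.1.1 ... 208.67.220.220;` line also lacks the `valid=60s` and `resolver_timeout 2s` that the nginx.md hunk in this same commit adds for its resolver, so the two guides drift apart on DNS caching for the ACME lookups; aligning them is a one-line change. Neither this `angie.conf` nor the revised nginx.md server block sends `Strict-Transport-Security`, which the nginx guide used to set; if dropping HSTS is deliberate it deserves a sentence in the text, otherwise add `proxy_hide_header Strict-Transport-Security;` and `add_header Strict-Transport-Security "max-age=15552000" always;` to the main server block here and in nginx.md.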
diff --git a/docs/install/reverse-proxies/nginx.md b/docs/install/reverse-proxies/nginx.md
index 5384b7e..8704a28 100644
--- a/docs/install/reverse-proxies/nginx.md
+++ b/docs/install/reverse-proxies/nginx.md
@@ -73,12 +73,6 @@ This shows that the certificate is issued. `Acme.sh` will take care of automatic
### Simple configuration
-We are going to need a `dhparam.pem` file.
-
-```bash
-curl https://ssl-config.mozilla.org/ffdhe2048.txt > /opt/remnawave/nginx/dhparam.pem
-```
-
Create a file called `nginx.conf` in the `/opt/remnawave/nginx` directory.
```bash
@@ -123,34 +117,23 @@ server {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Forwarded-Host $host;
- proxy_set_header X-Forwarded-Port $server_port;
-
- proxy_send_timeout 60s;
- proxy_read_timeout 60s;
}
# SSL Configuration (Mozilla Intermediate Guidelines)
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ecdh_curve X25519:prime256v1:secp384r1;
+ ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
- ssl_prefer_server_ciphers off;
ssl_session_timeout 1d;
- ssl_session_cache shared:MozSSL:10m; # ~40,000 sessions
- ssl_dhparam "/etc/nginx/ssl/dhparam.pem";
+ ssl_session_cache shared:MozSSL:1m;
+ ssl_session_tickets off;
ssl_certificate "/etc/nginx/ssl/fullchain.pem";
ssl_certificate_key "/etc/nginx/ssl/privkey.key";
-
- # OCSP Stapling
- ssl_stapling on;
- ssl_stapling_verify on;
ssl_trusted_certificate "/etc/nginx/ssl/fullchain.pem";
- resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220;
- # HTTP Strict Transport Security (HSTS)
- proxy_hide_header Strict-Transport-Security;
- add_header Strict-Transport-Security "max-age=15552000" always;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
+ resolver_timeout 2s;
# Gzip Compression
gzip on;
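Review bot: With `ssl_dhparam` and the dhparam.pem download removed, the three `DHE-RSA-…` suites kept at the end of the `ssl_ciphers` line are dead entries, because nginx (since 1.11.0) uses no built-in DH parameters and cannot negotiate DHE without `ssl_dhparam`; either drop those entries from `ssl_ciphers` or keep the dhparam file. The `# SSL Configuration (Mozilla Intermediate Guidelines)` comment no longer matches the block either, since that profile includes `ssl_dhparam` and `ssl_prefer_server_ciphers off`; trimming it to `# SSL Configuration` avoids implying the profile is applied as published. The `server` block this hunk edits starts and ends outside the hunk.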
@@ -210,7 +193,6 @@ services:
hostname: remnawave-nginx
volumes:
- ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
- - ./dhparam.pem:/etc/nginx/ssl/dhparam.pem:ro
- ./fullchain.pem:/etc/nginx/ssl/fullchain.pem:ro
- ./privkey.key:/etc/nginx/ssl/privkey.key:ro
restart: always