From c8e7cc8b54b735c7a1bb4378d5ede54e4d598d8d Mon Sep 17 00:00:00 2001
From: Fraybyl
Date: Sun, 18 May 2025 23:50:56 +0300
Subject: [PATCH 01/12] feat: XRay ssl certs

---
 docs/install/remnawave-node.md | 55 ++++++++++++++++++++++++++++++++++
 1 file changed, 55 insertions(+)

diff --git a/docs/install/remnawave-node.md b/docs/install/remnawave-node.md
index 4f4b39a..fb5e30d 100644
--- a/docs/install/remnawave-node.md
+++ b/docs/install/remnawave-node.md
@@ -158,3 +158,58 @@ Log rotation using logrotate:
 copytruncate
 }
 ```
+
+### XRay SSL cert for Node
+
+If you’re using certificates for your XRay configuration, you need to mount them into the panel.
+
+:::info
+Mount the folder via Docker volumes, and in the config refer to the internal path.
+Inside the container there’s a dedicated (empty) folder for certs:
+/var/lib/remnawave/configs/xray/ssl/
+:::
+
+Add the following to the `docker-compose.yml` file:
+
+```yaml
+remnawave:
+ image: remnawave/backend:latest
+ container_name: 'remnawave'
+ hostname: remnawave
+ restart: always
+ ports:
+ - '127.0.0.1:3000:3000'
+ env_file:
+ - .env
+ networks:
+ - remnawave-network
+ // highlight-next-line-green
+ volumes:
+ // highlight-next-line-green
+ - '/opt/remnawave/nginx:/var/lib/remnawave/configs/xray/ssl'
+ depends_on:
+ remnawave-db:
+ condition: service_healthy
+ remnawave-redis:
+ condition: service_healthy
+```
+
+:::info
+When the panel pushes the config to the node, it will automatically read the mounted files and send the certs to the node.
+:::
+
+Usage in XRay config:
+
+```json
+ "certificates": [
+ {
+ "keyFile": "/var/lib/remnawave/configs/xray/ssl/privkey.key",
+ "certificateFile": "/var/lib/remnawave/configs/xray/ssl/fullchain.pem"
+ // Other fields
+ }
+ ]
+```
+
+:::caution
+Pay attention to the **.key** and **.pem** extensions.
+:::

From 2769926d1c6794907acd296dac97153d8c8819d0 Mon Sep 17 00:00:00 2001
From: Fraybyl
Date: Mon, 19 May 2025 01:17:24 +0300
Subject: [PATCH 02/12] feat: angie reverse proxy

---
 docs/install/reverse-proxies/angie.md | 148 ++++++++++++++++++++++++++
 1 file changed, 148 insertions(+)
 create mode 100644 docs/install/reverse-proxies/angie.md

diff --git a/docs/install/reverse-proxies/angie.md b/docs/install/reverse-proxies/angie.md
new file mode 100644
index 0000000..e4ca09a
--- /dev/null
+++ b/docs/install/reverse-proxies/angie.md
@@ -0,0 +1,148 @@
+---
+sidebar_position: 5
+title: Angie
+description: Reverse proxy with automatic SSL certificates
+---
+
+import PointDomainToIp from '/docs/partials/\_point_domain_to_ip.md';
+import OpenLoginPage from '/docs/partials/\_open_login_page.md';
+
+## Overview
+
+In this guide we will be using Angie as a reverse proxy to access the Remnawave panel.
+We will point a domain name to our server and configure Angie.
+
+
+### Create a folder for Angie
+
+```bash
+mkdir -p /opt/remnawave/angie && cd /opt/remnawave/angie
+```
+
+## Angie configuration
+
+### Simple configuration
+
+Create a file called `angie.conf` in the `/opt/remnawave/angie` directory.
+
+```bash
+cd /opt/remnawave/angie && nano angie.conf
+```
+
+Paste the following configuration.
+
+:::warning
+
+Please, replace `REPLACE_WITH_YOUR_DOMAIN` with your domain name.
+
+Review the configuration below, look for red highlighted lines.
+
+:::
+
+```angie title="angie.conf"
+upstream remnawave {
+ server remnawave:3000;
+}
+
+# Connection header for WebSocket reverse proxy
+map $http_upgrade $connection_upgrade {
+ default upgrade;
+ "" close;
+}
+
+acme_client acme_le https://acme-v02.api.letsencrypt.org/directory;
+
+server {
+ // highlight-next-line-red
+ server_name REPLACE_WITH_YOUR_DOMAIN;
+
+ listen 443 ssl reuseport;
+ listen [::]:443 ssl reuseport;
+ http2 on;
+
+ acme acme_le;
+
+ # SSL Configuration (Mozilla Modern)
+ ssl_protocols TLSv1.3;
+ ssl_prefer_server_ciphers on;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_tickets off;
+ ssl_certificate $acme_cert_acme_le;
+ ssl_certificate_key $acme_cert_key_acme_le;
+
+ add_header Strict-Transport-Security "max-age=15552000" always;
+
+ location / {
+ proxy_http_version 1.1;
+ proxy_pass http://remnawave;
+ proxy_set_header Host $host;
+ proxy_set_header Upgrade $http_upgrade;
+ 
proxy_set_header Connection $connection_upgrade;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+}
+
+server {
+ listen 443 ssl default_server;
+ listen [::]:443 ssl default_server;
+ server_name _;
+
+ ssl_reject_handshake on;
+}
+
+server {
+ listen 80;
+ return 444; # https://angie.software/angie/docs/configuration/acme/#http
+}
+```
+
+### Create docker-compose.yml
+
+Create a `docker-compose.yml` file in the `/opt/remnawave/angie` directory.
+
+```bash
+cd /opt/remnawave/angie && nano docker-compose.yml
+```
+
+Paste the following configuration.
+
+```yaml title="docker-compose.yml"
+services:
+ remnawave-angie:
+ image: docker.angie.software/angie:1.9.0
+ container_name: remnawave-angie
+ hostname: remnawave-angie
+ restart: always
+ ports:
+ - '0.0.0.0:443:443'
+ networks:
+ - remnawave-network
+ volumes:
+ - angie-ssl-data:/data
+ - ./angie.conf:/etc/angie/http.d/default.conf:ro
+
+networks:
+ remnawave-network:
+ name: remnawave-network
+ driver: bridge
+ external: true
+
+volumes:
+ angie-ssl-data:
+ driver: local
+ external: false
+ name: angie-ssl-data
+```
+
+### Start the container
+
+```bash
+docker compose up -d && docker compose logs -f -t
+```
+
+

From 031456860942023c6c613eb54c55a1fca9c8558e Mon Sep 17 00:00:00 2001
From: Fraybyl
Date: Mon, 19 May 2025 01:25:04 +0300
Subject: [PATCH 03/12] fix: add resolver

---
 docs/install/reverse-proxies/angie.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docs/install/reverse-proxies/angie.md b/docs/install/reverse-proxies/angie.md
index e4ca09a..92694f9 100644
--- a/docs/install/reverse-proxies/angie.md
+++ b/docs/install/reverse-proxies/angie.md
@@ -51,6 +51,8 @@ map $http_upgrade $connection_upgrade {
 "" close;
 }
+resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220;
+
 acme_client acme_le https://acme-v02.api.letsencrypt.org/directory;
 server {
From 8de6c45fd73c8ab501824c9808b50bd1193ebb0a Mon Sep 17 00:00:00 2001 From: Fraybyl Date: Mon, 19 May 2025 01:26:45 +0300 Subject: [PATCH 04/12] fix: ssl path --- docs/install/reverse-proxies/angie.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/install/reverse-proxies/angie.md b/docs/install/reverse-proxies/angie.md index 92694f9..f275d40 100644 --- a/docs/install/reverse-proxies/angie.md +++ b/docs/install/reverse-proxies/angie.md @@ -125,7 +125,7 @@ services: networks: - remnawave-network volumes: - - angie-ssl-data:/data + - angie-ssl-data:/var/lib/angie/acme/ - ./angie.conf:/etc/angie/http.d/default.conf:ro networks: From e821f562bde500900e5c1e6f7dac2c0455723278 Mon Sep 17 00:00:00 2001 From: Fraybyl Date: Mon, 19 May 2025 01:37:47 +0300 Subject: [PATCH 05/12] fix: open 80 port for acme --- docs/install/reverse-proxies/angie.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/install/reverse-proxies/angie.md b/docs/install/reverse-proxies/angie.md index f275d40..93fd695 100644 --- a/docs/install/reverse-proxies/angie.md +++ b/docs/install/reverse-proxies/angie.md @@ -122,6 +122,7 @@ services: restart: always ports: - '0.0.0.0:443:443' + - '0.0.0.0:80:80' networks: - remnawave-network volumes: From ba3df3ed93a3d037d4395e675c047ab4ccc8befd Mon Sep 17 00:00:00 2001 From: Fraybyl Date: Mon, 19 May 2025 02:35:18 +0300 Subject: [PATCH 06/12] fix: delete unused header --- docs/install/reverse-proxies/angie.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/docs/install/reverse-proxies/angie.md b/docs/install/reverse-proxies/angie.md index 93fd695..85076d1 100644 --- a/docs/install/reverse-proxies/angie.md +++ b/docs/install/reverse-proxies/angie.md @@ -75,8 +75,6 @@ server { ssl_certificate $acme_cert_acme_le; ssl_certificate_key $acme_cert_key_acme_le; - add_header Strict-Transport-Security "max-age=15552000" always; - location / { proxy_http_version 1.1; proxy_pass http://remnawave; 
From d96a6c36796efd903be6f2ff4de1b226cd162c0f Mon Sep 17 00:00:00 2001
From: Fraybyl
Date: Mon, 19 May 2025 02:57:32 +0300
Subject: [PATCH 07/12] fix: add support TLSv1.2

---
 docs/install/reverse-proxies/angie.md | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/docs/install/reverse-proxies/angie.md b/docs/install/reverse-proxies/angie.md
index 85076d1..35e2fa3 100644
--- a/docs/install/reverse-proxies/angie.md
+++ b/docs/install/reverse-proxies/angie.md
@@ -65,10 +65,9 @@ server {
 acme acme_le;
- # SSL Configuration (Mozilla Modern)
- ssl_protocols TLSv1.3;
- ssl_prefer_server_ciphers on;
- ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
+ # SSL Configuration (Mozilla Intermediate)
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
 ssl_session_timeout 1d;
 ssl_session_cache shared:SSL:10m;
 ssl_session_tickets off;

From 8c5d4e95cd5996b2f543af9a7cf8377c6b0e7f0c Mon Sep 17 00:00:00 2001
From: Fraybyl
Date: Mon, 19 May 2025 03:00:10 +0300
Subject: [PATCH 08/12] fix: add support Gzip

---
 docs/install/reverse-proxies/angie.md | 29 +++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/docs/install/reverse-proxies/angie.md b/docs/install/reverse-proxies/angie.md
index 35e2fa3..4f02847 100644
--- a/docs/install/reverse-proxies/angie.md
+++ b/docs/install/reverse-proxies/angie.md
@@ -84,6 +84,35 @@ server {
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
 }
+
+ # Gzip Compression
+ gzip on;
+ gzip_vary on;
+ gzip_proxied any;
+ gzip_comp_level 6;
+ gzip_buffers 16 8k;
+ gzip_http_version 1.1;
+ gzip_min_length 256;
+ gzip_types
+ application/atom+xml
+ application/geo+json
+ application/javascript
+ application/x-javascript
+ application/json
+ application/ld+json
+ application/manifest+json
+ application/rdf+xml
+ application/rss+xml
+ application/xhtml+xml
+ application/xml
+ font/eot
+ font/otf
+ font/ttf
+ image/svg+xml
+ text/css
+ text/javascript
+ text/plain
+ text/xml;
 }
 server {

From 6d5740636bc373b657efa338b0a7bd1977397fb6 Mon Sep 17 00:00:00 2001
From: Fraybyl
Date: Mon, 19 May 2025 03:02:59 +0300
Subject: [PATCH 09/12] fix: update nginx configuration

---
 docs/install/reverse-proxies/nginx.md | 30 +++------------------------
 1 file changed, 3 insertions(+), 27 deletions(-)

diff --git a/docs/install/reverse-proxies/nginx.md b/docs/install/reverse-proxies/nginx.md
index 5384b7e..a02e355 100644
--- a/docs/install/reverse-proxies/nginx.md
+++ b/docs/install/reverse-proxies/nginx.md
@@ -73,12 +73,6 @@ This shows that the certificate is issued. `Acme.sh` will take care of automatic
 ### Simple configuration
-We are going to need a `dhparam.pem` file.
-
-```bash
-curl https://ssl-config.mozilla.org/ffdhe2048.txt > /opt/remnawave/nginx/dhparam.pem
-```
-
 Create a file called `nginx.conf` in the `/opt/remnawave/nginx` directory.
 ```bash
@@ -123,35 +117,18 @@ server {
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Forwarded-Host $host;
- proxy_set_header X-Forwarded-Port $server_port;
-
- proxy_send_timeout 60s;
- proxy_read_timeout 60s;
 }
 # SSL Configuration (Mozilla Intermediate Guidelines)
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ecdh_curve X25519:prime256v1:secp384r1;
- ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
- ssl_prefer_server_ciphers off;
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
 ssl_session_timeout 1d;
 ssl_session_cache shared:MozSSL:10m; # ~40,000 sessions
- ssl_dhparam "/etc/nginx/ssl/dhparam.pem";
+ ssl_session_tickets off;
 ssl_certificate "/etc/nginx/ssl/fullchain.pem";
 ssl_certificate_key "/etc/nginx/ssl/privkey.key";
- # OCSP Stapling
- ssl_stapling on;
- ssl_stapling_verify on;
- ssl_trusted_certificate "/etc/nginx/ssl/fullchain.pem";
- resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220;
-
- # HTTP Strict Transport Security (HSTS)
- proxy_hide_header Strict-Transport-Security;
- add_header Strict-Transport-Security "max-age=15552000" always;
-
 # Gzip Compression
 gzip on;
 gzip_vary on;
@@ -210,7 +187,6 @@ services:
 hostname: remnawave-nginx
 volumes:
 - ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
- - ./dhparam.pem:/etc/nginx/ssl/dhparam.pem:ro
 - ./fullchain.pem:/etc/nginx/ssl/fullchain.pem:ro
 - ./privkey.key:/etc/nginx/ssl/privkey.key:ro
 restart: always
From 010323ccbcea00549bcb7a322abce69b584275a8 Mon Sep 17 00:00:00 2001
From: Fraybyl
Date: Mon, 19 May 2025 03:13:41 +0300
Subject: [PATCH 10/12] fix: decrease cache size

---
 docs/install/reverse-proxies/nginx.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/install/reverse-proxies/nginx.md b/docs/install/reverse-proxies/nginx.md
index a02e355..655e44d 100644
--- a/docs/install/reverse-proxies/nginx.md
+++ b/docs/install/reverse-proxies/nginx.md
@@ -124,7 +124,7 @@ server {
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
 ssl_session_timeout 1d;
- ssl_session_cache shared:MozSSL:10m; # ~40,000 sessions
+ ssl_session_cache shared:MozSSL:1m;
 ssl_session_tickets off;
 ssl_certificate "/etc/nginx/ssl/fullchain.pem";
 ssl_certificate_key "/etc/nginx/ssl/privkey.key";

From df67bb828e26ee5cf3df5cb0c7bec1575272ed34 Mon Sep 17 00:00:00 2001
From: Fraybyl
Date: Mon, 19 May 2025 03:17:39 +0300
Subject: [PATCH 11/12] fix: return OCSP, cause zeroSSL)

---
 docs/install/reverse-proxies/nginx.md | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/docs/install/reverse-proxies/nginx.md b/docs/install/reverse-proxies/nginx.md
index 655e44d..8704a28 100644
--- a/docs/install/reverse-proxies/nginx.md
+++ b/docs/install/reverse-proxies/nginx.md
@@ -121,13 +121,19 @@ server {
 # SSL Configuration (Mozilla Intermediate Guidelines)
 ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
 ssl_session_timeout 1d;
 ssl_session_cache shared:MozSSL:1m;
 ssl_session_tickets off;
 ssl_certificate "/etc/nginx/ssl/fullchain.pem";
 ssl_certificate_key "/etc/nginx/ssl/privkey.key";
+ ssl_trusted_certificate "/etc/nginx/ssl/fullchain.pem";
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+ resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
+ resolver_timeout 2s;
 # Gzip Compression
 gzip on;

From 864964600a4b7d77d1104ed3cd237d716a09b88b Mon Sep 17 00:00:00 2001
From: Fraybyl
Date: Mon, 19 May 2025 03:21:51 +0300
Subject: [PATCH 12/12] fix: fix SSL

---
 docs/install/reverse-proxies/angie.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/install/reverse-proxies/angie.md b/docs/install/reverse-proxies/angie.md
index 4f02847..26d135d 100644
--- a/docs/install/reverse-proxies/angie.md
+++ b/docs/install/reverse-proxies/angie.md
@@ -67,9 +67,9 @@ server {
 # SSL Configuration (Mozilla Intermediate)
 ssl_protocols TLSv1.2 TLSv1.3;
- ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
 ssl_session_timeout 1d;
- ssl_session_cache shared:SSL:10m;
+ ssl_session_cache shared:SSL:1m;
 ssl_session_tickets off;
 ssl_certificate $acme_cert_acme_le;
 ssl_certificate_key $acme_cert_key_acme_le;