Reverse Proxy Examples

Crafty Controller uses secure WebSockets (WSS), so a reverse proxy that is not configured to pass WebSocket connections through will cause problems. The examples below show what each reverse proxy needs in order to support WSS.

Nginx

Config based on https://gitlab.com/lewishill211/crafty-controller-https
Edits for 4.0 compatibility by pretzelDewey - https://gitlab.com/amcmanu3
upstream crafty {
    server "<DOMAIN>";
}

server {
    listen 80;
    server_name <DOMAIN>;
    if ($host !~* ^<SUBDOMAIN>\.<EXAMPLE>\.com$ ) {
        return 444;
    }
    rewrite ^(.*) https://$host$1 permanent;
}

server {
    listen 443 ssl;
    server_name <DOMAIN>;
    if ($host !~* ^<SUBDOMAIN>\.<EXAMPLE>\.com$ ) {
        return 444;
    }
    ssl_certificate <CERTIFICATE_LOCATION>;
    ssl_certificate_key <KEYFILE_LOCATION>;
    location / {
        #This is important for websockets
        proxy_http_version 1.1;
        proxy_redirect off;

        #These are important for websockets. They are required for crafty to function properly.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        #End important websocket parts

        proxy_pass https://localhost:8443;
       
        proxy_buffering off;
        client_max_body_size 0;
        proxy_connect_timeout  3600s;
        proxy_read_timeout  3600s;
        proxy_send_timeout  3600s;
        send_timeout  3600s;
    }
}

Apache2

Base config made by Justman10000 and Zedifus (https://gitlab.com/Zedifus)
Adapted for WSS by pretzelDewey https://gitlab.com/amcmanu3
For this config you need to add the following mods:
 mod_ssl
 mod_rewrite
 mod_http_upgrade
 mod_wss
<VirtualHost _default_:80>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    RewriteEngine on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost _default_:443>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    ProxyPreserveHost On
    SSLProxyEngine On
    # The next four directives turn off verification of the backend (Crafty) certificate
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off

#This is important for web sockets which are required by crafty to run!

    RewriteEngine on
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteCond %{HTTP:Connection} upgrade [NC]
    RewriteRule .* "wss://127.0.0.1:8443%{REQUEST_URI}" [P]

#End important for WSS

    SSLCertificateFile /var/opt/minecraft/crafty4/app/config/web/certs/commander.cert.pem

    SSLCertificateKeyFile /var/opt/minecraft/crafty4/app/config/web/certs/commander.key.pem

    ProxyPass / https://127.0.0.1:8443/
    ProxyPassReverse / https://127.0.0.1:8443/
    ProxyRequests off
</VirtualHost>

Nginx Proxy Manager (NPM)


Make sure to turn on 'Websocket Support' or Crafty will not run properly.

Traefik (Docker)

Contributed by: noahlistgarten#7462 (Discord)

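In the Traefik config file, set insecureSkipVerify to true. This is a global setting: it turns off backend certificate verification for every service that uses Traefik's default servers transport, not only Crafty.
CLI: --serversTransport.insecureSkipVerify=true
(https://doc.traefik.io/traefik/routing/overview/#insecureskipverify)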

On the Crafty container, the labels needed are:
    - "traefik.enable=true" # use traefik on this container
    - "traefik.http.routers.crafty.rule=Host(`<YOURCRAFTYDOMAIN.TLD>`)" # set the host URL for traefik
    - "traefik.http.services.crafty.loadbalancer.server.port=8443" # port that Crafty operates on is 8443
    - "traefik.http.routers.crafty.tls=true" # tells traefik you want to use SSL/TLS to connect to your Crafty instance
    #- "traefik.http.routers.crafty.tls.certresolver=<YOURTRAEFIKCERTRESOLVER>" # OPTIONAL: If you want traefik to handle TLS certificates instead of Crafty, you should uncomment the beginning of this line and put the name of your traefik certificate resolver here
    - "traefik.http.services.crafty.loadbalancer.server.scheme=https" # tell traefik to connect to Crafty via https instead of http
    - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https" # send X-Forwarded-Proto: https to Crafty (needed for websockets)
    - "traefik.http.routers.crafty.middlewares=sslheader" # attach the sslheader middleware to the crafty router; a middleware that is only defined is never applied

Caddy

Contributed by: charliehoward

In your Caddyfile, enter the following config:

example.example.com {
    reverse_proxy x.x.x.x:8443 {
        transport http {
            tls
            tls_insecure_skip_verify
        }
    }
}

Replace x.x.x.x with the IP address of the device running the Crafty instance, and confirm that it is listening on port 8443.

Trouble with WSS Still?

Warning - Some ad blockers will block WSS connections. Try whitelisting the domain or disabling your ad blocker and see if that resolves the problem.