Reverse Proxy Examples


Reverse Proxy Examples

Crafty Controller makes use of WSS. As such you may experience issues using reverse proxies without the proper configurations. These examples make clear what needs to be done for your reverse proxy to support WSS.


Config based on
Edits for 4.0 compatibility by pretzelDewey -
upstream crafty {
    server "<DOMAIN>";

server {
    listen 80;
    server_name <DOMAIN>;
    if ($host !~* ^<SUBDOMAIN>\.<EXAMPLE>\.com$ ) {
        return 444;
    rewrite ^(.*) https://$host$1 permanent;

server {
    listen 443 ssl;
    server_name <DOMAIN>;
    if ($host !~* ^<SUBDOMAIN>\.<EXAMPLE>\.com$ ) {
        return 444;
    ssl_certificate <CERIFICATE_LOCATION>;
    ssl_certificate_key <KEYFILE_LOCATION>;
    location / {
        #This is important for websockets
        proxy_http_version 1.1;
        proxy_redirect off;

        #These are important for websockets. They are required for crafty to function properly.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        #End important websocket parts

        proxy_pass https://localhost:8443;
        proxy_buffering off;
        client_max_body_size 0;
        proxy_connect_timeout  3600s;
        proxy_read_timeout  3600s;
        proxy_send_timeout  3600s;
        send_timeout  3600s;


Base config made by Justman10000 and Zedifus (
Adapted for WSS by pretzelDewey
For this config you need to add the following mods:
<VirtualHost _default_:80>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    RewriteEngine on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

<VirtualHost _default_:443>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    ProxyPreserveHost On
    SSLProxyEngine On
	    SSLProxyVerify none 
	    SSLProxyCheckPeerCN off
	    SSLProxyCheckPeerName off
	    SSLProxyCheckPeerExpire off

#This is important for web sockets which are required by crafty to run!

    RewriteEngine on
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteCond %{HTTP:Connection} upgrade [NC]
    RewriteRule .* "wss://{REQUEST_URI}" [P]

#End important for WSS

    SSLCertificateFile /var/opt/minecraft/crafty4/app/config/web/certs/commander.cert.pem

    SSLCertificateKeyFile /var/opt/minecraft/crafty4/app/config/web/certs/commander.key.pem

    ProxyPass /
    ProxyPassReverse /
    ProxyRequests off

Nginx Proxy Manager (NPM)

Make sure to turn on 'Websocket Support' or Crafty will not run properly.

Traefik (Docker)

Contributed by: noahlistgarten#7462 (Discord)

In the traefik config file, set insecureSkipVerify to true:
CLI: --serversTransport.insecureSkipVerify=true

On the Crafty container, the labels needed are:
    - "traefik.enable=true" # use traefik on this container
    - "traefik.http.routers.crafty.rule=Host(`<YOURCRAFTYDOMAIN.TLD>`)" # set the host URL for traefik
    - "" # port that Crafty operates on is 8443
    - "traefik.http.routers.crafty.tls=true" # tells traefik you want to use SSL/TLS to connect to your Crafty instance
    #- "traefik.http.routers.listgartenphotography.tls.certresolver=<YOURTRAEFIKCERTRESOLVER> # OPTIONAL: If you want traefik to handle TLS certificates instead of Crafty, you should uncomment the beginning of this line and put the name of your traefik certificate resolver here
    - "" # tell traefik to connect to Crafty via https instead of http
    - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto = https" # enable websockets for Crafty

Trouble with WSS Still?

Warning - Some AD blockers will block WSS connections. Try whitelisting the domain or disabling your ad blocker and see if that resolves the problem.