Reverse proxy configuration examples


#1

If you want to run OctoPrint behind a reverse proxy such as Nginx, HAProxy or Apache's mod_proxy you can find some configuration examples here.

Nginx

For Nginx the basic forwarding configuration is something like this:

    worker_processes  1;
    
    events {
        worker_connections  1024;
    }
    
    http {
        include            mime.types;
        default_type       application/octet-stream;
        sendfile           on;
        keepalive_timeout  65;

        map $http_upgrade $connection_upgrade {
            default upgrade;
            '' close;
        }
  
        upstream "octoprint" {
            server 127.0.0.1:5000;
        }
    
        upstream "mjpg-streamer" {
            server 127.0.0.1:8080;
        }
    
        server {
            listen       80;
            server_name  localhost;
            
            location / {
                proxy_pass http://octoprint/;
                proxy_set_header Host $http_host;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Scheme $scheme;
                proxy_http_version 1.1;

                client_max_body_size 0;    
            }

            location /webcam/ {
                proxy_pass http://mjpg-streamer/;
            }

            # redirect server error pages to the static page /50x.html
            error_page   500 502 503 504  /50x.html;
            location = /50x.html {
                root   html;
            }
        }
    }

:warning: Warning

Be extra sure to include proxy_http_version 1.1 or the web socket connection will fail.

If you want to serve OctoPrint on a different base URL than / (e.g. /octoprint/), you'll need to adjust its location definition slightly by changing the location path itself, the proxy_pass target and adding the X-Script-Name header:

    location /octoprint/ {
        proxy_pass http://octoprint/; # make sure to add trailing slash here!
        proxy_set_header Host $http_host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Script-Name /octoprint;
        proxy_http_version 1.1;

        client_max_body_size 0;    
    }

HAProxy

If you just want to run OctoPrint on the server root of the reverse proxy with mjpg-streamer running under /webcam, the following configuration is sufficient:

global
        maxconn 4096
        user haproxy
        group haproxy
        daemon
        log 127.0.0.1 local0 debug

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        retries 3
        option redispatch
        option http-server-close
        option forwardfor
        maxconn 2000
        timeout connect 5s
        timeout client  15min
        timeout server  15min

frontend public
        bind *:80
        use_backend webcam if { path_beg /webcam/ }
        default_backend octoprint

backend octoprint
        option forwardfor
        server octoprint1 127.0.0.1:5000

backend webcam
        reqrep ^([^\ :]*)\ /webcam/(.*)     \1\ /\2
        server webcam1  127.0.0.1:8080

If you want to make it run on a different base URL, you'll need to instruct HAProxy to send a X-Script-Name header with each forwarded request to make OctoPrint generate correct URLs on its pages:

backend octoprint
  reqrep ^([^\ :]*)\ /octoprint/(.*)  \1\ /\2
  reqadd X-Script-Name:\ /octoprint
  option forwardfor
  server octoprint1 127.0.0.1:5000

If you also want to run it SSL encrypted with HAProxy being the SSL terminator, you should also send a header of X-Scheme with each forwarded request to indicate https requests. You can configure this in the backend section like this:

backend octoprint
  ...
  reqadd X-Scheme:\ https if { ssl_fc }
  ...

Apache

:warning: Not recommended

Apache is somewhat heavy weighted compared to other options, and the configuration is also a bit messy. If possible it's highly recommended to rather use Nginx or haproxy.

For Apache (with mod_proxy, mod_proxy_http, mod_proxy_wstunnel and mod_headers enabled) the basic configuration is something among these lines:

<Location />
  ProxyPass http://<myOctoPrintHost>:5000/
  ProxyPassReverse http://<myOctoPrintHost>:5000/

  RewriteEngine on
  RewriteCond %{HTTP:UPGRADE} =websocket [NC]
  RewriteRule .* ws://<myOctoPrintHost>%{REQUEST_URI} [P,L]
</Location>

or with https:

<Location />
  RequestHeader set X-SCHEME https
  ProxyPass http://<myOctoPrintHost>:5000/
  ProxyPassReverse http://<myOctoPrintHost>:5000/

  RewriteEngine on
  RewriteCond %{HTTP:UPGRADE} =websocket [NC]
  RewriteRule .* ws://<myOctoPrintHost>%{REQUEST_URI} [P,L]
</Location>

If you want to use a different base URL, the configuration will be slightly different:

<Location /octoprint/>
  RequestHeader set X-SCRIPT-NAME /octoprint/
  ProxyPassReverse http://<myOctoPrintHost>:5000/

  RewriteEngine on
  RewriteCond %{HTTP:UPGRADE} =websocket [NC]
  RewriteRule /octoprint/(.*) ws://<myOctoPrintHost>/$1 [P,L]
  RewriteCond %{HTTP:UPGRADE} !=websocket [NC]
  RewriteRule /octoprint/(.*) http://<myOctoPrintHost>/$1 [P,L]
</Location>

If you also want to use https:

<Location /octoprint/>
  RequestHeader set X-SCRIPT-NAME /octoprint/
  RequestHeader set X-SCHEME https
  ProxyPassReverse http://<myOctoPrintHost>:5000/

  RewriteEngine on
  RewriteCond %{HTTP:UPGRADE} =websocket [NC]
  RewriteRule /octoprint/(.*) ws://<myOctoPrintHost>/$1 [P,L]
  RewriteCond %{HTTP:UPGRADE} !=websocket [NC]
  RewriteRule /octoprint/(.*) http://<myOctoPrintHost>/$1 [P,L]
</Location>

Want reverse proxy but OctoPrint paths are absolute
A Guide To Safe Remote Access of OctoPrint
Octopi with Pi Control (Apache2)
Setting up OctoPrint on a Raspberry Pi running Raspbian
ownCloud on octopi? (achieved)
Change HaProxy for nginx