woodpecker/docs/docs/30-administration/70-proxy.md

# Proxy

## Apache

This guide provides a brief overview for installing Woodpecker server behind the Apache2 web-server. This is an example configuration:

```nohighlight
ProxyPreserveHost On

RequestHeader set X-Forwarded-Proto "https"

ProxyPass / http://127.0.0.1:8000/
ProxyPassReverse / http://127.0.0.1:8000/
```

You must have the below Apache modules installed.

```nohighlight
a2enmod proxy
a2enmod proxy_http
```

You must configure Apache to set `X-Forwarded-Proto` when using https.

```diff
ProxyPreserveHost On

+RequestHeader set X-Forwarded-Proto "https"

ProxyPass / http://127.0.0.1:8000/
ProxyPassReverse / http://127.0.0.1:8000/
```

## Nginx

This guide provides a basic overview for installing Woodpecker server behind the Nginx web-server. For more advanced configuration options please consult the official Nginx [documentation](https://www.nginx.com/resources/admin-guide/).

Example configuration:

```nginx
server {
    listen 80;
    server_name woodpecker.example.com;

    location / {
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;

        proxy_pass http://127.0.0.1:8000;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_buffering off;

        chunked_transfer_encoding off;
    }
}
```

You must configure the proxy to set `X-Forwarded` proxy headers:

```diff
server {
    listen 80;
    server_name woodpecker.example.com;

    location / {
+       proxy_set_header X-Forwarded-For $remote_addr;
+       proxy_set_header X-Forwarded-Proto $scheme;

        proxy_pass http://127.0.0.1:8000;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_buffering off;

        chunked_transfer_encoding off;
    }
}
```

## Caddy

This guide provides a brief overview for installing Woodpecker server behind the [Caddy web-server](https://caddyserver.com/). This is an example caddyfile proxy configuration:

```caddy
# expose WebUI and API
woodpecker.example.com {
  reverse_proxy woodpecker-server:8000
}

# expose gRPC
woodpeckeragent.example.com {
  reverse_proxy h2c://woodpecker-server:9000
}
```

:::note
Above configuration shows how to create reverse-proxies for web and agent communication. If your agent uses SSL do not forget to enable [WOODPECKER_GRPC_SECURE](./15-agent-config.md#woodpecker_grpc_secure).
:::

## Ngrok

After installing [ngrok](https://ngrok.com/), open a new console and run:

```bash
ngrok http 8000
```

Set `WOODPECKER_HOST` (for example in `docker-compose.yml`) to the ngrok URL (usually xxx.ngrok.io) and start the server.


## Traefik

To install the Woodpecker server behind a [Traefik](https://traefik.io/) load balancer, you must expose both the `http` and the `gRPC` ports. Here is a comprehensive example, considering you are running Traefik with docker swarm and want to do TLS termination and automatic redirection from http to https.

```yml
version: '3.8'

services:
  server:
    image: woodpeckerci/woodpecker-server:latest
    environment:
      - WOODPECKER_OPEN=true
      - WOODPECKER_ADMIN=your_admin_user
      # other settings ...

    networks:
      - dmz # externally defined network, so that traefik can connect to the server
    volumes:
      - woodpecker-server-data:/var/lib/woodpecker/

    deploy:
      labels:
        - traefik.enable=true

        # web server
        - traefik.http.services.woodpecker-service.loadbalancer.server.port=8000

        - traefik.http.routers.woodpecker-secure.rule=Host(`cd.yourdomain.com`)
        - traefik.http.routers.woodpecker-secure.tls=true
        - traefik.http.routers.woodpecker-secure.tls.certresolver=letsencrypt
        - traefik.http.routers.woodpecker-secure.entrypoints=websecure
        - traefik.http.routers.woodpecker-secure.service=woodpecker-service

        - traefik.http.routers.woodpecker.rule=Host(`cd.yourdomain.com`)
        - traefik.http.routers.woodpecker.entrypoints=web
        - traefik.http.routers.woodpecker.service=woodpecker-service

        - traefik.http.middlewares.woodpecker-redirect.redirectscheme.scheme=https
        - traefik.http.middlewares.woodpecker-redirect.redirectscheme.permanent=true
        - traefik.http.routers.woodpecker.middlewares=woodpecker-redirect@docker

        #  gRPC service
        - traefik.http.services.woodpecker-grpc.loadbalancer.server.port=9000
        - traefik.http.services.woodpecker-grpc.loadbalancer.server.scheme=h2c

        - traefik.http.routers.woodpecker-grpc-secure.rule=Host(`woodpecker-grpc.yourdomain.com`)
        - traefik.http.routers.woodpecker-grpc-secure.tls=true
        - traefik.http.routers.woodpecker-grpc-secure.tls.certresolver=letsencrypt
        - traefik.http.routers.woodpecker-grpc-secure.entrypoints=websecure
        - traefik.http.routers.woodpecker-grpc-secure.service=woodpecker-grpc

        - traefik.http.routers.woodpecker-grpc.rule=Host(`woodpecker-grpc.yourdomain.com`)
        - traefik.http.routers.woodpecker-grpc.entrypoints=web
        - traefik.http.routers.woodpecker-grpc.service=woodpecker-grpc

        - traefik.http.middlewares.woodpecker-grpc-redirect.redirectscheme.scheme=https
        - traefik.http.middlewares.woodpecker-grpc-redirect.redirectscheme.permanent=true
        - traefik.http.routers.woodpecker-grpc.middlewares=woodpecker-grpc-redirect@docker


volumes:
  woodpecker-server-data:
    driver: local

networks:
  dmz:
    external: true
```

You should pass `WOODPECKER_GRPC_SECURE=true` and `WOODPECKER_GRPC_VERIFY=true` to your agent when using this configuration.
[Docs] Migrate docs framework to Docusaurus (#282) - Replace mkdocs with docosaurus (improved menu structure, ...) - Structure docs into `Usage` and `Server Setup / Administration` - Update favicon - Create new pipeline-syntax page with all options and links to more detailed docs if available - Add ci to publish to `woodpecker-ci.github.io` - Deploy docs preview to surge for review - Update start-page Co-authored-by: 6543 <6543@obermui.de> 2021-09-11 15:10:32 +00:00			`# Proxy`

Administration articles moved 2019-11-13 18:50:54 +00:00			`## Apache`
Add hints for reverse proxying of grpc server (#1091) * Update 70-proxy.md * Update docs/docs/30-administration/70-proxy.md * fix suggestion Co-authored-by: Anbraten <anton@ju60.de> 2022-08-12 07:34:49 +00:00
Fix typos in docs (#1273) Did used [cspell](https://www.npmjs.com/package/cspell) to find typos and fixed it. Also add cspell to gitpod. Signed-off-by: Yarden Shoham <hrsi88@gmail.com> 2022-10-15 18:25:55 +00:00			`This guide provides a brief overview for installing Woodpecker server behind the Apache2 web-server. This is an example configuration:`
Readme 2019-07-05 13:30:25 +00:00
			```nohighlight
			`ProxyPreserveHost On`

			`RequestHeader set X-Forwarded-Proto "https"`

			`ProxyPass / http://127.0.0.1:8000/`
			`ProxyPassReverse / http://127.0.0.1:8000/`
			```

			`You must have the below Apache modules installed.`

			```nohighlight
			`a2enmod proxy`
			`a2enmod proxy_http`
			```

			You must configure Apache to set `X-Forwarded-Proto` when using https.

			```diff
			`ProxyPreserveHost On`

			`+RequestHeader set X-Forwarded-Proto "https"`

			`ProxyPass / http://127.0.0.1:8000/`
			`ProxyPassReverse / http://127.0.0.1:8000/`
			```

Administration articles moved 2019-11-13 18:50:54 +00:00			`## Nginx`
Readme 2019-07-05 13:30:25 +00:00
More spelling & style fixes (#1275) 2022-10-15 19:25:07 +00:00			`This guide provides a basic overview for installing Woodpecker server behind the Nginx web-server. For more advanced configuration options please consult the official Nginx [documentation](https://www.nginx.com/resources/admin-guide/).`
Readme 2019-07-05 13:30:25 +00:00
			`Example configuration:`

			```nginx
			`server {`
			`listen 80;`
Administration articles moved 2019-11-13 18:50:54 +00:00			`server_name woodpecker.example.com;`
Readme 2019-07-05 13:30:25 +00:00
			`location / {`
			`proxy_set_header X-Forwarded-For $remote_addr;`
			`proxy_set_header X-Forwarded-Proto $scheme;`
			`proxy_set_header Host $http_host;`

			`proxy_pass http://127.0.0.1:8000;`
			`proxy_redirect off;`
			`proxy_http_version 1.1;`
			`proxy_buffering off;`

			`chunked_transfer_encoding off;`
			`}`
			`}`
			```

			You must configure the proxy to set `X-Forwarded` proxy headers:

			```diff
			`server {`
			`listen 80;`
Administration articles moved 2019-11-13 18:50:54 +00:00			`server_name woodpecker.example.com;`
Readme 2019-07-05 13:30:25 +00:00
			`location / {`
			`+ proxy_set_header X-Forwarded-For $remote_addr;`
			`+ proxy_set_header X-Forwarded-Proto $scheme;`

			`proxy_pass http://127.0.0.1:8000;`
			`proxy_redirect off;`
			`proxy_http_version 1.1;`
			`proxy_buffering off;`

			`chunked_transfer_encoding off;`
			`}`
			`}`
			```

Administration articles moved 2019-11-13 18:50:54 +00:00			`## Caddy`
Readme 2019-07-05 13:30:25 +00:00
Fix typos in docs (#1273) Did used [cspell](https://www.npmjs.com/package/cspell) to find typos and fixed it. Also add cspell to gitpod. Signed-off-by: Yarden Shoham <hrsi88@gmail.com> 2022-10-15 18:25:55 +00:00			`This guide provides a brief overview for installing Woodpecker server behind the [Caddy web-server](https://caddyserver.com/). This is an example caddyfile proxy configuration:`
Readme 2019-07-05 13:30:25 +00:00
Update Administration Setup Docs (#1293) Add clarification of port difference for gRPC and HTTP Co-authored-by: 6543 <6543@obermui.de> 2022-10-20 01:33:18 +00:00			```caddy
			`# expose WebUI and API`
Update proxy documentation (#573) 2021-12-08 12:03:17 +00:00			`woodpecker.example.com {`
			`reverse_proxy woodpecker-server:8000`
Readme 2019-07-05 13:30:25 +00:00			`}`
Add hints for reverse proxying of grpc server (#1091) * Update 70-proxy.md * Update docs/docs/30-administration/70-proxy.md * fix suggestion Co-authored-by: Anbraten <anton@ju60.de> 2022-08-12 07:34:49 +00:00
Update Administration Setup Docs (#1293) Add clarification of port difference for gRPC and HTTP Co-authored-by: 6543 <6543@obermui.de> 2022-10-20 01:33:18 +00:00			`# expose gRPC`
Add hints for reverse proxying of grpc server (#1091) * Update 70-proxy.md * Update docs/docs/30-administration/70-proxy.md * fix suggestion Co-authored-by: Anbraten <anton@ju60.de> 2022-08-12 07:34:49 +00:00			`woodpeckeragent.example.com {`
			`reverse_proxy h2c://woodpecker-server:9000`
			`}`
Readme 2019-07-05 13:30:25 +00:00			```

Add hints for reverse proxying of grpc server (#1091) * Update 70-proxy.md * Update docs/docs/30-administration/70-proxy.md * fix suggestion Co-authored-by: Anbraten <anton@ju60.de> 2022-08-12 07:34:49 +00:00			`:::note`
Use versioned docs (#1145) 2022-08-31 23:52:52 +00:00			`Above configuration shows how to create reverse-proxies for web and agent communication. If your agent uses SSL do not forget to enable [WOODPECKER_GRPC_SECURE](./15-agent-config.md#woodpecker_grpc_secure).`
Add hints for reverse proxying of grpc server (#1091) * Update 70-proxy.md * Update docs/docs/30-administration/70-proxy.md * fix suggestion Co-authored-by: Anbraten <anton@ju60.de> 2022-08-12 07:34:49 +00:00			`:::`

Administration articles moved 2019-11-13 18:50:54 +00:00			`## Ngrok`
Add hints for reverse proxying of grpc server (#1091) * Update 70-proxy.md * Update docs/docs/30-administration/70-proxy.md * fix suggestion Co-authored-by: Anbraten <anton@ju60.de> 2022-08-12 07:34:49 +00:00
Readme 2019-07-05 13:30:25 +00:00			`After installing [ngrok](https://ngrok.com/), open a new console and run:`

Add hints for reverse proxying of grpc server (#1091) * Update 70-proxy.md * Update docs/docs/30-administration/70-proxy.md * fix suggestion Co-authored-by: Anbraten <anton@ju60.de> 2022-08-12 07:34:49 +00:00			```bash
Update proxy documentation (#573) 2021-12-08 12:03:17 +00:00			`ngrok http 8000`
Readme 2019-07-05 13:30:25 +00:00			```

More spelling & style fixes (#1275) 2022-10-15 19:25:07 +00:00			Set `WOODPECKER_HOST` (for example in `docker-compose.yml`) to the ngrok URL (usually xxx.ngrok.io) and start the server.
Add a traefik as proxy example (#1162) 2022-09-03 17:15:26 +00:00

			`## Traefik`

More spelling & style fixes (#1275) 2022-10-15 19:25:07 +00:00			To install the Woodpecker server behind a [Traefik](https://traefik.io/) load balancer, you must expose both the `http` and the `gRPC` ports. Here is a comprehensive example, considering you are running Traefik with docker swarm and want to do TLS termination and automatic redirection from http to https.
Add a traefik as proxy example (#1162) 2022-09-03 17:15:26 +00:00
			```yml
			`version: '3.8'`

			`services:`
			`server:`
			`image: woodpeckerci/woodpecker-server:latest`
			`environment:`
			`- WOODPECKER_OPEN=true`
			`- WOODPECKER_ADMIN=your_admin_user`
			`# other settings ...`
More spelling & style fixes (#1275) 2022-10-15 19:25:07 +00:00
Add a traefik as proxy example (#1162) 2022-09-03 17:15:26 +00:00			`networks:`
			`- dmz # externally defined network, so that traefik can connect to the server`
			`volumes:`
			`- woodpecker-server-data:/var/lib/woodpecker/`

			`deploy:`
			`labels:`
			`- traefik.enable=true`
More spelling & style fixes (#1275) 2022-10-15 19:25:07 +00:00
Add a traefik as proxy example (#1162) 2022-09-03 17:15:26 +00:00			`# web server`
			`- traefik.http.services.woodpecker-service.loadbalancer.server.port=8000`

			- traefik.http.routers.woodpecker-secure.rule=Host(`cd.yourdomain.com`)
			`- traefik.http.routers.woodpecker-secure.tls=true`
			`- traefik.http.routers.woodpecker-secure.tls.certresolver=letsencrypt`
			`- traefik.http.routers.woodpecker-secure.entrypoints=websecure`
			`- traefik.http.routers.woodpecker-secure.service=woodpecker-service`

			- traefik.http.routers.woodpecker.rule=Host(`cd.yourdomain.com`)
			`- traefik.http.routers.woodpecker.entrypoints=web`
			`- traefik.http.routers.woodpecker.service=woodpecker-service`

			`- traefik.http.middlewares.woodpecker-redirect.redirectscheme.scheme=https`
			`- traefik.http.middlewares.woodpecker-redirect.redirectscheme.permanent=true`
			`- traefik.http.routers.woodpecker.middlewares=woodpecker-redirect@docker`
More spelling & style fixes (#1275) 2022-10-15 19:25:07 +00:00
			`# gRPC service`
Add a traefik as proxy example (#1162) 2022-09-03 17:15:26 +00:00			`- traefik.http.services.woodpecker-grpc.loadbalancer.server.port=9000`
			`- traefik.http.services.woodpecker-grpc.loadbalancer.server.scheme=h2c`

			- traefik.http.routers.woodpecker-grpc-secure.rule=Host(`woodpecker-grpc.yourdomain.com`)
			`- traefik.http.routers.woodpecker-grpc-secure.tls=true`
			`- traefik.http.routers.woodpecker-grpc-secure.tls.certresolver=letsencrypt`
			`- traefik.http.routers.woodpecker-grpc-secure.entrypoints=websecure`
			`- traefik.http.routers.woodpecker-grpc-secure.service=woodpecker-grpc`

			- traefik.http.routers.woodpecker-grpc.rule=Host(`woodpecker-grpc.yourdomain.com`)
			`- traefik.http.routers.woodpecker-grpc.entrypoints=web`
			`- traefik.http.routers.woodpecker-grpc.service=woodpecker-grpc`

			`- traefik.http.middlewares.woodpecker-grpc-redirect.redirectscheme.scheme=https`
			`- traefik.http.middlewares.woodpecker-grpc-redirect.redirectscheme.permanent=true`
			`- traefik.http.routers.woodpecker-grpc.middlewares=woodpecker-grpc-redirect@docker`
More spelling & style fixes (#1275) 2022-10-15 19:25:07 +00:00

Add a traefik as proxy example (#1162) 2022-09-03 17:15:26 +00:00			`volumes:`
			`woodpecker-server-data:`
			`driver: local`

			`networks:`
More spelling & style fixes (#1275) 2022-10-15 19:25:07 +00:00			`dmz:`
Add a traefik as proxy example (#1162) 2022-09-03 17:15:26 +00:00			`external: true`
			```

			You should pass `WOODPECKER_GRPC_SECURE=true` and `WOODPECKER_GRPC_VERIFY=true` to your agent when using this configuration.