Skip to content

Reverse Proxy Setup

Florian Quirin edited this page Nov 1, 2022 · 15 revisions

What is a reverse proxy and why/when do I need one?

A reverse proxy is lightweight server that acts as a central contact point for clients and distributes connection requests to any number of associated servers that are usually not accessible by a client. In addition it usually offers security features like rate-limiting, basic authentication or handling of SSL certificates and can work as a web-server.
SEPIA for example requires a reverse proxy if you want to access it safely from a public domain (e.g. example.com/sepia).

SEPIA reverse proxy

SEPIA has its own reverse proxy that was included in previous SEPIA-Home installations (<= v2.5.1). It can still be used for testing, prototyping or local networks, but it hasn't been updated for a while and its better to simply use one of the more advanced proxies mentioned below.

Nginx example setup for SEPIA

SEPIA includes sample scripts for Nginx in the SEPIA-Home folder ([SEPIA-Home]/nginx) and a deploy script at [SEPIA-Home]/setup-nginx.sh.
You can create your own file as well, for example /etc/nginx/sites-enabled/sepia.conf (Linux default folder) and add the following content:

# SEPIA WebSockets
map $http_upgrade $connection_upgrade {
	default upgrade;
	''      close;
}

# SEPIA HTTPS
server {
	# port to listen to 
	listen 443 ssl http2;
	listen [::]:443 ssl http2;
	# domain to listen to 
	server_name [my-example-com];
	
	index index.html index.htm;
	
	# SEPIA-Home servers:
	location /sepia/assist/ {
		proxy_pass http://[my-sepia-ip]:20721/;
	}
	location /sepia/teach/ {
		proxy_pass http://[my-sepia-ip]:20722/;
	}
	location /sepia/chat/ {
		proxy_pass http://[my-sepia-ip]:20723/;
	}
	location /sepia/chat/messages/ {
		proxy_pass http://[my-sepia-ip]:20723/messages/;
		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection $connection_upgrade;
		proxy_read_timeout 14400;
	}

	# SEPIA STT-Server:
	location /sepia/stt/ {
		proxy_pass http://[my-sepia-stt-ip]:20741/;
	}
	location /sepia/stt/socket {
		proxy_pass http://[my-sepia-stt-ip]:20741/socket;
		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection $connection_upgrade;
		proxy_read_timeout 30s;
	}

	# DIY clients (useful if you need SSL. Add as many as you like):
	location /sepia/devices/o1/ {
		proxy_pass http://[my-DIY-client-ip]:9090/;
		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection $connection_upgrade;
		proxy_read_timeout 14400;
	}
	
	# Mary-TTS (or compatible) server:
	location /sepia/marytts/ {
		add_header Access-Control-Allow-Origin "$http_origin" always;
		add_header Access-Control-Allow-Headers "Origin, Content-Type, Accept" always;
		add_header Access-Control-Allow-Methods "GET, POST, PUT, OPTIONS, DELETE" always;
		proxy_pass http://[my-mary-tts-ip]:59125/;
		# NOTE: If you want to access a Mary-TTS compatible API directly you can use this
	}

	# ADD your SSL configuration here ...
}

Replace [my-example-com] (e.g. 'sepia.example.com'), [my-sepia-ip] (e.g. '192.168.0.10' or 'localhost'), etc. with your own values and restart Nginx with sudo nginx -s reload.

Apache HTTP server example setup for SEPIA

Many thanks to 'klausw' from the FHEM forum and Praevision.
Create a new file at /etc/apache2/sites-available/sepia.conf (Linux default folder) and add the following content:

Define LOCATION sepia
Define HOST localhost
Define DOMAIN sepia.example.com

# Make sure forward-proxy is disabled
ProxyRequests Off

# Define reverse-proxy locations
ProxyPass /${LOCATION}/assist/ http://${HOST}:20721/
ProxyPass /${LOCATION}/teach/ http://${HOST}:20722/

# Upgrade WebSocket connection
<Location /${LOCATION}/chat/>
  ProxyPass http://${HOST}:20723/

  RewriteEngine On
  RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
  RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
  RewriteRule /messages/(.*) ws://${HOST}:20723/messages/$1 [P]
</Location>

# SSL (optional)
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/${DOMAIN}/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/${DOMAIN}/privkey.pem

Adjust the line Define HOST localhost according to the IP address of your SEPIA server(s) if the Apache proxy is not running on the same machine. DOMAIN and path to certificates are just examples, make sure to fill in your data or remove the entries to skip SSL. Finally load the new settings and restart your Apache web-server:

sudo a2enmod proxy proxy_http
sudo a2enmod proxy_wstunnel
sudo a2ensite sepia.conf
sudo systemctl reload apache2

Windows 10 (via command-prompt)

Many thanks to 'whistler' from the FHEM forum

Start command-prompt (cmd) as administrator and type in the following commands with the proper IP addresses:

set SepiaServerIP=192.168.1.x
set SepiaSTTIP=192.168.1.x
netsh interface portproxy add v4tov4 listenport=20726 connectaddress=%SepiaServerIP%  connectport=20726 listenaddress=127.0.0.1
netsh interface portproxy add v4tov4 listenport=20721 connectaddress=%SepiaServerIP%  connectport=20721 listenaddress=127.0.0.1
netsh interface portproxy add v4tov4 listenport=20722 connectaddress=%SepiaServerIP%  connectport=20722 listenaddress=127.0.0.1
netsh interface portproxy add v4tov4 listenport=20723 connectaddress=%SepiaServerIP%  connectport=20723 listenaddress=127.0.0.1
netsh interface portproxy add v4tov4 listenport=20741 connectaddress=%SepiaSTTIP% connectport=20741 listenaddress=127.0.0.1