Proxying WeeChat relay with a web server
Chisight edited this page 2023-05-28 01:23:01 -05:00

Whether there's a nasty firewall in your way or you don't want to have to rotate certificates in more than one place, there are many good reasons to proxy your relay behind your web server. It's easy to do this because the relay connection only uses the /weechat endpoint, so everything else is served by your web server as normal. This way, you can use it on port 443 without issues. Neat, huh?

Alternatively, you can specify a custom endpoint by setting the WeeChat relay hostname to <your host>:443/<your websocket> and adding the matching endpoint location in the proxy. This allows multiple proxy locations on the same web server to point to different instances of WeeChat on different relay ports.

Things to remember

Ensure that the relay is accessible only via TLS (SSL). You don't want to accidentally connect to it over unencrypted HTTP. (Access to the WeeChat relay means you can do /exec, so anyone with the relay password can gain access to your server!) Make sure you always use encryption to connect to your relay!

Note for CentOS/RHEL: The default SELinux policy will prevent nginx from communicating with the WeeChat relay. To fix this, execute setsebool -P httpd_can_network_connect 1.

nginx

An example configuration could look like this, with your usual web server configuration where the ellipsis ([...]) is:

# Set up brute force protection
limit_req_zone $binary_remote_addr zone=weechat:10m rate=5r/m;
server {
    [...] # Your config goes here!
    location = /weechat {
        proxy_pass http://localhost:8000/weechat; # Change the port to your relay's
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;   # These two lines pass the WebSocket
        proxy_set_header Connection "Upgrade";    # upgrade through to the relay
        proxy_read_timeout 604800;                # Prevent idle disconnects
        proxy_set_header X-Real-IP $remote_addr;  # Let WeeChat see the client's IP
        limit_req zone=weechat burst=1 nodelay;   # Brute force prevention
    }
}

Apache (up to version 2.4.46)

Make sure the modules proxy and proxy_wstunnel are loaded. Then add the following to your SSL-enabled server configuration:

ProxyPass "/weechat" "ws://localhost:8000/weechat"
ProxyPassReverse "/weechat" "ws://localhost:8000/weechat"

Apache (version 2.4.47 and later)

Make sure the modules proxy and proxy_http are loaded. Then add the following to your SSL-enabled server configuration:

ProxyRequests off
ProxyPass "/weechat" "http://localhost:8000/weechat" upgrade=websocket

Caddy

Caddy 1

Configuring Caddy as an SSL proxy could not be easier. Add this to your Caddyfile:

sub.domain.name { # change to point to your (sub-)domain
    proxy /weechat localhost:9001 { # change to your relay port
        websocket
    }
}

As always, Caddy will take care of the certificate automagically!

Caddy 2

sub.domain.name {
    reverse_proxy /weechat localhost:9001
}

HAProxy

HAProxy can be used to terminate SSL for Glowing Bear, so you don't need to load a certificate into WeeChat. Glowing Bear connects to an SSL frontend in HAProxy, and the backend connects unencrypted to 127.0.0.1 (assuming that's where WeeChat is running). With Certbot, you can automatically renew the certificate and then reload HAProxy.

frontend irc.domain.com
  bind *:80
  bind *:443 ssl crt /path/to/your/full/cert.pem

  redirect scheme https code 302 if !{ ssl_fc }
  # reqadd was removed in HAProxy 2.1; there use: http-request set-header X-Forwarded-Proto https if { ssl_fc }
  reqadd X-Forwarded-Proto:\ https if { ssl_fc }

  use_backend irc.domain.com if { hdr(host) -i irc.domain.com }

backend irc.domain.com
  option forwardfor header X-Real-IP
  server irc 127.0.0.1:9001
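Whichever of the proxies above you use, it is worth confirming that the WebSocket upgrade really reaches the relay over TLS. The following check is an added example (not part of this wiki page, Glowing Bear or WeeChat): it opens a certificate-verified TLS connection to the proxy, sends a WebSocket upgrade request for /weechat and validates the 101 response per RFC 6455; a proxy that drops the Upgrade/Connection headers typically answers 400 or 200 instead. The host name, port 443 and the /weechat path are assumptions to adjust to your setup.

```python
"""Added check: does the reverse proxy forward a WebSocket upgrade to /weechat over TLS?"""
import base64
import hashlib
import os
import socket
import ssl

# RFC 6455 GUID used to derive Sec-WebSocket-Accept from Sec-WebSocket-Key.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def expected_accept(key: str) -> str:
    """Accept value a compliant WebSocket server must return for this key."""
    return base64.b64encode(hashlib.sha1((key + WS_GUID).encode()).digest()).decode()


def parse_handshake(raw: bytes):
    """Split an HTTP response head into (status code, lower-cased header dict)."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def handshake_ok(key: str, raw: bytes) -> bool:
    """True only for '101 Switching Protocols' with the matching Accept header.
    A proxy missing the Upgrade/Connection headers usually answers 400 or 200,
    which this reports as a failure."""
    status, headers = parse_handshake(raw)
    return (status == 101
            and headers.get("upgrade", "").lower() == "websocket"
            and headers.get("sec-websocket-accept") == expected_accept(key))


def probe(host: str, path: str = "/weechat", port: int = 443) -> bool:
    """Connect over TLS (certificate and hostname verified) and attempt the upgrade.
    host/path/port are assumptions: set them to your proxy's values."""
    key = base64.b64encode(os.urandom(16)).decode()
    request = (f"GET {path} HTTP/1.1\r\nHost: {host}\r\nUpgrade: websocket\r\n"
               f"Connection: Upgrade\r\nSec-WebSocket-Key: {key}\r\n"
               "Sec-WebSocket-Version: 13\r\n\r\n").encode()
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(request)
            return handshake_ok(key, tls.recv(4096))
```

Call probe("irc.domain.com") from a Python shell; it returns True when the proxy completed the upgrade and False otherwise, without ever sending the relay password.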