Setup Reverse Proxy
Reverse proxy configuration examples for Apache, nginx and IIS (on Windows) to use with Calibre-Web:
If your reverse proxy has some kind of authentication mechanism, you can configure Calibre-Web to log users in based on headers received from the proxy. If you use this feature, it is important that only the proxy is exposed to users: if the Calibre-Web instance is directly reachable at all, a malicious user can log in as any existing user simply by setting a header.
In the admin configuration, check the box marked Allow Reverse Proxy Authentication, and then fill in the text box that appears with the name of the header that will contain the username. If you pass a username that isn't present in the database, nothing will happen: the user must exist beforehand in order to log in.
- nginx
- Nginx Proxy Manager
- Apache 2.4
- Internet Information Service IIS 10
- Lighttpd 1.4
- Traefik 2.0
- Traefik >= 2.4.1 with Authelia forward auth
nginx configuration for a local server listening on port 8080, mapping Calibre-Web to /calibre:
http {
    server {
        client_max_body_size 20M;
        location /calibre {
            proxy_bind $server_addr;
            proxy_pass http://127.0.0.1:8083;
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Scheme $scheme;
            proxy_set_header X-Script-Name /calibre; # IMPORTANT: path has NO trailing slash
        }
    }
}
If you want to use nginx as a proxy for a subdomain, just replace the /calibre lines with /, do not change anything else and it will work.
The X-Scheme header is used to preserve the protocol (http/https); it can be hard-coded to http or https to force that protocol.
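How a WSGI application behind the proxy typically consumes these two headers, as an added example (an illustrative middleware, not Calibre-Web's own code; the host name and the toy `login_url` app are assumptions). It shows the doubled slash produced by a trailing slash in X-Script-Name and the http URL generated when X-Scheme is missing behind a TLS-terminating proxy.

```python
class ReverseProxied:
    """Illustrative WSGI middleware (hypothetical, not Calibre-Web's own code)."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        # X-Script-Name becomes the mount point used for every generated URL.
        prefix = environ.get("HTTP_X_SCRIPT_NAME", "")
        if prefix:
            environ["SCRIPT_NAME"] = prefix
            path = environ.get("PATH_INFO", "")
            if path.startswith(prefix):
                environ["PATH_INFO"] = path[len(prefix):]
        # X-Scheme tells the app which protocol the client used towards the proxy.
        scheme = environ.get("HTTP_X_SCHEME", "")
        if scheme in ("http", "https"):
            environ["wsgi.url_scheme"] = scheme
        return self.app(environ, start_response)


def login_url(environ, start_response):
    """Toy app: builds the absolute URL of its /login page as a framework would."""
    url = "{}://{}{}/login".format(
        environ["wsgi.url_scheme"], environ["HTTP_HOST"], environ.get("SCRIPT_NAME", ""))
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [url.encode()]


def simulate(script_name, scheme):
    """Run one constructed request through the middleware and return the URL."""
    environ = {
        "wsgi.url_scheme": "http",          # proxy -> backend hop is plain http
        "HTTP_HOST": "books.example.com",   # constructed host name
        "PATH_INFO": "/calibre/",
        "HTTP_X_SCRIPT_NAME": script_name,
        "HTTP_X_SCHEME": scheme,
    }
    body = ReverseProxied(login_url)(environ, lambda status, headers: None)
    return body[0].decode()


if __name__ == "__main__":
    for args in (("/calibre", "https"), ("/calibre/", "https"), ("/calibre", "")):
        print(args, "->", simulate(*args))
```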
Note: If using SSL in your reverse proxy on a non-standard port (e.g. 12345), the following proxy_redirect line may be required:
proxy_redirect http://$host/ https://$host:12345/;
Credits to @norangebit, see issue 1891.
In Nginx Proxy Manager, create a new proxy host for calibre-web. You can enable Force SSL, HSTS and Block Common Exploits without any problems. Go to the Advanced tab and enter the following parameters:
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
If you have an authentication server like Authelia set up, you can skip authentication for Kobo sync using the additional nginx config below. Make sure the location /kobo block matches your situation.
location /kobo {
    set $upstream_calibreweb $forward_scheme://$server:$port;
    proxy_pass $upstream_calibreweb;
    proxy_buffer_size 128k;
    proxy_buffers 4 256k;
    proxy_busy_buffers_size 256k;
}
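nginx forwards client request headers to the upstream unless a proxy_set_header directive replaces them, so a location that skips the authentication server also passes through any copy of the login header the client sent. The audit below is an added example, not part of Calibre-Web or this wiki: it lists proxied locations that never set the header themselves. The header name Remote-User, the sample configuration and the function names are assumptions, and proxy_set_header inheritance from the server or http level is not modelled.

```python
import re

AUTH_HEADER = "Remote-User"  # assumption: header name entered in the Calibre-Web admin UI

# Constructed sample: /calibre overwrites the header, /kobo forwards it untouched.
SAMPLE_CONF = """
server {
    location /calibre {
        auth_request /authelia;
        auth_request_set $user $upstream_http_remote_user;
        proxy_set_header Remote-User $user;
        proxy_pass http://127.0.0.1:8083;
    }
    location /kobo {
        proxy_pass http://127.0.0.1:8083;
    }
}
"""


def location_blocks(conf):
    """Yield (path, body) for every `location` block, honouring nested braces."""
    for m in re.finditer(r"location\s+([^{]*?)\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]


def audit(conf, header=AUTH_HEADER):
    """Return paths of proxied locations that never set `header` themselves."""
    sets_header = re.compile(
        r"^\s*proxy_set_header\s+" + re.escape(header) + r"\s+\S", re.I | re.M)
    findings = []
    for path, body in location_blocks(conf):
        body = re.sub(r"#.*", "", body)  # ignore comments
        proxied = re.search(r"^\s*proxy_pass\s", body, re.M)
        if proxied and not sets_header.search(body):
            findings.append(path)
    return findings


if __name__ == "__main__":
    for path in audit(SAMPLE_CONF):
        print(f"{path}: client-supplied {AUTH_HEADER} reaches the backend unchanged")
```

For a location that bypasses authentication, `proxy_set_header Remote-User "";` makes nginx drop the client's value instead of forwarding it.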
Optional Kobo sync support
Calibre-web
- Go to the admin settings and enable Kobo sync.
- Set Server External Port to 80.
  - If the port is set to 443, it is not possible to fetch covers.
- Go to your profile page, enable Kobo sync and copy the API endpoint.
Kobo
Open the .kobo/Kobo eReader.conf file in a text editor and edit your API endpoint. Make sure you use HTTPS and not HTTP.
This is an example of a correct line: api_endpoint=https://books.<domain>/kobo/<token>
Apache 2.4 configuration for a local server listening on port 443, mapping Calibre-Web to /calibre-web:
The following modules have to be activated: headers, proxy, proxy_http, rewrite.
Listen 443
<VirtualHost *:443>
    SSLEngine on
    SSLProxyEngine on
    # Strong suites only: the previous list enabled eNULL (no encryption),
    # EXPORT, LOW and SSLv2 ciphers.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES
    SSLCertificateFile "C:\Apache24\conf\ssl\test.crt"
    SSLCertificateKeyFile "C:\Apache24\conf\ssl\test.key"
    <Location /calibre-web >
        RequestHeader set X-SCRIPT-NAME /calibre-web
        RequestHeader set X-SCHEME https
        ProxyPass http://localhost:8083/
        ProxyPassReverse http://localhost:8083/
        ProxyPassReverseCookiePath / /calibre-web/
    </Location>
</VirtualHost>
First you need to install:
The URL rewrite extension:
http://www.iis.net/downloads/microsoft/url-rewrite
and the application request routing:
https://www.iis.net/downloads/microsoft/application-request-routing
Enable the proxy stuff:
Go to your site and start URL-Rewriting:
Add the server variable:
(The local is coming on its own) with UNDERSCORE and exact name:
HTTP_X-SCRIPT_NAME
Then add Reverse Proxy Rules:
Add the ip address and port of your calibre-web instance: e.g. http://127.0.0.1:8083
Change the rule afterwards:
Enter the folder you want to have calibre-web in (/calibre-web instead of ^ might also work). End the name without a slash, otherwise a call to /calibre-web would go nowhere. Then add the server variable to the request and give it the same name as the folder above with a starting slash (/calibre-web in my example, again without a trailing slash).
The rewrite rule should look like this:
My web.config file looks like this:
The crossed out sections aren't needed, they are leftovers from my experiments.
Lighttpd 1.4 configuration for a reverse proxy mapping Calibre-Web to /calibre-web:
The following modules have to be activated: mod_setenv, mod_redirect and mod_proxy.
The example is for an https connection; to have a normal http frontend, the X-SCHEME line has to be deleted. (?)
$HTTP["url"] =~ "^/calibre-web" {
    setenv.add-request-header = (
        "X-SCRIPT-NAME" => "/calibre-web",
        "X-SCHEME" => "https"
    )
    proxy.server = ( "" => ( ( "host" => "127.0.0.1", "port" => "8083" ) ) )
}
traefik.toml:
[log]
level = "DEBUG"
filePath = "log-file.log"
[accessLog]
filePath = "log-access.log"
bufferingSize = 100
[providers]
[providers.file]
filename = "traefik-proxy.toml"
[entryPoints]
[entryPoints.web]
address = ":80"
traefik-proxy.toml:
[http]
[http.middlewares]
[http.middlewares.cwHeader.headers]
[http.middlewares.cwHeader.headers.customRequestHeaders]
X-Script-Name = "/cw"
[http.middlewares.cwStrip.stripPrefixRegex]
regex = ["/cw"]
[http.routers]
[http.routers.cw-router]
rule = "(Host(`127.0.0.1`) && PathPrefix(`/cw`))"
service = "calibre-web"
entryPoints = ["web"]
middlewares = ["cwStrip","cwHeader"]
[http.services]
[http.services.cw-router.loadbalancer]
[[http.services.cw-router.loadbalancer.servers]]
url = "http://127.0.0.1:8083"
This example only works for 127.0.0.1; for other hostnames the routing rule has to be extended.
When you have a setup of Traefik >= 2.4.1 in combination with Authelia forward authorization, Authelia can provide all required information via a Middleware.
Setting up is as easy as:
- Adding authResponseHeaders=Remote-User to the forwardauth middleware
- Adding "Remote-User" as Reverse proxy header name in the Calibre configuration section
- 'traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://login.example.com/'
- 'traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true'
- 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User, Remote-Groups, Remote-Name, Remote-Email'
- 'traefik.http.middlewares.authelia-basic.forwardauth.address=http://authelia:9091/api/verify?auth=basic'