Configuring a reverse proxy for LOOL

Getting a Let's Encrypt SSL certificate
The Docker container works with a self-signed SSL certificate. To make your instance available from outside, however, your reverse proxy needs a proper SSL certificate, e.g. from Let's Encrypt. To assist with that process, various clients are available. In the following quick sample, we'll use acme.sh, which is a bash script handling certificate creation. To install acme.sh on Debian 10, you can run the following commands (although installation as root is discouraged!):

To actually create the certificates, the following commands can be used:

You can add as many  statements as needed, to have a certificate that covers several hostnames.

Much more convenient than using the  is the stateless mode. In any case, don't forget to add a cron job for automated certificate renewal.

nginx
On Debian 10, the  package is sufficient to act as reverse proxy. If you strengthened your SSL parameter configuration with the help of https://bettercrypto.org or https://github.com/RaymiiOrg/cipherli.st and you have the server-wide  directive set, the highest value supported seems to be.

A sample nginx configuration that seems to be working is as follows:

For the virtual site definition, the following template needs to be filled with the actual proxying (see the articles at and ) to your LOOL instance:

You might also want to set up a robots.txt file to prevent search engines from indexing your site:

    User-Agent: *
    Disallow: /

haproxy
No special configuration is needed to run LOOL behind HAProxy. Something like this should fit perfectly:

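    frontend https_in
        # TLS is terminated here with the Let's Encrypt certificate
        bind *:443 ssl crt /etc/letsencrypt/live/lool.domain.tld/haproxy.pem
        option httplog
        option forwardfor

        # Route by Host header to the LOOL backend
        acl host_lool hdr(host) -i lool.domain.tld
        use_backend lool if host_lool

    backend lool
        # The container presents a self-signed certificate, so it is not
        # verified; the backend is only reached over loopback
        server lool1 127.0.0.1:9980 check ssl verify none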
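
The crt option in the frontend above loads the certificate chain and the private key from one combined PEM file. The following is an added example, not part of the original page, that builds such a file from the two files an ACME client writes and can be called after each renewal; the function name build_haproxy_pem and the argument paths are assumptions.

```shell
#!/bin/sh
# build_haproxy_pem FULLCHAIN KEY OUT   (hypothetical helper name)
# Concatenates the certificate chain and the private key into the single
# PEM file that HAProxy's "bind ... ssl crt" option loads.
build_haproxy_pem() {
    fullchain=$1; key=$2; out=$3
    key_re='-----BEGIN [A-Z ]*PRIVATE KEY-----'

    # Both inputs must exist and be non-empty.
    for f in "$fullchain" "$key"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done

    # Catch swapped or wrong files here instead of at HAProxy reload time.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$fullchain" ||
        { echo "no certificate in $fullchain" >&2; return 2; }
    grep -q -e "$key_re" "$key" ||
        { echo "no private key in $key" >&2; return 3; }

    # The result contains the private key: create it owner-only (mktemp
    # uses mode 0600) next to the target, then rename it into place so
    # HAProxy never reads a half-written file.
    tmp=$(mktemp "$out.XXXXXX") || return 4
    if cat "$fullchain" "$key" > "$tmp" && chmod 600 "$tmp" &&
       mv -f "$tmp" "$out"; then
        return 0
    fi
    rm -f "$tmp"
    return 4
}

# When run as a script with three arguments, build the file directly, e.g.
#   sh build_haproxy_pem.sh fullchain.pem privkey.pem haproxy.pem
if [ "$#" -eq 3 ]; then
    build_haproxy_pem "$@"
fi
```

Reload HAProxy after the file has been replaced so the renewed certificate is picked up.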