Files
rmm-openwrt/docs/reverse-proxy.md
2026-06-04 15:26:43 +03:00

2.0 KiB

Reverse Proxy

The web UI and HTTP API work through a standard HTTP reverse proxy. The application uses same-origin requests and an HttpOnly signed session cookie.

For NPMplus, use the dedicated npmplus.md guide. The included Caddy overlay is only an optional standalone alternative.

What The Proxy Handles

  • Web UI.
  • Operator login/logout.
  • Operator HTTP API.
  • Agent enrollment, heartbeat, command polling, and command results.

What The Proxy Does Not Handle

An ordinary HTTP reverse proxy does not proxy SSH:

  • 2222/tcp must remain reachable by managed routers, or be handled by a TCP proxy.
  • 22000-22099/tcp must remain reachable by trusted operators, or be handled by a TCP proxy/VPN.

Included Caddy Configuration

Set a public DNS name in .env:

RMM_DOMAIN=rmm.example.com
RMM_COOKIE_SECURE=true
RMM_HTTP_BIND_IP=127.0.0.1

Start the base stack with the proxy overlay:

docker compose -f compose.yaml -f compose.proxy.yaml up -d --build

Caddy automatically obtains and renews a TLS certificate when:

  • the domain resolves to the server;
  • ports 80 and 443 are reachable from the internet.

Open:

https://rmm.example.com

Existing Reverse Proxy

Proxy HTTP traffic to:

http://rmm-server:8080

When the browser uses HTTPS, set:

RMM_COOKIE_SECURE=true

Preserve the original Host header and forward client/protocol headers. Example Nginx location:

location / {
    proxy_pass http://127.0.0.1:18080;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}

No WebSocket settings are currently required.

  • Public or VPN operator access: 443/tcp.
  • Router tunnel access: 2222/tcp.
  • Trusted operator/VPN access only: 22000-22099/tcp.
  • Do not expose the direct application port 18080 publicly when using a reverse proxy.