Reverse Proxy gRPC Port (Supports Cloudflare CDN)

Using Nginx or Caddy to reverse proxy gRPC

• Nginx Configuration

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name data.example.com; # Your domain that the Agent uses to connect to the Dashboard

    ssl_certificate          /data/letsencrypt/fullchain.pem; # Path to your domain certificate
    ssl_certificate_key      /data/letsencrypt/key.pem;       # Path to your domain private key
    ssl_stapling on;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m; # This might conflict with other configuration files; comment it out if there are conflicts
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;

    underscores_in_headers on;

    keepalive_time 24h;
    keepalive_requests 100000;
    keepalive_timeout 120s;

    location / {
        grpc_read_timeout 300s;
        grpc_send_timeout 300s;
        grpc_socket_keepalive on;
        grpc_pass grpc://grpcservers;
    }
}

upstream grpcservers {
    server localhost:5555;
    keepalive 512;
}

• Caddy Configuration

data.example.com:443 { # Your domain that the Agent uses to connect to the Dashboard
    reverse_proxy {
        to localhost:5555
        transport http {
            versions h2c 2
        }
    }
}

Dashboard Configuration

• First, log in to the Dashboard and go to the settings page. In the Non-CDN Dashboard server domain/IP field, enter the domain configured in Nginx or Caddy in the previous step, for example, data.example.com, and save it.
• Then, on the Dashboard server, open the /opt/nezha/dashboard/data/config.yaml file. Modify proxygrpcport to the port that Nginx or Caddy is listening to, for example, 443. Since we enabled SSL/TLS in Nginx or Caddy, set tls to true. After making these changes, restart the Dashboard.

Agent Configuration

• Log in to the Dashboard management backend, copy the one-click installation command, and execute it on the corresponding server to reinstall the agent.

Enabling Cloudflare CDN (Optional)

According to Cloudflare gRPC requirements: gRPC services must listen on port 443 and must support TLS and HTTP/2. So, to enable CDN, you must use port 443 when configuring Nginx or Caddy to reverse proxy gRPC and configure the certificate (Caddy will automatically apply and configure the certificate).

• Log in to Cloudflare, select the domain you are using. Go to the Network tab and turn on the gRPC switch. Then, go to the DNS tab, find the DNS record for the domain configured in Nginx or Caddy to reverse proxy gRPC, and enable the CDN by clicking the orange cloud.

After enabling gRPC, it might not be available immediately, and you may need to wait for a while. You can use curl and nezha-agent -d to verify:

localhost:~/agent# curl -H "content-type: application/grpc+proto" -H "authorization: Bearer test" https://xxx.xxx.ovh -v 
* processing: https://xxx.xxx.ovh
*   Trying [2606:4700:3035::ac43:8bed]:443...
* Connected to xxx.xxx.ovh (2606:4700:3035::ac43:8bed) port 443
# ... SSL info
* using HTTP/2
* h2 [:method: GET]
* h2 [:scheme: https]
* h2 [:authority: xxx.xxx.ovh]
* h2 [:path: /]
* h2 [user-agent: curl/8.2.1]
* h2 [accept: */*]
* Using Stream ID: 1
> GET / HTTP/2
> Host: xxx.xxx.ovh
> User-Agent: curl/8.4.0
> Accept: */*
> content-type: application/grpc+proto
> authorization: Bearer test
> 
< HTTP/2 405 
< date: Wed, 20 Dec 2023 08:56:27 GMT
< content-type: application/grpc+proto
< cf-ray: 8386ac12dabd5ddc-HKG
< cf-cache-status: DYNAMIC
< grpc-message: Received a HEADERS frame with :method "GET" which should be POST
< grpc-status: 13
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2BTjgJvXWyRF11nUOYx9Lq7UDC1xOYBLtjvWrdjVJQIqu9YqnFJeZFran2KRs6zabQc%2BLV8AubNqYRYDb7hQAZe6bglmVz0wQjrb0tNovYf%2B59SAp%2BQfZnH%2BAFDydNT95ZCmTPnKgWetcwQiUfXU%3D"}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< vary: Accept-Encoding
< server: cloudflare
< alt-svc: h3=":443"; ma=86400
< 
* Connection #0 to host xxx.xxx.ovh left intact
localhost:~/agent# /opt/nezha/agent/nezha-agent -s nezha.xxx.xxx:443 -p YOUR_KEY --tls -d
NEZHA@2023-12-20 05:14:00>> 检查更新： 0.15.14
NEZHA@2023-12-20 05:14:01>> 上报系统信息失败： rpc error: code = Unknown desc = EOF # You need to modify the GRPCHost and TLS options in the Dashboard /opt/nezha/dashboard/data/config.yaml
NEZHA@2023-12-20 05:14:01>> Error to close connection ...