Reverse Proxy
Ricochet Server does not terminate TLS itself.
Place a reverse proxy in front of it to handle HTTPS and forward traffic to 127.0.0.1:6188.
Any reverse proxy that can forward HTTP traffic will work. Below are example configurations for common reverse proxies.
HAProxy:

    backend ricochet
        http-request del-header X-Forwarded-For
        http-request del-header X-Real-IP
        option forwardfor

        mode http
        balance roundrobin
        server ricochet 127.0.0.1:6188 maxconn 100000 check

nginx:

    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    server {
        listen 443 ssl;
        server_name ricochet.example.com;

        ssl_certificate     /etc/ssl/certs/ricochet.pem;
        ssl_certificate_key /etc/ssl/private/ricochet.key;

        location / {
            proxy_pass http://127.0.0.1:6188;

            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;

            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }
    }

Caddy:

    ricochet.example.com {
        reverse_proxy 127.0.0.1:6188 {
            header_up X-Real-IP {remote_host}
            header_up X-Forwarded-For {remote_host}
        }
    }

Caddy provisions and renews TLS certificates automatically.

Traefik (Compose file):

    services:
      traefik:
        image: traefik:v3
        command:
          - --entrypoints.websecure.address=:443
          - --providers.file.filename=/etc/traefik/dynamic.yaml
          - --certificatesresolvers.letsencrypt.acme.tlschallenge=true
          - --certificatesresolvers.letsencrypt.acme.email=admin@example.com
          - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
        ports:
          - "443:443"
        volumes:
          - ./letsencrypt:/letsencrypt
          - ./dynamic.yaml:/etc/traefik/dynamic.yaml

Traefik (dynamic.yaml):

    http:
      routers:
        ricochet:
          rule: "Host(`ricochet.example.com`)"
          entryPoints:
            - websecure
          tls:
            certResolver: letsencrypt
          service: ricochet

      services:
        ricochet:
          loadBalancer:
            servers:
              - url: "http://127.0.0.1:6188"
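
The HAProxy, nginx and Caddy configurations above delete or overwrite any X-Forwarded-For and X-Real-IP value sent by the client, so the backend only sees the address the proxy observed. The following header-echo stand-in, run on 127.0.0.1:6188 in place of Ricochet Server, checks that a given proxy setup does this. It is an added example, not part of Ricochet; the names `audit` and `Echo` are hypothetical, and it assumes a single proxy hop, so exactly one address is expected.

```python
import ipaddress
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

CLIENT_IP_HEADERS = ("x-forwarded-for", "x-real-ip")


def audit(headers):
    """headers: list of (name, value) pairs as received by the backend.
    Returns a list of problems; an empty list means only the proxy's value arrived."""
    problems, seen = [], {}
    for name in CLIENT_IP_HEADERS:
        # Repeated header lines and comma-separated lists both mean a value
        # from the client was passed through next to the proxy's own.
        values = [part.strip() for key, value in headers
                  if key.lower() == name for part in value.split(",")]
        if len(values) > 1:
            problems.append(f"{name}: {len(values)} values, client-supplied data not stripped")
        for value in values:
            try:
                ipaddress.ip_address(value)
            except ValueError:
                problems.append(f"{name}: {value!r} is not an IP address")
        seen[name] = values
    if not seen["x-forwarded-for"]:
        problems.append("x-forwarded-for: missing")
    elif seen["x-real-ip"] and seen["x-real-ip"] != seen["x-forwarded-for"]:
        # X-Real-IP is optional (the HAProxy example only deletes it).
        problems.append("x-real-ip and x-forwarded-for disagree")
    return problems


class Echo(BaseHTTPRequestHandler):
    """Replies with the headers the proxy forwarded and the audit result."""

    def do_GET(self):
        pairs = self.headers.items()  # keeps duplicate header lines
        body = json.dumps({"received": pairs, "problems": audit(pairs)}, indent=2).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Same address the proxy forwards to; stop Ricochet Server first.
    HTTPServer(("127.0.0.1", 6188), Echo).serve_forever()
```

Request the proxied hostname with an arbitrary X-Forwarded-For header set by the client; an empty `problems` list in the JSON reply means the proxy replaced it.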