Reverse proxy (no Cloudflare)

Use this setup if you’re not using Cloudflare and want to manage SSL certificates yourself.

Architecture

Internet → Nginx (HTTPS port 443) → {
    auth.example.com    → goiabada-authserver:9090 (HTTP)
    admin.example.com   → goiabada-adminconsole:9091 (HTTP)
}

Nginx handles HTTPS termination with Let’s Encrypt certificates. Goiabada runs on HTTP internally.

Prerequisites

• Two domain names (subdomains) for auth and admin console
• Nginx installed
• Docker and docker-compose installed

Setup

1. Configure DNS records

At your DNS provider, add A records for both domains pointing to your server’s IP address:

Type: A    Name: auth    Content: <your-server-ip>
Type: A    Name: admin   Content: <your-server-ip>

Tip

DNS propagation can take up to 48 hours, but usually completes within minutes. You can verify with dig auth.example.com or nslookup auth.example.com.

2. Start Goiabada containers

Use the setup wizard to generate your docker-compose.yml:

1. Select “2. Production with reverse proxy” when prompted
2. Enter your domain names (e.g., https://auth.example.com and https://admin.example.com)
3. The wizard automatically sets TRUST_PROXY_HEADERS=true and SET_COOKIE_SECURE=true

Then start the containers:

docker compose up -d

Verify containers are running:

# Check containers are running
docker ps | grep goiabada

# Test auth server health (should return: healthy)
curl http://localhost:9090/health && echo

# Test admin console health (should return: healthy)
curl http://localhost:9091/health && echo

3. Get SSL certificates

1. Install certbot (Ubuntu/Debian):

   sudo apt-get update
   sudo apt-get install certbot
   sudo mkdir -p /var/www/certbot

2. Create a temporary Nginx config for certificate acquisition:

   sudo nano /etc/nginx/sites-available/goiabada

3. Add temporary HTTP config:

   Caution

   Replace auth.example.com and admin.example.com with your actual domain names throughout this configuration.

   server {
       listen 80;
       server_name auth.example.com;
   
       location /.well-known/acme-challenge/ {
           root /var/www/certbot;
       }
   
       location / {
           proxy_pass http://127.0.0.1:9090;
       }
   }
   
   server {
       listen 80;
       server_name admin.example.com;
   
       location /.well-known/acme-challenge/ {
           root /var/www/certbot;
       }
   
       location / {
           proxy_pass http://127.0.0.1:9091;
       }
   }

4. Enable and reload:

   sudo ln -s /etc/nginx/sites-available/goiabada /etc/nginx/sites-enabled/
   sudo nginx -t && sudo nginx -s reload

5. Get certificates:

   sudo certbot certonly --webroot -w /var/www/certbot -d auth.example.com
   sudo certbot certonly --webroot -w /var/www/certbot -d admin.example.com

4. Configure Nginx

Create /etc/nginx/sites-available/goiabada:

# Auth Server
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name auth.example.com;

    ssl_certificate /etc/letsencrypt/live/auth.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/auth.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;

    location / {
        proxy_pass http://127.0.0.1:9090;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Important: larger buffers needed for chunked cookie sessions
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
    }

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
}

# Admin Console
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name admin.example.com;

    ssl_certificate /etc/letsencrypt/live/admin.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/admin.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;

    location / {
        proxy_pass http://127.0.0.1:9091;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Important: larger buffers needed for chunked cookie sessions
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
    }

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
}

# HTTP to HTTPS redirect
server {
    listen 80;
    listen [::]:80;
    server_name auth.example.com admin.example.com;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

Enable and reload:

sudo ln -s /etc/nginx/sites-available/goiabada /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx

5. Configure firewall

sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
# Do NOT expose 9090 or 9091 to the internet

6. Set up certificate auto-renewal

Let’s Encrypt certificates expire after 90 days. Set up auto-renewal:

# Test renewal
sudo certbot renew --dry-run

# Auto-renewal is typically configured automatically via cron or systemd timer
sudo systemctl status certbot.timer

Access your deployment

• Auth server: https://auth.example.com
• Admin console: https://admin.example.com