
Nginx Reverse Proxy

Self-hosted reverse proxy with TLS and full control over CodePiper's network configuration.

Overview

Use this setup for persistent remote access with TLS and a custom domain, without relying on a third-party tunnel service.

Best for: Self-hosted, full control, existing Nginx infrastructure
TLS: Let’s Encrypt (certbot) or your own certificates
Persistent URL: Yes (your domain)
Auth layer: None built-in (add auth_basic, fail2ban, or a WAF)

Prerequisites

  • A domain name pointing to your server (e.g. codepiper.example.com)
  • Nginx installed
  • SSL certificate (Let’s Encrypt via certbot, or your own)

Configuration

upstream codepiper_http {
    server 127.0.0.1:3000;
}

upstream codepiper_ws {
    server 127.0.0.1:9999;
}

server {
    listen 443 ssl http2;
    server_name codepiper.example.com;

    ssl_certificate /etc/letsencrypt/live/codepiper.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/codepiper.example.com/privkey.pem;

    # HTTP API and dashboard
    location / {
        proxy_pass http://codepiper_http;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # WebSocket
    location /ws {
        proxy_pass http://codepiper_ws;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 86400;
    }
}

server {
    listen 80;
    server_name codepiper.example.com;
    return 301 https://$host$request_uri;
}
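
Because this method has no built-in auth layer and the daemon is started with TRUST_PROXY_HEADERS=true (see Daemon Environment), the following is an added example, not CodePiper's own config, of the HTTPS server block with auth_basic enabled and X-Forwarded-For overwritten instead of appended. Assumptions: the htpasswd path and realm string are placeholders, CodePiper's clients can present HTTP Basic credentials on both / and /ws, and Nginx is the only proxy in front of the daemon.

```nginx
# Added example: hardened variant of the HTTPS server block above.
# The upstream blocks and the port-80 redirect stay as they are.
server {
    listen 443 ssl http2;
    server_name codepiper.example.com;

    ssl_certificate     /etc/letsencrypt/live/codepiper.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/codepiper.example.com/privkey.pem;

    # Require credentials at the proxy; both locations below inherit this.
    # Assumed path. Create the file with:
    #   htpasswd -c /etc/nginx/codepiper.htpasswd <user>
    auth_basic           "CodePiper";
    auth_basic_user_file /etc/nginx/codepiper.htpasswd;

    # HTTP API and dashboard
    location / {
        proxy_pass http://codepiper_http;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Overwrite rather than append: $proxy_add_x_forwarded_for keeps any
        # X-Forwarded-For value the client sent and adds $remote_addr after it,
        # so a backend that trusts proxy headers may read a client-chosen IP.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # WebSocket
    location /ws {
        proxy_pass http://codepiper_ws;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 86400;
    }
}
```

Run sudo nginx -t before reloading. Failed Basic-auth attempts are written to the Nginx error log, which is the log fail2ban's stock nginx-http-auth filter reads.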

TLS with Let’s Encrypt

sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d codepiper.example.com

Certbot will automatically modify the Nginx config to include certificate paths and set up auto-renewal.

Daemon Environment

TRUST_PROXY_HEADERS=true \
FORCE_SECURE_COOKIES=true \
ALLOWED_ORIGINS=https://codepiper.example.com \
codepiper daemon --web

When to Use Something Else

Nginx gives you full control but requires managing certificates, server configuration, and firewall rules yourself. For automatic TLS without manual renewal, try Caddy. For zero-config solutions, try Tailscale or Cloudflare Tunnel.

See the Remote Access overview for a comparison of all methods.