Reverse Proxy

Running VPS Deployer behind a reverse proxy gives you:

  • HTTPS via Let’s Encrypt
  • Custom domain instead of IP:port
  • Request filtering and rate limiting
  • Access logging

VPS Deployer generates a reference nginx.config file in your working directory. Here’s a production-ready example:

server {
    listen 80;
    server_name deploy.example.com;

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /webhook/ {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

VPS Deployer also generates a reference Caddyfile. Caddy handles HTTPS automatically:

deploy.example.com {
    reverse_proxy 127.0.0.1:3000
}

That’s it — Caddy automatically provisions and renews TLS certificates from Let’s Encrypt.

The following headers must be forwarded for VPS Deployer to work correctly:

| Header | Purpose |
|---|---|
| Host | Original hostname |
| X-Real-IP | Client’s real IP address |
| X-Forwarded-For | Proxy chain |
| X-Forwarded-Proto | Original protocol (http/https) |

VPS Deployer sets app.set('trust proxy', true) to trust these headers for session cookie behavior.
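
The nginx config shown earlier uses `$proxy_add_x_forwarded_for`, which appends to whatever `X-Forwarded-For` the client already sent, and Express with `trust proxy` set to `true` takes the leftmost entry as the client address. The added example below (not VPS Deployer's or Express's own code) models that resolution with constructed addresses so you can see which value ends up in logs and rate-limit keys; `nginxAppend`, `resolveClientIp`, `trustAll` and `trustLoopbackOnly` are hypothetical names.

```javascript
// Added example: a simplified model of client-IP resolution behind a proxy.
// It is not Express's or VPS Deployer's code; all addresses are constructed.

// What nginx's $proxy_add_x_forwarded_for produces: the incoming header with
// the connecting peer's address appended.
function nginxAppend(incomingHeader, remoteAddr) {
  return incomingHeader ? `${incomingHeader}, ${remoteAddr}` : remoteAddr;
}

// Walk from the socket peer back through X-Forwarded-For (right to left) and
// return the first address that isTrusted() rejects. If every hop is trusted,
// the leftmost entry wins.
function resolveClientIp(socketAddr, header, isTrusted) {
  const hops = (header || '').split(',').map((h) => h.trim()).filter(Boolean);
  const chain = [socketAddr, ...hops.reverse()];
  for (let i = 0; i < chain.length - 1; i++) {
    if (!isTrusted(chain[i])) return chain[i];
  }
  return chain[chain.length - 1];
}

const trustAll = () => true; // models a trust-everything setting
const trustLoopbackOnly = (addr) =>
  addr === '::1' || /^(::ffff:)?127\.\d+\.\d+\.\d+$/.test(addr);

function demo() {
  const realClient = '203.0.113.7'; // constructed client address
  const claimed = '198.51.100.99';  // constructed value the client put in the header
  const viaNginx = nginxAppend(claimed, realClient);
  return {
    forwardedHeader: viaNginx,
    // Request arrives through nginx, so the socket peer is 127.0.0.1.
    proxiedTrustAll: resolveClientIp('127.0.0.1', viaNginx, trustAll),
    proxiedLoopbackOnly: resolveClientIp('127.0.0.1', viaNginx, trustLoopbackOnly),
    // Request reaches port 3000 directly, bypassing nginx.
    directTrustAll: resolveClientIp(realClient, claimed, trustAll),
    directLoopbackOnly: resolveClientIp(realClient, claimed, trustLoopbackOnly),
  };
}

console.log(demo());
```

With only the loopback hop trusted, the resolved address is the peer nginx actually saw. Keeping port 3000 reachable only from 127.0.0.1 closes the direct path.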

Make sure /webhook/* is accessible from the internet. GitHub needs to reach this endpoint to deliver push events.

If you’re using authentication at the reverse proxy level (e.g., HTTP basic auth), exclude the webhook path:

location /webhook/ {
    # No auth required for webhooks
    proxy_pass http://127.0.0.1:3000;
}

location / {
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;
    proxy_pass http://127.0.0.1:3000;
}