Deployment
Reverse Proxy Setup
Configure Nginx or Caddy as a reverse proxy for BAP with SSL/TLS.
Reverse Proxy Setup
This guide covers setting up a reverse proxy for BAP with Nginx or Caddy.
Why Use a Reverse Proxy?
- SSL/TLS termination
- Load balancing (future)
- Static file serving
- Request caching
- Security headers
Option 1: Nginx
Installation
# Ubuntu/Debian
sudo apt update
sudo apt install nginx certbot python3-certbot-nginx
# Verify
nginx -vConfiguration
Create /etc/nginx/sites-available/bap:
server {
listen 80;
server_name yourdomain.com;
# Redirect to HTTPS
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
server_name yourdomain.com;
# SSL Certificate
ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
# SSL Settings
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
# Security Headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# Frontend
location / {
proxy_pass http://localhost:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_cache_bypass $http_upgrade;
# Timeouts
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
}
# API
location /api {
proxy_pass http://localhost:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Increase timeouts for file uploads
proxy_connect_timeout 300s;
proxy_send_timeout 300s;
proxy_read_timeout 300s;
}
# WebSocket support (future)
location /ws {
proxy_pass http://localhost:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
}
}Enable Site
sudo ln -s /etc/nginx/sites-available/bap /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginxSSL Certificate
# Get certificate
sudo certbot --nginx -d yourdomain.com
# Auto-renewal
sudo certbot renew --dry-runOption 2: Caddy
Installation
# Install Caddy
sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddyConfiguration
Create /etc/caddy/Caddyfile:
yourdomain.com {
# Frontend
reverse_proxy localhost:3000
# API with longer timeouts for uploads
reverse_proxy /api/* localhost:8080 {
header_up X-Real-IP {remote_host}
header_up X-Forwarded-For {remote_host}
header_up X-Forwarded-Proto {scheme}
}
# API health endpoint
reverse_proxy /api/health localhost:8080
# TLS
tls {
protocols tls1.2 tls1.3
}
}Enable Configuration
sudo caddy validate --config /etc/caddy/Caddyfile
sudo systemctl reload caddyAutomatic HTTPS
Caddy automatically provisions Let's Encrypt certificates.
Environment Updates
After setting up a reverse proxy, update environment:
# .env file
CORS_ORIGINS=https://yourdomain.com
FRONTEND_URL=https://yourdomain.com
NEXT_PUBLIC_API_URL=https://yourdomain.com/api
API_BASE_URL=https://yourdomain.comRestart services:
docker-compose down
docker-compose up -dSecurity Headers
Both Nginx and Caddy can add security headers.
Recommended Headers
| Header | Value | Purpose |
|---|---|---|
| X-Frame-Options | DENY | Clickjacking protection |
| X-Content-Type-Options | nosniff | MIME sniffing protection |
| X-XSS-Protection | 1; mode=block | XSS filter |
| Referrer-Policy | strict-origin | Privacy |
| Content-Security-Policy | varies | CSP |
Nginx (manual headers)
Add to server block:
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer" always;Performance Optimization
Nginx Caching
# Static assets caching
location /_next/static {
proxy_pass http://localhost:3000;
expires 1y;
add_header Cache-Control "public, immutable";
}Gzip Compression
gzip on;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml;
gzip_min_length 1000;Troubleshooting
502 Bad Gateway
- Check services are running:
docker-compose ps - Check ports:
ss -tlnp | grep 3000 - Check logs:
docker-compose logs web
Too Many Redirects
- Ensure FRONTEND_URL matches domain
- Check CORS_ORIGINS includes domain
SSL Errors
- Verify certificate:
openssl s_client -connect yourdomain.com:443 - Check certificate files exist
Firewall
sudo ufw allow 80/tcp # HTTP
sudo ufw allow 443/tcp # HTTPS
sudo ufw allow 22/tcp # SSH
sudo ufw enableNext Steps
- Production Checklist — Security hardening
- Upgrading — Version updates
- Docker Compose — Initial setup