Skip to content

Reverse Proxy Examples (Nginx & Traefik)

This guide shows example configurations for running tldw_server behind a reverse proxy with TLS and WebSocket support.

Important endpoints needing WebSocket upgrade: - /api/v1/audio/stream/transcribe - /api/v1/mcp/*

General guidance - Terminate TLS at the proxy and forward HTTP to the app (default: http://app:8000). - Configure timeouts high enough for long-running streaming or inference requests. - Set tldw_production=true in the app environment, and restrict CORS (see ALLOWED_ORIGINS).

Nginx

Example server block:

server {
    listen 443 ssl;
    server_name your.domain.com;

    ssl_certificate     /etc/letsencrypt/live/your.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your.domain.com/privkey.pem;

    # Increase limits for uploads and long requests
    client_max_body_size 200m;
    proxy_read_timeout   3600;
    proxy_send_timeout   3600;
    proxy_connect_timeout 60s;

    # Common headers
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # Propagate request IDs & tracing headers if provided by upstream clients
    proxy_set_header X-Request-ID $http_x_request_id;
    proxy_set_header traceparent $http_traceparent;
    proxy_set_header tracestate $http_tracestate;

    # WebSocket upgrade rules
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # API and WebUI
    location / {
        proxy_pass http://app:8000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

Docker Compose snippet (reverse proxy + app):

services:
  app:
    image: tldw-server:prod
    environment:
      - tldw_production=true
      - ALLOWED_ORIGINS=https://your.domain.com
    expose:
      - "8000"

  nginx:
    image: nginx:stable
    volumes:
      # Use the provided sample and adjust paths/domains
      - ./Samples/Nginx/nginx.conf:/etc/nginx/conf.d/default.conf:ro
      - /etc/letsencrypt:/etc/letsencrypt:ro
    ports:
      - "443:443"
    depends_on:
      - app

Traefik

Static configuration (Docker provider recommended). Dynamic config example:

http:
  routers:
    tldw:
      rule: Host(`your.domain.com`)
      entryPoints:
        - websecure
      service: tldw
      tls: {}

  services:
    tldw:
      loadBalancer:
        servers:
          - url: "http://app:8000"

  middlewares:
    long-timeouts:
      headers:
        customResponseHeaders:
          X-Accel-Buffering: "no"

Docker labels with Traefik (Compose):

services:
  app:
    image: tldw-server:prod
    environment:
      - tldw_production=true
      - ALLOWED_ORIGINS=https://your.domain.com
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.tldw.rule=Host(`your.domain.com`)"
      - "traefik.http.routers.tldw.entrypoints=websecure"
      - "traefik.http.routers.tldw.tls=true"
      - "traefik.http.services.tldw.loadbalancer.server.port=8000"
      # WebSocket upgrade handled automatically with Traefik on same router

Notes - Ensure Traefik is configured with the Docker provider and certificate resolver for TLS (e.g., LetsEncrypt). - Adjust timeouts using Traefik middleware if needed for long-lived streaming.

Sample dynamic config file - See Samples/Traefik/traefik-dynamic.yml for a ready-to-copy dynamic configuration. Mount it into Traefik, for example:

services:
  traefik:
    image: traefik:v3.0
    command:
      - --providers.docker=true
      - --providers.file.directory=/etc/traefik/dynamic
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.letsencrypt.acme.tlschallenge=true
      - --certificatesresolvers.letsencrypt.acme.email=admin@your.domain.com
      - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./Samples/Traefik:/etc/traefik/dynamic:ro
      - ./letsencrypt:/letsencrypt
    ports:
      - "80:80"
      - "443:443"

CORS

In production, restrict CORS to trusted origins. You can set via environment (comma-separated list or JSON array):

export ALLOWED_ORIGINS=https://your.domain.com,https://admin.your.domain.com
# or JSON array
export ALLOWED_ORIGINS='["https://your.domain.com", "https://admin.your.domain.com"]'

This overrides the default origins configured in tldw_Server_API/app/core/config.py.

Security reminders

  • Run the app as non-root (Dockerfile.prod already does this).
  • Don’t log secrets in production; the app masks the single-user API key when tldw_production=true.
  • Keep dependencies patched; consider container image scanning (e.g., Trivy).

Content Security Policy (CSP)

For the WebUI, use CSP to reduce XSS risk.

  • Strict CSP (no inline scripts):

    add_header Content-Security-Policy "default-src 'self'; img-src 'self' data:; object-src 'none'; base-uri 'self'" always;
    

  • If inline scripts are present, prefer nonces and inject them into HTML (advanced), or as a last resort allow inline scripts:

    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'" always;
    

Adjust CSP policies to your WebUI’s needs; if you add third-party fonts or images, update the sources accordingly.