Configure Cells with a reverse-proxy

Reverse proxies are one of the most common way to secure web servers. You can make them hide the IP of your App server, serve as the main gateway to your private (virtual) network, or as TLS Termination point and expose your public certificates, etc.

A simple HTTPS reverse-proxy is fairly easy to set up for basic usage (Web UX, REST API's, Mobile Applications). You just need to make sure that the URL is known to Cells so that it can allow incoming traffic from this address.

v5 breaking change — the external URL is now compulsory when running behind a reverse proxy. In v4, Cells could partially derive the external URL from incoming request headers. In v5 this implicit detection has been removed: the reverse-proxy URL must be set explicitly on each site (via ./cells configure sites, the service.reverseproxyurl Helm value, or the corresponding bootstrap.yaml site entry) before Cells will accept requests forwarded by your proxy. Upgrading from v4? Set the External URL on every site as part of your pre-flight checks.

Run the following command,

./cells configure sites

Select an active site or add a new site and set the reverse-proxy URL in the External URL field.

Warning: if you intend to use CellsSync client together with your server instance, you cannot use TLS Offloading on your reverse proxy. The communication between the sync client and the server is done via gRPC on HTTP/2 and this will not work if you drop from HTTPS to HTTP between your reverse proxy and your Cells instance. Furthermore, note that your proxy has to support this protocol.

Tutorials

In our knowledge base we have a growing number of comprehensive guides to setup various proxies with Cells:

• Running Cells behind Apache2 proxy
• Reverse proxy with Caddy
• Reverse proxy with Nginx
• Docker and Traefik

More details

• See our detailed article in the Knowledge Base.