Reverse Proxy Configuration

For production deployments, place Bloqd behind a reverse proxy for SSL/TLS termination and better security.

Nginx

Basic Configuration

/etc/nginx/sites-available/bloqd
server {
    listen 80;
    server_name bloqd.example.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name bloqd.example.com;

    ssl_certificate /etc/letsencrypt/live/bloqd.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/bloqd.example.com/privkey.pem;

    # Security headers
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    # Legacy header: current browsers no longer implement this filter
    add_header X-XSS-Protection "1; mode=block" always;

    location / {
        proxy_pass http://127.0.0.1:3000;
        # HTTP/1.1 to the backend is required for the Upgrade handshake
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket timeout: idle sockets are closed after this many seconds (nginx default is 60)
        proxy_read_timeout 86400;
    }
}

Enable the site:

sudo ln -s /etc/nginx/sites-available/bloqd /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx

With Let's Encrypt

sudo certbot --nginx -d bloqd.example.com

Caddy

Caddy automatically handles SSL certificates.

/etc/caddy/Caddyfile
bloqd.example.com {
    reverse_proxy localhost:3000
}

Reload Caddy:

sudo systemctl reload caddy

Traefik

Docker Labels

If using Docker Compose with Traefik:

docker-compose.yaml
services:
  bloqd:
    image: bloqd:latest
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.bloqd.rule=Host(`bloqd.example.com`)"
      - "traefik.http.routers.bloqd.entrypoints=websecure"
      - "traefik.http.routers.bloqd.tls.certresolver=letsencrypt"
      - "traefik.http.services.bloqd.loadbalancer.server.port=3000"
    networks:
      - traefik

networks:
  traefik:
    external: true

Static Configuration

traefik.yaml
http:
  routers:
    bloqd:
      rule: "Host(`bloqd.example.com`)"
      service: bloqd
      tls:
        certResolver: letsencrypt

  services:
    bloqd:
      loadBalancer:
        servers:
          - url: "http://localhost:3000"

WebSocket Support

Bloqd uses WebSockets for real-time updates. Ensure your reverse proxy supports WebSocket upgrades.

Testing WebSocket

After configuration, test that WebSockets work:

  1. Open the Bloqd dashboard
  2. Open browser DevTools → Network → WS
  3. You should see a WebSocket connection to /ws

If WebSockets don't connect:

  • Check that Upgrade and Connection headers are passed through
  • Verify proxy_read_timeout is set high enough (default: 60s)
  • Check firewall rules allow WebSocket connections
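The three checklist items above can be verified mechanically before reloading nginx. The script below is an added example, not part of the Bloqd project or of nginx: it parses a `location` block with a small directive regex and reports whatever a WebSocket upgrade needs but cannot find (HTTP/1.1 to the backend, the `Upgrade` and `Connection` headers, and a `proxy_read_timeout` that is not still at the 60 s default). The two sample blocks are constructed, and the 3600 s minimum timeout is an assumed threshold, not a Bloqd requirement.

```python
# Added example (not part of the Bloqd project): a small checker that parses an nginx
# location block and reports the directives a WebSocket upgrade needs but does not find.
import re

# Constructed sample: the location block from the nginx configuration on this page.
GOOD_LOCATION = """
location / {
    proxy_pass http://127.0.0.1:3000;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
    # WebSocket timeout
    proxy_read_timeout 86400;
}
"""

# Constructed sample: proxies plain HTTP fine, but the /ws handshake never upgrades.
BROKEN_LOCATION = """
location / {
    proxy_pass http://127.0.0.1:3000;
    proxy_set_header Host $host;
}
"""

# One nginx directive per line: name, arguments, terminating ';', optional comment.
DIRECTIVE = re.compile(r"^\s*([a-z_]+)\s+(.*?);\s*(?:#.*)?$", re.MULTILINE)

# nginx time suffixes handled here; a bare number means seconds.
UNITS = {"": 1, "ms": 0.001, "s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_directives(block):
    """Return (name, arguments) pairs; comments, braces and blank lines are skipped."""
    return [(m.group(1), m.group(2).strip()) for m in DIRECTIVE.finditer(block)]


def parse_seconds(value):
    """Convert an nginx time value such as '60s', '24h' or '86400' to seconds."""
    m = re.fullmatch(r"(\d+)(ms|s|m|h|d)?", value.strip())
    if not m:
        raise ValueError(f"unrecognised nginx time value: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2) or ""]


def websocket_findings(block, min_read_timeout=3600):
    """List the problems that would stop WebSocket upgrades through this location block.

    An empty list means every check passed. min_read_timeout is the shortest
    proxy_read_timeout accepted for a long-lived socket (an assumed threshold)."""
    directives = parse_directives(block)
    headers = {}
    for name, args in directives:
        if name == "proxy_set_header":
            header, _, value = args.partition(" ")
            headers[header.lower()] = value.strip().strip('"')

    findings = []
    if ("proxy_http_version", "1.1") not in directives:
        findings.append("proxy_http_version 1.1 missing: HTTP/1.0 to the backend cannot carry Upgrade")
    if headers.get("upgrade") != "$http_upgrade":
        findings.append("proxy_set_header Upgrade $http_upgrade missing")
    if headers.get("connection", "").lower() != "upgrade":
        findings.append('proxy_set_header Connection "upgrade" missing')
    # nginx falls back to its compiled-in default of 60s when the directive is absent.
    timeout = next((args for name, args in directives if name == "proxy_read_timeout"), "60s")
    if parse_seconds(timeout) < min_read_timeout:
        findings.append(f"proxy_read_timeout {timeout} is below {min_read_timeout}s; idle sockets will be cut")
    return findings


if __name__ == "__main__":
    for label, block in (("good", GOOD_LOCATION), ("broken", BROKEN_LOCATION)):
        problems = websocket_findings(block)
        print(f"{label}: {'ok' if not problems else ''}")
        for problem in problems:
            print(f"  - {problem}")
```

Run it against a copy of your own `location` block; anything it lists is worth fixing before looking at firewalls, since a missing `Upgrade` header produces the same symptom in DevTools (the `/ws` request answered with a normal HTTP response instead of status 101).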

Environment Variables

When behind a reverse proxy, set these in .env:

# The external URL users will access
API_BASE_URL=https://bloqd.example.com

# Trust proxy headers
TRUST_PROXY=true
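`TRUST_PROXY=true` tells the application to believe the `X-Forwarded-*` headers the proxy sets, and that belief is only safe when the request really arrived through the proxy. The block below is an added example, not Bloqd's code (how Bloqd itself interprets `TRUST_PROXY` is not documented on this page); it shows the trusted-proxy logic such settings normally enable, with the loopback address assumed as the only trusted peer and constructed requests that cover the normal case, a client-supplied `X-Forwarded-For`, and a request that reached port 3000 without passing through nginx.

```python
# Added example (not Bloqd's code; how Bloqd itself interprets TRUST_PROXY is not documented
# on this page): the trusted-proxy logic that TRUST_PROXY-style settings normally enable.
# The application only believes X-Forwarded-For / X-Forwarded-Proto when the TCP peer is a
# proxy it trusts; otherwise anyone who can reach port 3000 directly could forge them.
import ipaddress

# Assumption: nginx runs on the same host, so the only trusted peer is the loopback address.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]


def is_trusted(addr):
    """True when addr falls inside a trusted proxy network; unparsable values are never trusted."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, x_forwarded_for, trust_proxy):
    """Address to attribute the request to (logs, rate limits, audit trails).

    With trust_proxy off, or when the peer is not a trusted proxy, the TCP peer is the
    client. Otherwise walk X-Forwarded-For from the right, skipping trusted proxies; the
    first untrusted hop is the client. The leftmost value is never used blindly, because
    the client controls it ($proxy_add_x_forwarded_for only appends, it does not scrub)."""
    if not trust_proxy or not is_trusted(remote_addr):
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop
    return remote_addr  # header empty or made up entirely of our own proxies


def request_scheme(remote_addr, x_forwarded_proto, trust_proxy):
    """Scheme the user actually used; it drives 'Secure' cookies and absolute redirects."""
    if trust_proxy and is_trusted(remote_addr) and x_forwarded_proto in ("http", "https"):
        return x_forwarded_proto
    return "http"  # the app itself listens on plain HTTP on port 3000


def demo():
    """Constructed requests as (remote_addr, X-Forwarded-For, X-Forwarded-Proto)."""
    via_nginx = ("127.0.0.1", "203.0.113.7", "https")
    # The client sent its own X-Forwarded-For; nginx appended the real peer on the right.
    spoof_via_nginx = ("127.0.0.1", "10.0.0.5, 203.0.113.7", "https")
    # Port 3000 reached directly, bypassing nginx, with forged headers.
    direct_hit = ("198.51.100.9", "10.0.0.5", "https")
    return {
        "via_nginx": client_ip(via_nginx[0], via_nginx[1], trust_proxy=True),
        "spoof_via_nginx": client_ip(spoof_via_nginx[0], spoof_via_nginx[1], trust_proxy=True),
        "direct_hit": client_ip(direct_hit[0], direct_hit[1], trust_proxy=True),
        "trust_off": client_ip(via_nginx[0], via_nginx[1], trust_proxy=False),
        "direct_hit_scheme": request_scheme(direct_hit[0], direct_hit[2], trust_proxy=True),
        "via_nginx_scheme": request_scheme(via_nginx[0], via_nginx[2], trust_proxy=True),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The `direct_hit` case is the one to design out rather than handle: keep the application bound to `127.0.0.1:3000` (as the `proxy_pass` targets on this page already assume) or firewalled so that the only peer it ever sees is the proxy, and the trusted-peer check becomes a second line of defence instead of the only one.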

Security Recommendations

Rate Limiting (Nginx)

limit_req_zone $binary_remote_addr zone=bloqd:10m rate=10r/s;

server {
    # ...
    location / {
        limit_req zone=bloqd burst=20 nodelay;
        proxy_pass http://127.0.0.1:3000;
        # ...
    }
}
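What `rate=10r/s burst=20 nodelay` means in practice is easiest to see by replaying traffic through a model of the limiter. The simulation below is an added example, not code from Bloqd or nginx; it follows the behaviour nginx documents for `limit_req` (a leaky bucket that drains at the configured rate, rejects once the excess would pass `burst`, and with `nodelay` serves burst requests immediately instead of spacing them out). The arrival times are constructed.

```python
# Added example (not from the Bloqd project or nginx): a simulation of limit_req with
# 'rate=10r/s burst=20 nodelay', following the behaviour nginx documents for the module.
# It answers the practical question "how many requests can one client fire at once?".


class LimitReq:
    """Leaky-bucket model of ngx_http_limit_req_module.

    Each request adds one unit of 'excess'; excess drains at 'rate' units per second.
    A request whose excess would exceed 'burst' is rejected (nginx answers 503 unless
    limit_req_status says otherwise) and leaves the counter untouched. Without nodelay,
    requests with positive excess are accepted but delayed so they leave at the
    configured rate; with nodelay they are served immediately."""

    def __init__(self, rate_per_sec, burst, nodelay=True):
        self.rate = float(rate_per_sec)
        self.burst = float(burst)
        self.nodelay = nodelay
        self.excess = 0.0
        self.last = None  # timestamp of the last accepted request

    def request(self, now):
        """Outcome for a request arriving at 'now' (seconds): 'accept', 'delay' or 'reject'."""
        if self.last is None:
            self.last = now  # first request from this key is always accepted
            return "accept"
        drained = self.rate * (now - self.last)
        excess = max(0.0, self.excess - drained + 1.0)
        if excess > self.burst:
            return "reject"  # state is not updated for rejected requests
        self.excess, self.last = excess, now
        if excess > 0 and not self.nodelay:
            return "delay"  # would be held back excess / rate seconds
        return "accept"


def simulate(limiter, arrival_times):
    """Feed a list of arrival timestamps through the limiter and count each outcome."""
    counts = {"accept": 0, "delay": 0, "reject": 0}
    for t in arrival_times:
        counts[limiter.request(t)] += 1
    return counts


def burst_then_steady():
    """Constructed traffic from one client against the configuration on this page."""
    lim = LimitReq(rate_per_sec=10, burst=20, nodelay=True)
    instant = simulate(lim, [0.0] * 30)  # 30 requests in the same instant
    steady = simulate(lim, [1.0 + i * 0.1 for i in range(10)])  # then exactly 10 r/s for a second
    later = simulate(lim, [6.0])  # then one request after a pause of about 4 s
    return instant, steady, later


if __name__ == "__main__":
    instant, steady, later = burst_then_steady()
    print("30 at once:", instant)  # 21 accepted (1 at rate + 20 burst), 9 rejected
    print("10 r/s for 1 s:", steady)  # all accepted; the bucket neither fills nor drains
    print("after the pause:", later)  # accepted; the bucket has fully drained
```

The numbers to take away: a single client can land `burst + 1` requests instantly, after which it is held to the steady rate, and because the zone is keyed on `$binary_remote_addr` the limit applies per connecting address, which is why the `X-Forwarded-For` handling in the environment-variable section matters if another proxy ever sits in front of nginx.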

IP Allowlist (Nginx)

Restrict dashboard access to specific IPs:

location / {
    # Matched against the connecting address, not X-Forwarded-For
    allow 192.168.1.0/24;
    allow 10.0.0.0/8;
    deny all;

    proxy_pass http://127.0.0.1:3000;
    # ...
}

Basic Auth (Nginx)

Add an extra layer of authentication:

# Create password file
sudo htpasswd -c /etc/nginx/.htpasswd admin

location / {
    auth_basic "Bloqd Admin";
    auth_basic_user_file /etc/nginx/.htpasswd;

    proxy_pass http://127.0.0.1:3000;
    # ...
}

Next Steps