MCP HubMCP Hub
Back to Skills

configure-reverse-proxy

pjt222
Updated Yesterday
5 views
17
2
17
View on GitHub
Documentationgeneral

About

This skill provides configuration patterns for setting up reverse proxies using Nginx, Traefik, and ShinyProxy. It handles WebSocket proxying, path/host-based routing, SSL termination, and Docker label auto-discovery. Use it when routing multiple services through a single entry point or adding TLS to services that lack native SSL support.

Quick Install

Claude Code

Recommended
Primary
npx skills add pjt222/agent-almanac -a claude-code
Plugin CommandAlternative
/plugin add https://github.com/pjt222/agent-almanac
Git CloneAlternative
git clone https://github.com/pjt222/agent-almanac.git ~/.claude/skills/configure-reverse-proxy

Copy and paste this command in Claude Code to install this skill

Documentation

Configure Reverse Proxy

Set up reverse proxy patterns for routing traffic to backend services using Nginx, Traefik, or ShinyProxy.

When Use

  • Routing multiple services behind single entry point
  • Proxying WebSocket connections (Shiny, Socket.IO, live reload)
  • Auto-discovering Docker services with Traefik labels
  • Path-based or host-based routing to different backends
  • Adding SSL termination to services that don't handle TLS

Inputs

  • Required: Backend services to proxy (host:port)
  • Required: Routing strategy (path-based, host-based, or both)
  • Optional: Proxy tool preference (Nginx, Traefik)
  • Optional: Domain name(s) for host-based routing
  • Optional: WebSocket endpoints to proxy

Steps

Step 1: Choose Proxy Tool

FeatureNginxTraefik
ConfigurationStatic filesDocker labels / dynamic
Auto-discoveryNo (manual)Yes (Docker provider)
Let's EncryptVia certbotBuilt-in ACME
DashboardNo (3rd party)Built-in
WebSocketManual configAutomatic
Best forStatic config, high trafficDynamic Docker environments

Step 2: Nginx — Path-Based Routing

server {
    listen 80;

    location /api/ {
        proxy_pass http://api:8000/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }

    location /app/ {
        proxy_pass http://webapp:3000/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }

    location / {
        root /usr/share/nginx/html;
        try_files $uri $uri/ /index.html;
    }
}

Note: Trailing / on proxy_pass strips location prefix. proxy_pass http://api:8000/; with location /api/ forwards /api/users as /users.

Step 3: Nginx — Host-Based Routing

server {
    listen 80;
    server_name api.example.com;

    location / {
        proxy_pass http://api:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

server {
    listen 80;
    server_name app.example.com;

    location / {
        proxy_pass http://webapp:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

Step 4: Nginx — WebSocket Proxying

WebSockets require upgrade headers. Essential for Shiny, Socket.IO, live reload:

location /ws/ {
    proxy_pass http://app:3000;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
    proxy_read_timeout 86400;
}

For Shiny apps specifically:

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    location / {
        proxy_pass http://shiny:3838;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_read_timeout 86400;
        proxy_buffering off;
    }
}

Got: WebSocket connections establish, persist.

If fail: Check proxy_http_version 1.1 set. Verify Upgrade and Connection headers.

Step 5: Traefik — Docker Label Auto-Discovery

docker-compose.yml:

services:
  traefik:
    image: traefik:v3.2
    command:
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "[email protected]"
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - letsencrypt:/letsencrypt

  api:
    image: myapi:latest
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.api.rule=Host(`api.example.com`)"
      - "traefik.http.routers.api.entrypoints=websecure"
      - "traefik.http.routers.api.tls.certresolver=letsencrypt"
      - "traefik.http.services.api.loadbalancer.server.port=8000"

  webapp:
    image: myapp:latest
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.webapp.rule=Host(`app.example.com`)"
      - "traefik.http.routers.webapp.entrypoints=websecure"
      - "traefik.http.routers.webapp.tls.certresolver=letsencrypt"
      - "traefik.http.services.webapp.loadbalancer.server.port=3000"

volumes:
  letsencrypt:

Got: Traefik auto-discovers services via labels, provisions SSL certificates.

Step 6: Traefik — Path-Based Routing with Labels

services:
  api:
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.api.rule=Host(`example.com`) && PathPrefix(`/api`)"
      - "traefik.http.routers.api.middlewares=strip-api"
      - "traefik.http.middlewares.strip-api.stripprefix.prefixes=/api"
      - "traefik.http.services.api.loadbalancer.server.port=8000"

Step 7: Traefik — Rate Limiting and Headers

labels:
  - "traefik.http.middlewares.ratelimit.ratelimit.average=100"
  - "traefik.http.middlewares.ratelimit.ratelimit.burst=50"
  - "traefik.http.middlewares.security.headers.stsSeconds=63072000"
  - "traefik.http.middlewares.security.headers.contentTypeNosniff=true"
  - "traefik.http.middlewares.security.headers.frameDeny=true"
  - "traefik.http.routers.app.middlewares=ratelimit,security"

Step 8: Verify Proxy Configuration

# Nginx: test config
docker compose exec nginx nginx -t

# Check routing
curl -H "Host: api.example.com" http://localhost/health

# Check WebSocket (needs wscat: npm install -g wscat)
wscat -c ws://localhost/ws/

# Traefik dashboard (if enabled)
# http://localhost:8080/dashboard/

Got: Requests route to correct backends. WebSocket upgrades succeed.

Checks

  • HTTP requests route to correct backend based on path or host
  • WebSocket connections establish, maintain
  • SSL termination works (if configured)
  • Backend services receive correct Host, X-Real-IP, X-Forwarded-For headers
  • Traefik auto-discovers new services via labels (if using Traefik)
  • Configuration survives docker compose restart

Pitfalls

  • Trailing slash mismatch: proxy_pass http://app/ vs http://app behaves differently with path stripping in Nginx.
  • WebSocket timeout: Default proxy_read_timeout is 60s. Long-lived WebSocket connections need 86400 (24h).
  • Docker socket security: Mounting /var/run/docker.sock in Traefik gives it full Docker access. Use ro mount, consider socket proxy.
  • DNS resolution: Nginx resolves upstreams at startup. Use resolver 127.0.0.11 for Docker internal DNS with dynamic services.
  • Missing proxy_buffering off: Shiny and SSE endpoints need proxy_buffering off for real-time streaming.

See Also

  • configure-nginx - detailed Nginx configuration with SSL and security headers
  • deploy-shinyproxy - ShinyProxy for containerized Shiny app hosting
  • setup-compose-stack - compose stack that uses reverse proxy
  • configure-api-gateway - API gateway patterns with Kong, Traefik

GitHub Repository

pjt222/agent-almanac
Path: i18n/caveman/skills/configure-reverse-proxy
0
agentsagentskillsai-assisted-developmentclaude-codeskillsteams

Related Skills

railway-docs

Documentation

This skill fetches current Railway documentation to answer questions about features, functionality, or specific docs URLs. It ensures developers receive accurate, up-to-date information directly from Railway's official sources. Use it when users ask how Railway works or reference Railway documentation.

View skill

n8n-code-python

Documentation

This Claude Skill provides expert guidance for writing Python code in n8n's Code nodes, specifically for using Python's standard library and working with n8n's special syntax like `_input`, `_json`, and `_node`. It helps developers understand Python's limitations within n8n and recommends using JavaScript for most workflows while offering Python solutions for specific data transformation needs.

View skill

archon

Documentation

The Archon skill provides RAG-powered semantic search and project management through a REST API. Use it for querying documentation, managing hierarchical projects/tasks, and performing knowledge retrieval with document upload capabilities. Always prioritize Archon first when searching external documentation before using other sources.

View skill

n8n-code-javascript

Documentation

This Claude Skill provides expert guidance for writing JavaScript code in n8n's Code nodes. It covers essential n8n-specific syntax like `$input`/`$json` variables, HTTP helpers, and DateTime handling, while troubleshooting common errors. Use it when developing n8n workflows that require custom JavaScript processing in Code nodes.

View skill