configure-reverse-proxy
About
This Claude Skill helps developers configure reverse proxies using tools like Nginx, Traefik, and ShinyProxy. It covers essential patterns including WebSocket proxying, routing methods, SSL termination, and Docker service auto-discovery. Use it when you need to route multiple services through a single entry point or add TLS to services that lack native support.
Quick install
Claude Code
- Recommended: `npx skills add pjt222/agent-almanac -a claude-code`
- `/plugin add https://github.com/pjt222/agent-almanac`
- `git clone https://github.com/pjt222/agent-almanac.git ~/.claude/skills/configure-reverse-proxy`

Copy and paste this command into Claude Code to install the skill.
Skill documentation
Configure Reverse Proxy
Set up reverse proxy patterns for routing traffic to backend services using Nginx, Traefik, or ShinyProxy.
When to Use
- Routing multiple services behind a single entry point
- Proxying WebSocket connections (Shiny, Socket.IO, live reload)
- Auto-discovering Docker services with Traefik labels
- Path-based or host-based routing to different backends
- Adding SSL termination to services that don't handle TLS
Inputs
- Required: Backend services to proxy (host:port)
- Required: Routing strategy (path-based, host-based, or both)
- Optional: Proxy tool preference (Nginx, Traefik)
- Optional: Domain name(s) for host-based routing
- Optional: WebSocket endpoints to proxy
Procedure
Step 1: Choose Proxy Tool
| Feature | Nginx | Traefik |
|---|---|---|
| Configuration | Static files | Docker labels / dynamic |
| Auto-discovery | No (manual) | Yes (Docker provider) |
| Let's Encrypt | Via certbot | Built-in ACME |
| Dashboard | No (3rd party) | Built-in |
| WebSocket | Manual config | Automatic |
| Best for | Static config, high traffic | Dynamic Docker environments |
Step 2: Nginx — Path-Based Routing
```nginx
server {
    listen 80;

    location /api/ {
        proxy_pass http://api:8000/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }

    location /app/ {
        proxy_pass http://webapp:3000/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }

    location / {
        root /usr/share/nginx/html;
        try_files $uri $uri/ /index.html;
    }
}
```
Note: A trailing `/` on `proxy_pass` strips the location prefix. `proxy_pass http://api:8000/;` with `location /api/` forwards `/api/users` as `/users`.
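The prefix-replacement rule in the note above, as an added example that is not part of the original skill: a small Python model of how Nginx derives the upstream URI for a prefix location, run over constructed cases. The function names `upstream_uri` and `trailing_slash_mismatch` are hypothetical, and the model assumes no regex locations, no variables in `proxy_pass`, and no `rewrite` directives.

```python
from urllib.parse import urlsplit


def upstream_uri(location: str, proxy_pass: str, request_uri: str) -> str:
    """Model the URI Nginx sends upstream for a prefix location.

    Assumes a plain prefix location (no regex), no variables in proxy_pass,
    no rewrite directives, and an already-normalized request URI.
    """
    path, sep, query = request_uri.partition("?")
    if not path.startswith(location):
        raise ValueError(f"{path!r} is not matched by location {location!r}")
    uri_part = urlsplit(proxy_pass).path
    if uri_part == "":
        # No URI part on proxy_pass: the request path is forwarded unchanged.
        new_path = path
    else:
        # URI part present (even a bare "/"): the matched location prefix is
        # replaced by it verbatim, with no slash added or removed.
        new_path = uri_part + path[len(location):]
    return new_path + sep + query


def trailing_slash_mismatch(location: str, proxy_pass: str) -> bool:
    """True when the location and the proxy_pass URI part disagree on a
    trailing slash, which yields '//users' or glued paths like '/v1users'."""
    uri_part = urlsplit(proxy_pass).path
    if uri_part == "":
        return False
    return location.endswith("/") != uri_part.endswith("/")


# Constructed cases; the hostnames follow the page's examples.
CASES = [
    ("/api/", "http://api:8000/"),    # page's Step 2 form
    ("/api/", "http://api:8000"),     # no URI part: prefix kept
    ("/api", "http://api:8000/"),     # mismatch: double slash
    ("/api/", "http://api:8000/v1"),  # mismatch: glued segment
]

if __name__ == "__main__":
    for location, target in CASES:
        sent = upstream_uri(location, target, "/api/users?id=1")
        flag = "MISMATCH" if trailing_slash_mismatch(location, target) else "ok"
        print(f"location {location:<6} proxy_pass {target:<22} -> {sent:<18} {flag}")
```

A flagged pair means the backend sees a different path than the one the proxy matched, which matters when access rules are enforced on the proxy side.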
Step 3: Nginx — Host-Based Routing
```nginx
server {
    listen 80;
    server_name api.example.com;

    location / {
        proxy_pass http://api:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

server {
    listen 80;
    server_name app.example.com;

    location / {
        proxy_pass http://webapp:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```
Step 4: Nginx — WebSocket Proxying
WebSockets require upgrade headers. Essential for Shiny, Socket.IO, and live reload:
```nginx
location /ws/ {
    proxy_pass http://app:3000;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
    proxy_read_timeout 86400;
}
```
For Shiny apps specifically:
```nginx
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    location / {
        proxy_pass http://shiny:3838;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_read_timeout 86400;
        proxy_buffering off;
    }
}
```
Expected: WebSocket connections establish and persist.
On failure: Check that `proxy_http_version 1.1` is set. Verify the `Upgrade` and `Connection` headers.
Step 5: Traefik — Docker Label Auto-Discovery
docker-compose.yml:
```yaml
services:
  traefik:
    image: traefik:v3.2
    command:
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # The contact address was obfuscated in the source page; set your own.
      - "--certificatesresolvers.letsencrypt.acme.email=<your-acme-contact-email>"
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - letsencrypt:/letsencrypt

  api:
    image: myapi:latest
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.api.rule=Host(`api.example.com`)"
      - "traefik.http.routers.api.entrypoints=websecure"
      - "traefik.http.routers.api.tls.certresolver=letsencrypt"
      - "traefik.http.services.api.loadbalancer.server.port=8000"

  webapp:
    image: myapp:latest
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.webapp.rule=Host(`app.example.com`)"
      - "traefik.http.routers.webapp.entrypoints=websecure"
      - "traefik.http.routers.webapp.tls.certresolver=letsencrypt"
      - "traefik.http.services.webapp.loadbalancer.server.port=3000"

volumes:
  letsencrypt:
```
Expected: Traefik auto-discovers services via labels and provisions SSL certificates.
Step 6: Traefik — Path-Based Routing with Labels
```yaml
services:
  api:
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.api.rule=Host(`example.com`) && PathPrefix(`/api`)"
      - "traefik.http.routers.api.middlewares=strip-api"
      - "traefik.http.middlewares.strip-api.stripprefix.prefixes=/api"
      - "traefik.http.services.api.loadbalancer.server.port=8000"
```
Step 7: Traefik — Rate Limiting and Headers
```yaml
labels:
  - "traefik.http.middlewares.ratelimit.ratelimit.average=100"
  - "traefik.http.middlewares.ratelimit.ratelimit.burst=50"
  - "traefik.http.middlewares.security.headers.stsSeconds=63072000"
  - "traefik.http.middlewares.security.headers.contentTypeNosniff=true"
  - "traefik.http.middlewares.security.headers.frameDeny=true"
  - "traefik.http.routers.app.middlewares=ratelimit,security"
```
Step 8: Verify Proxy Configuration
```bash
# Nginx: test config
docker compose exec nginx nginx -t

# Check routing
curl -H "Host: api.example.com" http://localhost/health

# Check WebSocket (needs wscat: npm install -g wscat)
wscat -c ws://localhost/ws/

# Traefik dashboard (if enabled)
# http://localhost:8080/dashboard/
```
Expected: Requests route to the correct backends. WebSocket upgrades succeed.
Validation
- HTTP requests route to the correct backend based on path or host
- WebSocket connections establish and stay open
- SSL termination works (if configured)
- Backend services receive correct `Host`, `X-Real-IP`, `X-Forwarded-For` headers
- Traefik auto-discovers new services via labels (if using Traefik)
- Configuration survives `docker compose restart`
Pitfalls
- Trailing slash mismatch: `proxy_pass http://app/` vs `http://app` behaves differently with path stripping in Nginx.
- WebSocket timeout: Default `proxy_read_timeout` is 60s. Long-lived WebSocket connections need `86400` (24h).
- Docker socket security: Mounting `/var/run/docker.sock` in Traefik gives it full Docker access. Use a `ro` mount and consider a socket proxy. The `ro` flag only makes the socket file read-only; it does not limit the Docker API calls made through it, so a socket proxy that exposes only the endpoints Traefik needs is the effective control.
- DNS resolution: Nginx resolves upstreams at startup. Use `resolver 127.0.0.11` for Docker's internal DNS with dynamic services.
- Missing `proxy_buffering off`: Shiny and SSE endpoints need `proxy_buffering off` for real-time streaming.
Related Skills
- `configure-nginx` - detailed Nginx configuration with SSL and security headers
- `deploy-shinyproxy` - ShinyProxy for containerized Shiny app hosting
- `setup-compose-stack` - compose stack that uses a reverse proxy
- `configure-api-gateway` - API gateway patterns with Kong and Traefik
