configure-reverse-proxy
关于
This skill configures reverse proxy setups for Nginx, Traefik, and ShinyProxy, handling WebSocket proxying, routing, and SSL termination. Use it to route multiple services through a single entry point, auto-discover Docker services with Traefik, or add TLS to services without native support. It's ideal for developers needing to manage traffic for containerized applications or web apps like Shiny.
快速安装
Claude Code
推荐npx skills add pjt222/agent-almanac -a claude-code/plugin add https://github.com/pjt222/agent-almanacgit clone https://github.com/pjt222/agent-almanac.git ~/.claude/skills/configure-reverse-proxy在 Claude Code 中复制并粘贴此命令以安装该技能
技能文档
Configure Reverse Proxy
Set up reverse proxy patterns for routing traffic to backend services w/ Nginx, Traefik, or ShinyProxy.
Use When
- Route multi services behind single entry point
- Proxy WebSocket connections (Shiny, Socket.IO, live reload)
- Auto-discover Docker services w/ Traefik labels
- Path-based / host-based routing to diff backends
- Add SSL termination to services that don't handle TLS
In
- Required: Backend services to proxy (host:port)
- Required: Routing strategy (path-based, host-based, or both)
- Optional: Proxy tool preference (Nginx, Traefik)
- Optional: Domain name(s) for host-based routing
- Optional: WebSocket endpoints to proxy
Do
Step 1: Choose Proxy Tool
| Feature | Nginx | Traefik |
|---|---|---|
| Configuration | Static files | Docker labels / dynamic |
| Auto-discovery | No (manual) | Yes (Docker provider) |
| Let's Encrypt | Via certbot | Built-in ACME |
| Dashboard | No (3rd party) | Built-in |
| WebSocket | Manual config | Automatic |
| Best for | Static config, high traffic | Dynamic Docker environments |
Step 2: Nginx — Path-Based Routing
server {
listen 80;
location /api/ {
proxy_pass http://api:8000/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
location /app/ {
proxy_pass http://webapp:3000/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
location / {
root /usr/share/nginx/html;
try_files $uri $uri/ /index.html;
}
}
Note: Trailing / on proxy_pass strips location prefix. proxy_pass http://api:8000/; w/ location /api/ forwards /api/users as /users.
Step 3: Nginx — Host-Based Routing
server {
listen 80;
server_name api.example.com;
location / {
proxy_pass http://api:8000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}
server {
listen 80;
server_name app.example.com;
location / {
proxy_pass http://webapp:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
}
}
Step 4: Nginx — WebSocket Proxying
WebSockets require upgrade headers. Essential for Shiny, Socket.IO, live reload:
location /ws/ {
proxy_pass http://app:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_read_timeout 86400;
}
For Shiny apps specifically:
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
server {
location / {
proxy_pass http://shiny:3838;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $host;
proxy_read_timeout 86400;
proxy_buffering off;
}
}
→ WebSocket connections establish + persist.
If err: Check proxy_http_version 1.1 set. Valid. Upgrade + Connection headers.
Step 5: Traefik — Docker Label Auto-Discovery
docker-compose.yml:
services:
traefik:
image: traefik:v3.2
command:
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
- "--entrypoints.websecure.address=:443"
- "[email protected]"
- "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
- "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
ports:
- "80:80"
- "443:443"
volumes:
- /var/run/docker.sock:/var/run/docker.sock:ro
- letsencrypt:/letsencrypt
api:
image: myapi:latest
labels:
- "traefik.enable=true"
- "traefik.http.routers.api.rule=Host(`api.example.com`)"
- "traefik.http.routers.api.entrypoints=websecure"
- "traefik.http.routers.api.tls.certresolver=letsencrypt"
- "traefik.http.services.api.loadbalancer.server.port=8000"
webapp:
image: myapp:latest
labels:
- "traefik.enable=true"
- "traefik.http.routers.webapp.rule=Host(`app.example.com`)"
- "traefik.http.routers.webapp.entrypoints=websecure"
- "traefik.http.routers.webapp.tls.certresolver=letsencrypt"
- "traefik.http.services.webapp.loadbalancer.server.port=3000"
volumes:
letsencrypt:
→ Traefik auto-discovers services via labels, provisions SSL certs.
Step 6: Traefik — Path-Based Routing w/ Labels
services:
api:
labels:
- "traefik.enable=true"
- "traefik.http.routers.api.rule=Host(`example.com`) && PathPrefix(`/api`)"
- "traefik.http.routers.api.middlewares=strip-api"
- "traefik.http.middlewares.strip-api.stripprefix.prefixes=/api"
- "traefik.http.services.api.loadbalancer.server.port=8000"
Step 7: Traefik — Rate Limiting + Headers
labels:
- "traefik.http.middlewares.ratelimit.ratelimit.average=100"
- "traefik.http.middlewares.ratelimit.ratelimit.burst=50"
- "traefik.http.middlewares.security.headers.stsSeconds=63072000"
- "traefik.http.middlewares.security.headers.contentTypeNosniff=true"
- "traefik.http.middlewares.security.headers.frameDeny=true"
- "traefik.http.routers.app.middlewares=ratelimit,security"
Step 8: Verify Proxy Configuration
# Nginx: test config
docker compose exec nginx nginx -t
# Check routing
curl -H "Host: api.example.com" http://localhost/health
# Check WebSocket (needs wscat: npm install -g wscat)
wscat -c ws://localhost/ws/
# Traefik dashboard (if enabled)
# http://localhost:8080/dashboard/
→ Reqs route to correct backends. WebSocket upgrades succeed.
Check
- HTTP reqs route to correct backend by path or host
- WebSocket connections establish + maintain
- SSL termination works (if config'd)
- Backend services receive correct
Host,X-Real-IP,X-Forwarded-Forheaders - Traefik auto-discovers new services via labels (if using Traefik)
- Config survives
docker compose restart
Traps
- Trailing slash mismatch:
proxy_pass http://app/vshttp://appbehaves differently w/ path stripping in Nginx. - WebSocket timeout: Default
proxy_read_timeout= 60s. Long-lived WebSocket connections need86400(24h). - Docker socket security: Mounting
/var/run/docker.sockin Traefik gives full Docker access. Useromount + consider socket proxy. - DNS resolution: Nginx resolves upstreams at startup. Use
resolver 127.0.0.11for Docker's internal DNS w/ dynamic services. - Missing
proxy_buffering off: Shiny + SSE endpoints needproxy_buffering offfor real-time streaming.
→
configure-nginx- detailed Nginx config w/ SSL + security headersdeploy-shinyproxy- ShinyProxy for containerized Shiny app hostingsetup-compose-stack- compose stack using reverse proxyconfigure-api-gateway- API gateway patterns w/ Kong + Traefik
GitHub 仓库
相关推荐技能
railway-docs
文档Railway Docs Skill可实时获取最新的Railway官方文档,确保回答的准确性。当开发者询问Railway功能特性、工作原理或分享docs.railway.com链接时,应优先使用此技能。它通过专门的LLM优化文档源提供最新信息,避免依赖过时记忆来回答技术问题。
n8n-code-python
文档该Skill为在n8n平台的Python代码节点中编写代码提供专家指导,特别适用于需要使用_input/_json/_node语法、Python标准库或了解n8n中Python限制的场景。它强调JavaScript应作为首选方案,仅当需要特定Python功能或对Python语法更熟悉时才使用Python。Skill提供了快速入门模板和关键注意事项,帮助开发者在n8n中高效编写Python代码。
archon
文档Archon Skill为开发者提供了基于RAG的语义搜索和项目任务管理功能,可通过REST API访问知识库。它支持文档搜索、网站爬取、文件上传和版本控制,适用于技术文档查询和项目管理场景。首次使用时需要配置Archon主机地址,建议在处理外部文档时优先使用该Skill。
n8n-code-javascript
文档这个Skill为n8n工作流中的JavaScript代码节点提供专业指导,涵盖数据处理、HTTP请求和日期操作等核心场景。它详细解释了如何正确使用n8n特有的`$input`/`$json`语法、`$helpers`工具以及DateTime对象,并包含关键的错误排查和模式选择建议。开发者通过该Skill能快速掌握Code节点的正确返回格式、数据访问方法和常见陷阱解决方案。