Proxy Settings
Configure ATStatus behind a reverse proxy
When running ATStatus behind a reverse proxy (NGINX, Traefik, Caddy, etc.), you need to configure the application to trust proxy headers. This ensures correct IP detection, secure cookie handling, and proper HTTPS redirects.
TRUST_PROXY Setting
# Enable proxy trust
TRUST_PROXY=true
# Or specify trusted proxy addresses
TRUST_PROXY=127.0.0.1,10.0.0.0/8
Security Warning: Only enable TRUST_PROXY when running behind a trusted reverse proxy. Enabling it without a proxy can expose your application to IP spoofing attacks.
What TRUST_PROXY Affects
X-Forwarded-For
Client IP address detection for audit logs, rate limiting, and analytics.
X-Forwarded-Proto
Protocol detection (HTTP/HTTPS) for secure cookie handling and redirects.
X-Forwarded-Host
Original host header for correct URL generation.
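The following is an added example, not ATStatus code: one way an application can resolve the client address from X-Forwarded-For against a TRUST_PROXY-style address list, which shows why the header must be ignored when the connection does not come from a trusted proxy. The function names are hypothetical, only IPv4 is handled, and the addresses in the comments and tests are constructed.

```javascript
// Added example: hypothetical helpers, IPv4 only.
function ipv4ToInt(ip) {
  const parts = ip.trim().split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// Parse a value such as "127.0.0.1,10.0.0.0/8" into [network, mask] pairs.
function parseTrusted(list) {
  return list.split(',').map((entry) => {
    const [addr, bits = '32'] = entry.trim().split('/');
    const prefix = Number(bits);
    const base = ipv4ToInt(addr);
    if (base === null || !Number.isInteger(prefix) || prefix < 0 || prefix > 32) {
      throw new Error(`invalid trusted proxy entry: ${entry}`);
    }
    const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
    return [(base & mask) >>> 0, mask];
  });
}

function isTrusted(ip, trusted) {
  const n = ipv4ToInt(ip);
  return n !== null && trusted.some(([base, mask]) => ((n & mask) >>> 0) === base);
}

// `peer` is the TCP source address of the connection to the application.
function resolveClientIp(peer, xForwardedFor, trusted) {
  // Peer is not a trusted proxy: the header is client-controlled, so ignore it.
  if (!isTrusted(peer, trusted)) return peer;
  const hops = (xForwardedFor || '').split(',').map((h) => h.trim()).filter(Boolean);
  // Walk right to left: each proxy appended the address it saw connect.
  let client = peer;
  for (let i = hops.length - 1; i >= 0; i--) {
    if (ipv4ToInt(hops[i]) === null) break; // malformed entry: keep last good address
    client = hops[i];
    if (!isTrusted(client, trusted)) break; // first untrusted hop is the client
  }
  return client;
}
```

With the NGINX configuration on this page, $proxy_add_x_forwarded_for appends the connecting address to whatever X-Forwarded-For value the client sent, so only the entries added by trusted proxies (read from the right) are reliable.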
Common Reverse Proxy Configurations
NGINX
location / {
    proxy_pass http://localhost:3000;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_cache_bypass $http_upgrade;
}
Caddy
status.example.com {
    reverse_proxy localhost:3000
}
Caddy automatically handles SSL certificates and forwards proper headers.
Traefik (Docker)
labels:
  - "traefik.enable=true"
  - "traefik.http.routers.atstatus.rule=Host(`status.example.com`)"
  - "traefik.http.services.atstatus.loadbalancer.server.port=3000"
Related Environment Variables
| Variable | Description | Default |
|---|---|---|
| TRUST_PROXY | Trust X-Forwarded-* headers | false |
| FORCE_SECURE_COOKIES | Override secure cookie detection | auto |
| NEXTAUTH_URL | Public URL (required for auth) | - |
