Skip to content

Reverse Proxy Service

The Reverse Proxy acts as the ingress boundary of the platform. It terminates SSL/TLS certificates and routes inbound external traffic to the appropriate backend containers.

1. Technology Stack

  • Proxy Engine: Nginx Proxy Manager (NPM)
  • Metadata Database: MariaDB (jc21/mariadb-aria)
  • Certificate Authority: Let's Encrypt (integrated natively within Nginx Proxy Manager)

2. Ingress Layout

All external client traffic flows through the reverse proxy on ports 80 (HTTP redirect) and 443 (HTTPS with SSL). 

                                       +---------------+
                                  +--->|  Web Frontend |
                                  |    +---------------+
  [ Inbound HTTPS ] --> [ Nginx ] +--->| Proxy API GW  |
                                  |    +---------------+
                                  +--->| Keycloak Auth |
                                       +---------------+

The router distributes traffic based on HTTP host headers and URL paths: * / and static assets -> Routed to angular-client container on port 4200. * /api/* and /terminal -> Routed to proxy-server container on port 3000 (preserving websocket upgrade headers). * /auth/* -> Routed to keycloak container on port 8080.

3. Configuration & State Storage

  • SSL Certificates: Stored persistently inside the local directory ./reverse-proxy/letsencrypt.
  • Nginx Configuration: Stored inside ./reverse-proxy/data.
  • Database State: Stored persistently inside the DB mount volume directory, preserving user custom proxy hosts and redirection rules.
  • WebSockets: Explicitly enabled on paths routing to proxy-server to allow terminal interactive execution flows to handshake successfully.