Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -146,6 +146,10 @@ sudo docker compose up -d

Now, launch your web browser and enjoy Huly! To stop all services, run `docker compose down` from the `huly-selfhost` project directory.

> [!TIP]
> Prefer **Caddy** (automatic HTTPS) or **Traefik** instead of nginx? See
> [`guides/reverse-proxy.md`](guides/reverse-proxy.md).

> [!IMPORTANT]
> Provided configrations include deployments of CockroachDB and Redpanda which might not be production-ready. Please inspect them carefully before using in production. For more information on the recommended deployment configurations, please refer to the [CockroachDB](https://www.cockroachlabs.com/docs/stable/recommended-production-settings) and [Redpanda](https://docs.redpanda.com/24.3/deploy/) documentation.

Expand Down
18 changes: 18 additions & 0 deletions examples/Caddyfile
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
# Caddyfile - front Huly with automatic HTTPS (Let's Encrypt) and WebSocket support.
#
# 1. Point your domain's DNS at this host (ports 80 and 443 reachable).
# 2. In huly.conf / .env set:
# HTTP_BIND=127.0.0.1
# HTTP_PORT=8087
# SECURE=true
# HOST_ADDRESS=huly.example.com
# so Huly emits https/wss URLs that match what Caddy serves.
# 3. Replace huly.example.com and 8087 below, then run: caddy run --config ./Caddyfile
#
# Caddy provisions and renews the TLS certificate automatically, and forwards WebSocket
# upgrades and the X-Forwarded-* headers with no extra configuration (the Huly transactor
# needs WebSockets).

huly.example.com {
reverse_proxy 127.0.0.1:8087
}
38 changes: 38 additions & 0 deletions guides/reverse-proxy.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
# Reverse proxy options

Huly's `front` service is served on a single local port (`HTTP_PORT`, default `8087`), and
the app uses **WebSockets** (the transactor). So any reverse proxy in front of it must
forward WebSocket upgrades and the usual `X-Forwarded-*` headers, and Huly must be told it
is behind TLS so it emits `https`/`wss` URLs.

> [!IMPORTANT]
> Keep Huly's config consistent with the proxy. When you terminate TLS at the proxy, set
> `SECURE=true` and `HOST_ADDRESS=your-domain` in `huly.conf` / `.env`. A mismatch (proxy on
> HTTPS while Huly still emits `http://` / `ws://`) is the usual cause of "Failed to fetch"
> and WebSocket errors after the UI loads.

## nginx (default)

`./setup.sh` generates `nginx.conf`, and `./nginx.sh` keeps `server_name`, `listen`, and
`proxy_pass` in sync with your config. See the main README for the full walk-through.

## Caddy (automatic HTTPS)

[`examples/Caddyfile`](../examples/Caddyfile) fronts Huly with automatic Let's Encrypt TLS
and transparent WebSocket support - no manual certificates, no renewal cron:

```caddy
huly.example.com {
reverse_proxy 127.0.0.1:8087
}
```

Set `HTTP_BIND=127.0.0.1`, `HTTP_PORT=8087`, `SECURE=true`, and `HOST_ADDRESS=huly.example.com`
in your config, then run `caddy run --config ./Caddyfile` (or point your system Caddy at the
file). Caddy handles certificate issuance/renewal and the WebSocket upgrade for you.

## Traefik

A sample Traefik setup lives under [`traefik/`](../traefik). As with the others, set
`SECURE=true` and `HOST_ADDRESS` so Huly emits `https`/`wss`, and make sure the router
forwards WebSockets to the `front` service.