Skip to content

Proxy configuration

Overview

Team Edition includes a built-in reverse proxy for secure access and load balancing.

This article explains how to set up a proxy in the Team Edition Compose setup.

For proxy configuration in other deployment types, see README in the team-edition-deploy repository.

Configure proxy server

Starting in version 25.1, Team Edition supports two proxy types: Nginx and HAProxy. Set the proxy type in your .env file:

PROXY_TYPE=nginx  # Options: nginx, haproxy

If you previously used Nginx and want to switch to HAProxy, you can do it without losing configuration or SSL certificates - shared Docker volumes handle it.

Info

For details on environment configuration, see Team Edition deployment from Docker Compose

Proxy ports

When using Docker Compose with network_mode: host, set ports in your .env file:

LISTEN_PORT_HTTP=80
LISTEN_PORT_HTTPS=443

These control which ports the proxy listens to inside the container.

Extra step for Nginx

If you use Nginx and set a custom COMPOSE_PROJECT_NAME in your .env, pass it explicitly in the container’s environment block:

environment:
  - COMPOSE_PROJECT_NAME=${COMPOSE_PROJECT_NAME}

Note

This isn’t needed for HAProxy - it resolves service names via Docker DNS.

Force HTTPS mode

Force HTTPS enforces secure connections across the entire application. When this option is enabled, the server automatically redirects all HTTP requests to HTTPS and sets cookies with the Secure flag, so they’re never sent over unencrypted channels.

Why enable force HTTPS

  • Protect sensitive data - ensures that credentials, tokens, and query results are never transmitted in plain text
  • Stay compliant - many organizations, regulations, and audits require HTTPS-only communication
  • Remove inconsistencies - even if users try to connect via http://, they’re redirected to https://
  • Harden authentication - secure cookies prevent hijacking over unencrypted channels

Tip

Browsers like Chrome may auto-upgrade some HTTP connections, but this isn’t guaranteed for all users or environments. Force HTTPS ensures the same security policy everywhere.

Turn on force HTTPS

  1. You can enable Force HTTPS in one of the following ways:

    • during initial setup, in the Easy Config wizard when starting the application
    • later, in Settings -> Administration -> Server configuration
    • or, by setting the environment variable:
    CLOUDBEAVER_FORCE_HTTPS=true
    

    Info

    For details, see Server configuration.

  2. Confirm that your proxy already has valid SSL certificates (see SSL certificates)

Once enabled, all requests over port 80 will be redirected to 443, and session cookies will be marked secure.

Warning

If SSL isn’t configured in the proxy, enabling force HTTPS will make the application unreachable.

Multiple server URLs

You can allow access from several domains instead of a single entry point. This improves SSO, migration, and high-availability scenarios.

For details, see Multiple server URLs.