
Reverse proxy and HTTPS

Put SlugBase behind nginx, Caddy, or Traefik: set public URLs, preserve client IP, and keep cookies working.

What you need

  • A domain name and TLS certificate (Let’s Encrypt or your CA).
  • A reverse proxy that can forward HTTP to the SlugBase container or process (default upstream port 5000).
  • Environment variables BASE_URL and FRONTEND_URL set to the public HTTPS URL users type in the browser.

The Express app sets trust proxy to 1 hop so X-Forwarded-* headers from your proxy are honored for IP and protocol-aware behavior. Session cookies are marked secure when NODE_ENV=production and BASE_URL starts with https://.

If BASE_URL stays http:// while users reach the site over HTTPS, the Secure flag on session cookies is decided from the wrong scheme and may not match how browsers treat the session. Set both BASE_URL and FRONTEND_URL to the canonical https:// origin.
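How the 1-hop trust proxy setting turns X-Forwarded-For and X-Forwarded-Proto into the client IP and protocol the app sees, as an added example rather than SlugBase code. The functions mirror Express's hop-count rule; their names and the sample addresses are constructed for illustration.

```javascript
// Added example: models Express "trust proxy" hop counting; not SlugBase source code.
// All addresses below are constructed documentation-range samples.

// Nearest-first chain: socket peer, then X-Forwarded-For entries right to left.
function addressChain(socketAddr, xff) {
  const forwarded = (xff || '').split(',').map((s) => s.trim()).filter(Boolean);
  return [socketAddr, ...forwarded.reverse()];
}

// With `hops` trusted proxies, skip that many addresses from the near end.
// If the chain is shorter than `hops`, the furthest known address is used.
function resolveClientIp(socketAddr, xff, hops = 1) {
  const chain = addressChain(socketAddr, xff);
  return chain[Math.min(hops, chain.length - 1)];
}

// X-Forwarded-Proto is honored only when the socket peer is trusted (hops >= 1).
function resolveProtocol(socketEncrypted, xfProto, hops = 1) {
  const direct = socketEncrypted ? 'https' : 'http';
  if (hops < 1 || !xfProto) return direct;
  return xfProto.split(',')[0].trim();
}

// What the app receives from a proxy on 127.0.0.1 for a client at 203.0.113.7
// whose own request already carried "X-Forwarded-For: 198.51.100.9".
const samples = {
  // Proxy appends the connecting address (nginx $proxy_add_x_forwarded_for behaviour).
  appended: { socket: '127.0.0.1', xff: '198.51.100.9, 203.0.113.7', proto: 'https' },
  // Proxy forwards the client's header untouched and sets no X-Forwarded-Proto.
  passthrough: { socket: '127.0.0.1', xff: '198.51.100.9', proto: undefined },
};

// Resolve one sample with 1 trusted hop and a plain-HTTP upstream connection.
function report(name) {
  const s = samples[name];
  return {
    ip: resolveClientIp(s.socket, s.xff, 1),
    protocol: resolveProtocol(false, s.proto, 1),
  };
}

console.log('appended   ', report('appended'));    // { ip: '203.0.113.7', protocol: 'https' }
console.log('passthrough', report('passthrough')); // { ip: '198.51.100.9', protocol: 'http' }
```

In the passthrough case the app records an address the proxy never verified and treats the request as plain HTTP, so the proxy has to write both headers itself.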

Steps

Point DNS at your proxy

Create an A/AAAA (or CNAME) record for your hostname to the machine or load balancer that terminates TLS.

Forward to SlugBase

Proxy / to the backend listening on PORT (default 5000). Use HTTP to the upstream unless you terminate TLS again behind the proxy.

Typical headers to set (names may vary by proxy):

  • Host — original host from the client.
  • X-Forwarded-Proto — https when the client used HTTPS.
  • X-Forwarded-For — client IP chain.

Align environment variables

Set:

NODE_ENV=production
BASE_URL=https://bookmarks.example.com
FRONTEND_URL=https://bookmarks.example.com

Add CORS_EXTRA_ORIGINS only if a separate origin loads the SPA or calls the API. See Configuration.

Reload and test

Open the public URL, complete or confirm login, and verify Admin and Bookmarks load without mixed-content or redirect loops.

Example snippets

Caddy (Caddyfile):

bookmarks.example.com {
  reverse_proxy localhost:5000
}

Verify

  • Load https://your-domain/api/health and confirm 200 (or your health JSON) through the proxy.
  • Sign in, refresh, and confirm you stay signed in: the HttpOnly token cookie (JWT) should persist with Secure when NODE_ENV=production and BASE_URL starts with https://. With OIDC, slugbase.sid may appear during the callback (express-session); token is what keeps you signed in afterward.
  • If OIDC login is configured, complete a round trip; callback URLs must match the public BASE_URL.

Troubleshooting