From c11ca8e5e2aeb496fe1474ee44e1bf52ee55b830 Mon Sep 17 00:00:00 2001 From: Long Le Date: Tue, 27 Jan 2026 06:33:04 +0700 Subject: [PATCH 1/7] use nginx for handling and proxy request to API and Web UI (#15) * use nginx for handling request * Use /backend, not /api (/api is already used) * BASE_URL; add conditions for nginx start * api -> backend * Use descriptive language * Config hardening * Fix config for websocket support --------- Co-authored-by: Blue Mouse --- .env.example | 3 ++- README.md | 4 +-- compose.yaml | 22 +++++++++++---- configure.sh | 13 ++++----- nginx/config | 75 ++++++++++++++++++++++++++++++++++++++++------------ 5 files changed, 86 insertions(+), 31 deletions(-) diff --git a/.env.example b/.env.example index a44dd78..6edf66f 100644 --- a/.env.example +++ b/.env.example @@ -3,7 +3,8 @@ # For more information, refer to our documentation: https://docs.swetrix.com/selfhosting/configuring # Swetrix Frontend configuration -API_URL=http://localhost:8080 +# Public URL where your Swetrix instance is reachable (no trailing slash). +BASE_URL=http://localhost # Swetrix API configuration diff --git a/README.md b/README.md index dacc326..aeb44f9 100644 --- a/README.md +++ b/README.md 
@@ -20,8 +20,8 @@ git clone https://github.com/swetrix/selfhosting cd selfhosting ``` 2. [Install Docker](https://www.digitalocean.com/community/tutorials/how-to-install-and-use-docker-on-ubuntu-20-04?ref=swetrix.com) if you haven't already. -3. Configure the environment variables for your Swetrix instance. It can be easily done by running `./configure.sh` script, which will ask you to provide the necessary values and generate a `.env` file with them. A table explaining what each value means can be found [here](https://docs.swetrix.com/selfhosting/configuring). +3. Configure the environment variables for your Swetrix instance. It can be easily done by running `./configure.sh` script, which will ask you to provide the necessary values (including `BASE_URL`) and generate a `.env` file with them. See the [configuration variable reference](https://docs.swetrix.com/selfhosting/configuring). 4. Run `docker compose up -d` to start the Swetrix services. -5. After that, you will be able to access Swetrix web portal on the port you specified in `swetrix` category in `compose.yaml` (by default, it's set to `80`). +5. After that, you will be able to access Swetrix web portal at the URL you set in `BASE_URL` (by default, `http://localhost`). And that's it! :) If you have any questions, feel free to join our [Discord community](https://discord.gg/ZVK8Tw2E8j). You can also star our [main repository](https://github.com/Swetrix/swetrix) as a token of appreciation. diff --git a/compose.yaml b/compose.yaml index 48c3da6..314413c 100644 --- a/compose.yaml +++ b/compose.yaml @@ -5,10 +5,8 @@ services: restart: always depends_on: - swetrix-api - ports: - - "80:3000" environment: - - API_URL=${API_URL} + - BASE_URL=${BASE_URL} healthcheck: test: [ @@ -23,8 +21,6 @@ services: image: swetrix/swetrix-api:v4.1.0 restart: always container_name: swetrix-api - ports: - - "8080:5005" environment: # Configurable with .env file - SECRET_KEY_BASE=${SECRET_KEY_BASE} 
@@ -114,6 +110,22 @@ services: nofile: soft: 262144 hard: 262144 + + nginx-proxy: + image: nginx:1.29.4-alpine + restart: always + depends_on: + swetrix: + condition: service_healthy + swetrix-api: + condition: service_healthy + links: + - "swetrix-api" + - "swetrix" + ports: + - "80:80" + volumes: + - ./nginx/config:/etc/nginx/conf.d/default.conf volumes: swetrix-events-data: driver: local diff --git a/configure.sh b/configure.sh index 333ec75..0d0e32c 100755 --- a/configure.sh +++ b/configure.sh @@ -251,15 +251,16 @@ echo -e "${GREEN}Creating new .env file...${NC}" echo -e "# Swetrix Frontend configuration" > .env -# API_URL +# BASE_URL while true; do - echo - read -e -p "Enter API_URL of your Swetrix API instance (required, e.g., https://api.swetrix.example.com): " api_url - if [ -n "$api_url" ]; then - echo "API_URL=$api_url" >> .env + echo + read -e -p "Enter public URL of your Swetrix instance (required, e.g., https://swetrix.example.com): " base_url + if [ -n "$base_url" ]; then + base_url="${base_url%/}" + echo "BASE_URL=$base_url" >> .env break else - echo -e "${RED}API_URL is required. Please enter a value.${NC}" + echo -e "${RED}BASE_URL is required. Please enter a value.${NC}" fi done diff --git a/nginx/config b/nginx/config index a984924..86c5ffc 100644 --- a/nginx/config +++ b/nginx/config 
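Review bot: The new `nginx-proxy` service bind-mounts `./nginx/config` writable into the container although nginx only reads it; the volume line should be `- ./nginx/config:/etc/nginx/conf.d/default.conf:ro`. The `links:` entries are a legacy Compose feature and look redundant, since the nginx config already reaches `swetrix-api` and `swetrix` by service name (presumably on the default network) and `depends_on` covers start order. `ports: "80:80"` publishes plain HTTP on every host interface, so the README should state that TLS has to be terminated in front of this container, or the bind narrowed to `"127.0.0.1:80:80"` when another proxy runs on the same host.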
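Review bot: The emptiness test in the BASE_URL loop runs before the trailing slash is stripped, so an input of `/` passes `[ -n "$base_url" ]` and writes an empty `BASE_URL=` to `.env`; the `sed 's:/*$::'` version in PATCH 3/7 has the same ordering problem. Nothing checks that the value is an http(s) URL either, and it is appended to `.env` verbatim, so a typo or embedded whitespace only surfaces later as a broken deployment. Validate after trimming, e.g. `[[ "$base_url" =~ ^https?://[^[:space:]]+$ ]] || { echo -e "${RED}BASE_URL must start with http:// or https://${NC}"; continue; }`, and read with `read -r -e -p` so backslashes are not consumed. The script around the `while` loop lies outside the hunk.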
@@ -1,27 +1,68 @@ +map $http_upgrade $connection_upgrade { + default upgrade; + "" close; +} + server { - listen 81; - listen [::]:81; - # server_name swetrix.yourdomain.com; + listen 80; + listen [::]:80; server_name _; - location / { - proxy_pass http://localhost:80; + # security headers + add_header X-XSS-Protection "1; mode=block" always; + add_header X-Content-Type-Options "nosniff" always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + add_header Permissions-Policy "interest-cohort=()" always; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; + + # Keep /backend/ prefix; this is used to route requests to the Swetrix API. + location /backend/ { + proxy_pass http://swetrix-api:5005/; + proxy_http_version 1.1; proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - } -} -server { - listen 8081; - listen [::]:8081; - # server_name api.swetrix.yourdomain.com; - server_name _; + # Proxy headers + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + + # Proxy buffering (prevents truncated responses for large files) + proxy_buffering on; + proxy_buffer_size 256k; + proxy_buffers 32 512k; + proxy_busy_buffers_size 4m; + proxy_max_temp_file_size 1024m; + } location / { - proxy_pass http://localhost:8080; + proxy_pass http://swetrix:3000; + proxy_http_version 1.1; proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + # Proxy headers + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + proxy_set_header X-Real-IP $remote_addr; + 
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $host; + proxy_set_header X-Forwarded-Port $server_port; + + # Proxy buffering (prevents truncated responses for large files) + proxy_buffering on; + proxy_buffer_size 256k; + proxy_buffers 32 512k; + proxy_busy_buffers_size 4m; + proxy_max_temp_file_size 1024m; } + + gzip on; + gzip_vary on; + gzip_proxied any; + gzip_comp_level 6; + gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml; } From 94c7275f448eb78d81b2655d6cb1130c3b4586aa Mon Sep 17 00:00:00 2001 From: Blue Mouse Date: Tue, 27 Jan 2026 00:15:38 +0000 Subject: [PATCH 2/7] Remove CLOUDFLARE_PROXY_ENABLED --- .env.example | 1 - 1 file changed, 1 deletion(-) diff --git a/.env.example b/.env.example index 6edf66f..9a59cf9 100644 --- a/.env.example +++ b/.env.example @@ -15,7 +15,6 @@ SECRET_KEY_BASE= DISABLE_REGISTRATION=true IP_GEOLOCATION_DB_PATH= DEBUG_MODE=false -CLOUDFLARE_PROXY_ENABLED=false # Emails configuration (SMTP) # See https://docs.swetrix.com/selfhosting/configuring#email-configuration-smtp From c11a4a3f7a797d0f657bd9648b65f2c839d10986 Mon Sep 17 00:00:00 2001 From: Blue Mouse Date: Tue, 27 Jan 2026 00:18:05 +0000 Subject: [PATCH 3/7] Trim trailing slashes for BASE_URL --- configure.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.sh b/configure.sh index 0d0e32c..9902957 100755 --- a/configure.sh +++ b/configure.sh @@ -256,7 +256,7 @@ while true; do echo read -e -p "Enter public URL of your Swetrix instance (required, e.g., https://swetrix.example.com): " base_url if [ -n "$base_url" ]; then - base_url="${base_url%/}" + base_url="$(echo "$base_url" | sed 's:/*$::')" echo "BASE_URL=$base_url" >> .env break else From 650a1a227d49b8772a48bf0fc2131fa087b20e55 Mon Sep 17 00:00:00 2001 
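Review bot: Both `location` blocks forward `X-Forwarded-For $proxy_add_x_forwarded_for`, which appends the peer address to whatever `X-Forwarded-For` the client sent, and PATCH 6/7 sets `CLIENT_IP_HEADER=x-forwarded-for`; when this nginx is the internet-facing hop a client-supplied value reaches the API, and if the API reads the first entry (not visible here) the recorded client IP can be spoofed. When nginx is the edge, overwrite instead of appending with `proxy_set_header X-Forwarded-For $remote_addr;`, and when a trusted proxy sits in front, limit trust with `set_real_ip_from <trusted-proxy-cidr>;` plus `real_ip_header X-Forwarded-For;`. Separately, `Strict-Transport-Security` is added on a plain `listen 80` server, where browsers ignore it, and `X-Forwarded-Proto $scheme` will always be `http` behind a TLS terminator, so both need a comment stating which deployment they assume. `X-XSS-Protection "1; mode=block"` is deprecated in current browsers and is better dropped in favour of a `Content-Security-Policy` header.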
From: Blue Mouse Date: Tue, 27 Jan 2026 00:20:30 +0000 Subject: [PATCH 4/7] Bump swetrix version --- compose.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/compose.yaml b/compose.yaml index 314413c..4dc9da2 100644 --- a/compose.yaml +++ b/compose.yaml @@ -1,7 +1,7 @@ services: # This is Swetrix user interface application, it's used to display the analytics data, render charts, etc. swetrix: - image: swetrix/swetrix-fe:v4.1.0 + image: swetrix/swetrix-fe:v5.0.0 restart: always depends_on: - swetrix-api @@ -18,7 +18,7 @@ services: # This is Swetrix API, it's purpose is to collect incoming analytical events and serve the data to the UI swetrix-api: - image: swetrix/swetrix-api:v4.1.0 + image: swetrix/swetrix-api:v5.0.0 restart: always container_name: swetrix-api environment: From 720b0764b63f7f64eca74ffda2c0553e958f1044 Mon Sep 17 00:00:00 2001 From: Blue Mouse Date: Tue, 27 Jan 2026 00:22:37 +0000 Subject: [PATCH 5/7] Remove Cloudflare Proxy stuff --- compose.yaml | 1 - configure.sh | 10 ---------- 2 files changed, 11 deletions(-) diff --git a/compose.yaml b/compose.yaml index 4dc9da2..2204270 100644 --- a/compose.yaml +++ b/compose.yaml @@ -27,7 +27,6 @@ services: - DISABLE_REGISTRATION - IP_GEOLOCATION_DB_PATH - DEBUG_MODE - - CLOUDFLARE_PROXY_ENABLED # Emails configuration (SMTP) - SMTP_HOST diff --git a/configure.sh b/configure.sh index 9902957..111ed21 100755 --- a/configure.sh +++ b/configure.sh @@ -275,16 +275,6 @@ if [ -z "$secret_key_base" ]; then fi echo "SECRET_KEY_BASE=$secret_key_base" >> .env -# Cloudflare proxy -echo -read -p "Enable Cloudflare proxy? (y/N): " -n 1 -r -echo -if [[ $REPLY =~ ^[Yy]$ ]]; then - echo "CLOUDFLARE_PROXY_ENABLED=true" >> .env -else - echo "CLOUDFLARE_PROXY_ENABLED=false" >> .env -fi - # Debug mode (always false) echo "DEBUG_MODE=false" >> .env echo "IP_GEOLOCATION_DB_PATH=" >> .env From ffdbbd34392c0d494c3e0c36781d28b451f82663 Mon Sep 17 00:00:00 2001 
From: Blue Mouse Date: Wed, 28 Jan 2026 02:37:34 +0000 Subject: [PATCH 6/7] Add CLIENT_IP_HEADER --- .env.example | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.env.example b/.env.example index 9a59cf9..9cc6959 100644 --- a/.env.example +++ b/.env.example @@ -33,3 +33,6 @@ OIDC_ONLY_AUTH=false OIDC_DISCOVERY_URL=http://localhost:8080/.well-known/openid-configuration OIDC_CLIENT_ID= OIDC_CLIENT_SECRET= + +# Additional configuration +CLIENT_IP_HEADER=x-forwarded-for From e44f5a5c25057b7489428cb3a681a5b9419735b4 Mon Sep 17 00:00:00 2001 From: Blue Mouse Date: Wed, 28 Jan 2026 02:43:29 +0000 Subject: [PATCH 7/7] Add OIDC_PROMPT variable --- .env.example | 1 + 1 file changed, 1 insertion(+) diff --git a/.env.example b/.env.example index 9cc6959..4298419 100644 --- a/.env.example +++ b/.env.example @@ -33,6 +33,7 @@ OIDC_ONLY_AUTH=false OIDC_DISCOVERY_URL=http://localhost:8080/.well-known/openid-configuration OIDC_CLIENT_ID= OIDC_CLIENT_SECRET= +OIDC_PROMPT=select_account # Additional configuration CLIENT_IP_HEADER=x-forwarded-for