| title | Configure external reverse proxy • Commercial Edition |
|---|---|
| sidebarTitle | External reverse proxy |
This page provides configuration for setting up an external reverse proxy with Plane.
Make sure to update the following environment variables in your plane.env file.
-
Assign free ports for Plane to listen on. Update the following variables with two different unsused ports:
LISTEN_HTTP_PORT= LISTEN_HTTPS_PORT=
-
Update the SITE_ADDRESS variable to
:80SITE_ADDRESS=:80
This is required so that generated links and redirects work correctly behind the proxy:
-
After editing plane.env, restart your instance so the changes take effect:
sudo prime-cli restart
-
Choose the appropriate configuration template for your reverse proxy.
-
Replace the following placeholders:
<domain>
Your Plane application's domain name.<plane-host-ip>
The IP address where Plane is hosted.<plane-host-port>
The port Plane listens on.
-
For Traefik, also update
your-email@example.comwith your email.
Ensure that your reverse proxy setup follows the template provided, and that the forwarded headers and ports are correctly set to match the environment variable configuration.
All configurations include:
- Automatic HTTPS redirection
- WebSocket support
- Standard proxy headers
- SSL/TLS certificate management
- NGINX: Uses Certbot
- Caddy: Handles certificates automatically
- Traefik: Uses Let’s Encrypt
location / {
proxy_pass http://<plane-host-ip>:<plane-host-port>/;
# Set headers for proxied request
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_http_version 1.1;
}
client_max_body_size 10M;
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/<domain>/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/<domain>/privkey.pem;
include /etc/letsencrypt/options-ssl-nginx.conf;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
server { if ($host = ) { return 301 https://$host$request_uri; }
listen 80;
server_name <domain>;
return 404;
}
</Accordion>
<Accordion title="Caddy configuration">
```bash
<domain> {
tls {
# Caddy will automatically handle certificates
}
redir / https://{host}{uri} permanent
reverse_proxy <plane-host-ip>:<plane-host-port> {
header_up X-Forwarded-Proto {scheme}
header_up X-Forwarded-Host {host}
header_up X-Real-IP {remote_host}
header_up X-Forwarded-For {remote_host}
header_up Host {http.request.host}
header_up Upgrade {http.request.header.Upgrade}
header_up Connection {http.request.header.Connection}
transport http {
tls_insecure_skip_verify
read_buffer 4096
write_buffer 4096
}
}
request_body {
max_size 10MB
}
}
websecure: address: ":443"
certificatesResolvers: letsencrypt: acme: email: your-email@example.com # Replace with your email storage: acme.json httpChallenge: entryPoint: web
providers:
http:
routers:
plane-router:
rule: "Host(<domain>)"
service: plane-service
entryPoints:
- websecure
tls:
certResolver: letsencrypt
services:
plane-service:
loadBalancer:
servers:
- url: "http://<plane-host-ip>:<plane-host-port>"
passHostHeader: true
responseForwarding:
flushInterval: "100ms"
serversTransport:
maxIdleConnsPerHost: 100
forwardingTimeouts:
dialTimeout: 30s
responseHeaderTimeout: 30s
idleConnTimeout: 90s
middlewares:
headers:
headers:
customRequestHeaders:
X-Forwarded-Proto: "https"
X-Real-IP: "{{ .RemoteAddr }}"
</Accordion>