Web Server Setup

Configure Nginx, Apache, or Caddy as a reverse proxy.

Supascale can run behind Nginx, Apache, or Caddy as a reverse proxy. This provides SSL termination, caching, and additional security.

Nginx (Recommended)

Installation

# Ubuntu/Debian
sudo apt update
sudo apt install nginx

# CentOS/RHEL
sudo yum install nginx

# Start and enable
sudo systemctl start nginx
sudo systemctl enable nginx

Basic Configuration

Create /etc/nginx/sites-available/supascale:

server {
    listen 80;
    server_name supascale.yourdomain.com;

    # Redirect HTTP to HTTPS
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name supascale.yourdomain.com;

    # SSL certificates (from Let's Encrypt)
    ssl_certificate /etc/letsencrypt/live/supascale.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/supascale.yourdomain.com/privkey.pem;

    # SSL settings
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;

    # Security headers
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Proxy to Supascale
    location / {
        proxy_pass http://127.0.0.1:3000;
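        proxy_http_version 1.1;
        # WebSocket upgrade headers (needed for real-time features)
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        # Pass the original host, client address, and scheme to Supascale
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
        # Keep long-lived WebSocket connections open (86400 seconds = 24 hours)
        proxy_read_timeout 86400;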
    }
}

Enable Site

# Create symlink
sudo ln -s /etc/nginx/sites-available/supascale /etc/nginx/sites-enabled/

# Test configuration
sudo nginx -t

# Reload Nginx
sudo systemctl reload nginx

Apache

Installation

# Ubuntu/Debian
sudo apt update
sudo apt install apache2

# Enable required modules
sudo a2enmod proxy proxy_http proxy_wstunnel ssl headers rewrite

# Start and enable
sudo systemctl start apache2
sudo systemctl enable apache2

Configuration

Create /etc/apache2/sites-available/supascale.conf:

<VirtualHost *:80>
    ServerName supascale.yourdomain.com
    Redirect permanent / https://supascale.yourdomain.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName supascale.yourdomain.com

    # SSL certificates
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/supascale.yourdomain.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/supascale.yourdomain.com/privkey.pem

    # Security headers
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-XSS-Protection "1; mode=block"

    # Proxy settings
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:3000/
    ProxyPassReverse / http://127.0.0.1:3000/

    # WebSocket support
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteCond %{HTTP:Connection} upgrade [NC]
    RewriteRule ^/?(.*) ws://127.0.0.1:3000/$1 [P,L]
</VirtualHost>

Enable Site

# Enable site
sudo a2ensite supascale.conf

# Test configuration
sudo apache2ctl configtest

# Reload Apache
sudo systemctl reload apache2

Caddy

Caddy automatically handles SSL certificates via Let's Encrypt.

Installation

# Ubuntu/Debian
sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy

Configuration

Edit /etc/caddy/Caddyfile:

supascale.yourdomain.com {
    reverse_proxy localhost:3000

    header {
        X-Frame-Options "SAMEORIGIN"
        X-Content-Type-Options "nosniff"
        X-XSS-Protection "1; mode=block"
    }
}

Start Caddy

# Reload Caddy
sudo systemctl reload caddy

# Check status
sudo systemctl status caddy

Caddy will automatically obtain and renew SSL certificates.

Direct Access (No Proxy)

For development or internal use, access Supascale directly:

http://your-server-ip:3000

Update NEXTAUTH_URL in .env.local:

NEXTAUTH_URL=http://your-server-ip:3000

Direct access uses plain HTTP, so traffic between the browser and Supascale is unencrypted. It is not recommended for production. Always use HTTPS with a reverse proxy.

Verifying Setup

Test HTTPS

curl -I https://supascale.yourdomain.com

Expected response (other headers omitted):

HTTP/2 200
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
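
To make this check repeatable, the script below audits a `curl -sI` response for a 200 status and the three security headers set in the configurations above. It is an added example, not part of the Supascale documentation; the function names and the sample responses are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the Supascale docs): audit `curl -sI` output.

# Header values copied from the Nginx/Apache/Caddy configs on this page.
REQUIRED_HEADERS='x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
x-xss-protection: 1; mode=block'

# Lowercase helper: header names and these values compare case-insensitively.
lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Reads response headers on stdin, prints one line per problem,
# returns 0 only for a 200 response carrying every required header.
check_proxy_headers() {
    local response status req name want got rc=0
    response=$(tr -d '\r')            # HTTP/1.1 header lines end in CRLF
    status=$(printf '%s\n' "$response" | awk 'NR==1 {print $2}')
    if [ "$status" != "200" ]; then
        echo "unexpected status: ${status:-none}"
        rc=1
    fi
    while IFS= read -r req; do
        name=${req%%:*}
        want=${req#*: }
        got=$(printf '%s\n' "$response" |
              awk -F: -v n="$name" 'tolower($1)==n {sub(/^[^:]*:[ \t]*/, ""); print; exit}')
        if [ -z "$got" ]; then
            echo "missing header: $name"; rc=1
        elif [ "$(lc "$got")" != "$(lc "$want")" ]; then
            echo "wrong value for $name: got '$got', want '$want'"; rc=1
        fi
    done <<EOF
$REQUIRED_HEADERS
EOF
    return $rc
}

# Constructed sample responses (not captured from a real server).
sample_good() {
    printf 'HTTP/2 200\r\nx-frame-options: SAMEORIGIN\r\nx-content-type-options: nosniff\r\nx-xss-protection: 1; mode=block\r\n\r\n'
}
sample_bad() {
    printf 'HTTP/1.1 502 Bad Gateway\r\nX-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\n\r\n'
}

# Live use: curl -sI https://supascale.yourdomain.com | check_proxy_headers
sample_good | check_proxy_headers && echo "good sample: OK"
sample_bad | check_proxy_headers || echo "bad sample: proxy check failed"
```

The non-zero exit status on any finding makes the function usable in a deployment script or a scheduled health check.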

Test WebSocket

The reverse proxy must support WebSocket connections for real-time features:

# Install wscat
npm install -g wscat

# Test WebSocket
wscat -c wss://supascale.yourdomain.com

Troubleshooting

502 Bad Gateway

  1. Verify Supascale is running: pm2 status
  2. Check the port matches the proxy configuration
  3. Check Supascale logs: pm2 logs supascale-web

SSL Certificate Errors

  1. Verify DNS is pointing to your server
  2. Check certificate paths are correct
  3. Verify certificates are readable by the web server
  4. Check certificate expiration

WebSocket Connection Failed

  1. Verify WebSocket modules are enabled
  2. Check proxy headers include Upgrade
  3. Verify no firewall is blocking WebSocket traffic