Reverse Proxy Configuration

Set up HTTPS and domain routing with a reverse proxy in front of WorkForce.

Why a Reverse Proxy?

  • HTTPS/TLS — Encrypt traffic with SSL certificates
  • Domain routing — Serve on your custom domain
  • Load balancing — Distribute traffic (if scaling)
  • Security — Hide the application port, add headers

Caddy

Caddy automatically obtains and renews Let's Encrypt certificates.

Install Caddy

Ubuntu:

sudo apt install -y caddy

Windows: Download from caddyserver.com.

Caddyfile

workforce.example.com {
    # Forward all requests to the WorkForce application port
    reverse_proxy localhost:3000

    # Security headers added to every response
    header {
        X-Content-Type-Options nosniff
        X-Frame-Options DENY
        X-XSS-Protection "1; mode=block"
        Referrer-Policy strict-origin-when-cross-origin
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
    }
}

Start Caddy:

caddy run --config /etc/caddy/Caddyfile
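
As an added check that is not part of the original page: the Caddyfile above sets five response headers at the proxy, while the Nginx and IIS configurations on this page do not add them. The `check_headers` function and both sample responses below are constructed for illustration; pipe `curl -sI` output into the function to confirm what a deployed proxy actually returns.

```shell
#!/bin/sh
# Added example: verify the response headers from the Caddyfile header block.
# Live use (hostname from this page): curl -sI https://workforce.example.com | check_headers

# Expected name|value pairs, copied from the Caddyfile; names lowercased.
EXPECTED='x-content-type-options|nosniff
x-frame-options|DENY
x-xss-protection|1; mode=block
referrer-policy|strict-origin-when-cross-origin
strict-transport-security|max-age=31536000; includeSubDomains'

# Reads raw response headers on stdin, prints OK / MISSING / MISMATCH per
# expected header, and returns non-zero if any header is not OK.
check_headers() {
    resp=$(tr -d '\r')          # HTTP/1.1 header lines end in CRLF
    rc=0
    while IFS='|' read -r name want; do
        # Header names are case-insensitive; HTTP/2 sends them lowercase.
        got=$(printf '%s\n' "$resp" | awk -v n="$name" '
            { i = index($0, ":") }
            i > 0 && tolower(substr($0, 1, i - 1)) == n {
                v = substr($0, i + 1)
                sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }')
        if [ -z "$got" ]; then
            echo "MISSING  $name"; rc=1
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $name: got '$got', want '$want'"; rc=1
        else
            echo "OK       $name"
        fi
    done <<EOF
$EXPECTED
EOF
    return $rc
}

# Constructed sample responses (not captured from a real server).
sample_full() {
    printf 'HTTP/2 200\r\nx-content-type-options: nosniff\r\n'
    printf 'x-frame-options: DENY\r\nx-xss-protection: 1; mode=block\r\n'
    printf 'referrer-policy: strict-origin-when-cross-origin\r\n'
    printf 'strict-transport-security: max-age=31536000; includeSubDomains\r\n\r\n'
}
sample_bare() {
    printf 'HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n'
}
sample_bare | check_headers || true   # demo: one MISMATCH, four MISSING
```

The non-zero return code makes the function usable as a post-deploy gate after any change to the proxy configuration.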

Nginx

Install

sudo apt install -y nginx

Configuration

Create /etc/nginx/sites-available/workforce:

# Redirect all plain-HTTP requests to HTTPS
server {
    listen 80;
    server_name workforce.example.com;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name workforce.example.com;

    ssl_certificate /etc/letsencrypt/live/workforce.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/workforce.example.com/privkey.pem;

    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;

        # WebSocket upgrade support
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';

        # Pass the original host, client address and scheme to WorkForce
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
    }

    # File upload limit
    client_max_body_size 10M;
}

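Enable the site (nginx -t reports an error if the certificate files referenced above do not exist yet; see SSL Certificates below):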

sudo ln -s /etc/nginx/sites-available/workforce /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl restart nginx

IIS (Windows Server)

Prerequisites

  1. Install URL Rewrite module
  2. Install Application Request Routing (ARR)

Steps

  1. Open IIS Manager
  2. Create a new site bound to your domain on port 443
  3. Configure SSL certificate
  4. Add a URL Rewrite rule:
    • Pattern: (.*)
    • Rewrite URL: http://localhost:3000/{R:1}
    • Check Append query string

Web.config

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="ReverseProxy" stopProcessing="true">
          <match url="(.*)" />
          <action type="Rewrite" url="http://localhost:3000/{R:1}" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>

SSL Certificates

Let's Encrypt (Free)

Caddy handles this automatically. For Nginx:

sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d workforce.example.com

Certificates auto-renew via a systemd timer.

Custom Certificate

Place your .pem files in a secure directory and reference them in the reverse proxy config.