Nginx

Edge reverse proxy handling SSL termination and external traffic before routing to Traefik internal proxy.

Current State

Nginx serves as the edge proxy in the dual-proxy architecture. Handles SSL termination via Let’s Encrypt certificates, external-facing domains (*.arjtech.in), and BasicAuth for protected services. Also used as nginx:alpine for static sites like Runwal BKC and File Share (dl.arjtech.in).

Key Learnings

• blackbox-http-2xx-module-rejects-basicauth-401-breaks-ssl — Blackbox HTTP 2xx module rejects BasicAuth 401

• file-manager-extraction-behavior-docx-pptx-single-md-in — File manager behind Nginx

• aws-ec2-docker-pattern-mirrors-hostinger-for-org-deployments — For AWS org infrastructure managed by Claude Code, the recommended stack is: EC2 (m6i.2xlarge, Ubuntu 24.04) + Docker +

• aws-org-instance-pattern-ec2-docker-triggerdev — Runwal Group AWS org instance uses EC2 (m6i.2xlarge, 8vCPU/32GB/gp3 SSD) + Ubuntu 24.04 + Docker, with Nginx as edge pro

• aws-org-platform-mirrors-hostinger-pattern-not-content — The Runwal Group AWS platform architecture decision: purpose-built clean slate (not a Hostinger clone), but replicating

• hostinger-pattern-replicated-to-aws-ec2-stack — The validated AWS architecture for Claude Code-managed multi-agent platforms mirrors the Hostinger pattern: EC2 m6i.2xla

• aws-agent-platform-architecture-for-claude-code-ops-model — The validated architecture for a Claude Code-managed AWS agent platform is: EC2 (ap-south-1, m6i.2xlarge, 8vCPU/32GB) +

• openclaw-gateway-docker-internal-not-browser-accessible — The OpenClaw gateway runs on host.docker.internal:18789 and is accessible only from Docker containers on the same netw

• floating-latest-docker-tags-resolve-differently-mid-upgrade — :latest Docker image tags are non-deterministic — they can resolve to different image digests between docker pull in

• floating-latest-docker-tags-cause-silent-version-drift-mid-u — Docker Compose services using :latest tags can silently resolve to different image versions during an upgrade run if t

• r-same-local-repo-and-monorepo-topology — R-Same lives at /opt/infra/r-same/ (matching Runwal infra convention from /opt/infra/runwal-bkc/ precedent). Monorepo us

Known Issues

(none)

Decisions

• dual-reverse-proxy-nginx-edge-traefik-internal — Dual reverse proxy: Nginx edge + Traefik internal
• mcp-servers-streamable-http-on-port-8000-traefik-routed — MCP servers routed through Traefik behind Nginx
• per-subdomain-a-records-instead-of-wildcard-dns — Per-subdomain A records
• prometheus-auto-discovery-via-filesdconfigs-for-mcp-servers — Prometheus discovery behind Nginx
• bible-v181-transport-appropriate-auth-pattern-a-for-all-vps — Auth pattern for all VPS services

Relationships

• Depends on: letsencrypt, docker
• Used by: traefik, file-manager
• Integrates with: prometheus

Sources

• Vault notes: 5 references

Contradictions

(none)

Related

traefik | docker | letsencrypt

• hostinger-nginx-traefik-docker-pattern-portable-to-aws-ec2
• runwal-vps-infra-path-convention-opt-infra