Reverse Proxy Setup

Expose your Web Dashboard securely over HTTPS using your own domain and reverse proxy. Keep your credentials safe and let public clients access the dashboard without managing complex certificate configurations inside SwiftMiner.

If you prefer not to use the automated SwiftBot tunnels and want to host your Web Dashboard on your own domain (e.g., https://dashboard.example.com), you can run SwiftMiner behind a self-managed reverse proxy. Since SwiftMiner runs a standard HTTP/1.1 server, it is fully compatible with standard proxy routing.

Why use a Reverse Proxy?

Exposing a local web server to the public internet requires robust encryption (HTTPS) to ensure that login credentials and session tokens cannot be sniffed by attackers. Using a reverse proxy like Nginx, Caddy, or Cloudflare Tunnels is highly recommended because:

  • SSL/TLS Termination: The proxy server handles the complex cryptography and secures the connection to the client. It then forwards requests to SwiftMiner over the localhost loopback or an internal LAN. That hop is plain HTTP, so keep it on an interface you trust.
  • Automatic Certificates: Modern proxies like Caddy or Nginx (with Certbot) automatically request, configure, and renew free SSL certificates from Let's Encrypt or ZeroSSL.
  • Lean SwiftMiner Application: SwiftMiner is kept lightweight by not embedding a complex certificate manager, dynamic DNS parser, or dynamic ACME protocol client.

SwiftMiner Configuration

Before configuring your reverse proxy, make sure the following settings are updated in SwiftMiner:

  1. Set your Base URL:

    In SwiftMiner settings under the Web tab, set the Base URL to your public domain (e.g., https://dashboard.example.com). This is critical for two reasons:

    • Twitch OAuth redirection: The login flow uses the Base URL to construct the redirect callback URL that is validated during login.
    • Secure Cookies: When SwiftMiner sees that the Base URL begins with https, it automatically configures session cookies with the Secure attribute, ensuring they are only transmitted over encrypted connections.

  2. Set the Local Port:

    Configure the local access port (default: 8080) and make sure SwiftMiner is listening on it. Your reverse proxy will route incoming traffic to this port.

Nginx Configuration

Below is a standard Nginx virtual host configuration. It forwards incoming HTTPS requests to SwiftMiner running on port 8080, passes appropriate client headers, and sets up body-size limits.

server {
    listen 443 ssl http2;
    server_name dashboard.example.com;

    # SSL Certificates (managed via Certbot / Let's Encrypt)
    ssl_certificate /etc/letsencrypt/live/dashboard.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dashboard.example.com/privkey.pem;
    
    # Allow only TLS 1.2 and 1.3; prefer the server's cipher order
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://127.0.0.1:8080;
        
        # Forward standard headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        
        # Disable buffering for instantaneous log streams
        proxy_buffering off;
        
        # Limit request body size and set upstream connect/read timeouts
        client_max_body_size 10m;
        proxy_read_timeout 60s;
        proxy_connect_timeout 60s;
    }
}

Caddy Configuration

Caddy is an exceptionally easy reverse proxy that handles SSL certificate generation and renewal automatically. Your configuration in a Caddyfile can be as simple as a single block:

dashboard.example.com {
    # Forward all traffic to SwiftMiner's local port
    reverse_proxy 127.0.0.1:8080 {
        # Disable buffering for real-time dashboard log updates
        flush_interval -1

        # Pass the original Host header and the client IP (without port)
        header_up Host {host}
        header_up X-Real-IP {remote_host}
    }
    
    # Configure logging (optional)
    log {
        output file /var/log/caddy/swiftminer_access.log
    }
}

Verification & Troubleshooting

Once your reverse proxy is active, check the following to verify your setup is safe and working:

  • HTTPS padlock: Visit your public domain in a browser and verify the lock icon appears in the address bar.
  • Verify Cookie security: Open your browser's Developer Tools, go to the Application (or Storage) tab, select Cookies, and look for the SwiftMiner session cookie (swiftminer_session). Confirm that the HttpOnly, SameSite=Lax, and Secure flags are all enabled.
  • Check Redirect URLs: If Twitch login fails, verify that your exact public callback URL (e.g. https://dashboard.example.com/auth/callback) is registered in your Twitch Developer Console application.
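
The cookie check above can also be scripted. The following is an added example, not part of SwiftMiner: it audits Set-Cookie header values for the swiftminer_session cookie and reports which of the three flags are missing. The sample headers are constructed, and the function names are hypothetical.

```python
"""Check the SwiftMiner session cookie for the three flags listed above."""

# (attribute, required value, or None when the attribute is a bare flag)
REQUIRED = [("Secure", None), ("HttpOnly", None), ("SameSite", "Lax")]


def parse_set_cookie(value):
    """Split one Set-Cookie header value into (name, {attribute: value})."""
    first, *rest = [part.strip() for part in value.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, sep, val = part.partition("=")
            # Attribute names are case-insensitive; bare flags get None.
            attrs[key.strip().lower()] = val.strip() if sep else None
    return name, attrs


def audit_session_cookie(set_cookie_values, cookie_name="swiftminer_session"):
    """Return a list of problems; an empty list means all flags are set."""
    problems, seen = [], False
    for value in set_cookie_values:
        name, attrs = parse_set_cookie(value)
        if name != cookie_name:
            continue
        seen = True
        for attr, expected in REQUIRED:
            if attr.lower() not in attrs:
                problems.append(f"missing {attr}")
                continue
            actual = attrs[attr.lower()]
            if expected and (actual or "").lower() != expected.lower():
                problems.append(f"{attr}={actual}, expected {expected}")
    if not seen:
        problems.append(f"{cookie_name} not set")
    return problems


# Constructed sample headers (not captured from a real SwiftMiner instance).
GOOD_RESPONSE = ["swiftminer_session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"]
# Assumed header shape when the Base URL is left as http://: no Secure flag.
HTTP_BASE_URL_RESPONSE = ["swiftminer_session=abc123; Path=/; HttpOnly; SameSite=Lax"]

if __name__ == "__main__":
    for label, headers in [("https Base URL", GOOD_RESPONSE),
                           ("http Base URL", HTTP_BASE_URL_RESPONSE)]:
        print(label, "->", audit_session_cookie(headers) or "OK")
```

Pass it the Set-Cookie values copied from the login response in your browser's Network tab.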

Local Firewalls

For maximum security, make sure your Mac's firewall blocks incoming connections to port 8080 from outside your network. The reverse proxy should be the only application that reaches that port and forwards traffic to it.