[GH-ISSUE #143] Add official support & documentation for running Convoy behind a reverse proxy (Nginx / NPM / Cloudflare) without auto-HTTPS issues #93

New issue

Open

opened 2026-02-26 17:31:21 +03:00 by kerem · 2 comments

kerem commented 2026-02-26 17:31:21 +03:00

Owner

Copy link

Originally created by @Yamamoto-2 on GitHub (Nov 14, 2025).
Original GitHub issue: https://github.com/ConvoyPanel/panel/issues/143

Is there an existing feature request for this?

• I have searched the existing issues before opening this feature request.

Describe the feature you would like to see.

Convoy v4’s current default behavior (Caddy auto-HTTPS based on APP_URL + Laravel not trusting proxy headers by default) works well for “directly exposed to the Internet” setups, but makes it very difficult to deploy Convoy behind a reverse proxy that terminates TLS — which is one of the most common production architectures.

Most users deploy Convoy behind:

Nginx / OpenResty

Nginx Proxy Manager

Cloudflare (proxied or DNS-only)

HAProxy / Traefik

Load balancers on cloud providers

In these environments:

❌ Issues encountered today

Caddy automatically forces HTTP → HTTPS redirects when APP_URL begins with https://

Redirect loops occur:
Client → HTTPS → Proxy → HTTP → Convoy → 308 → HTTPS → Proxy → HTTP → …

Laravel generates http://… asset URLs → Mixed Content errors

No official way to toggle “Reverse Proxy Mode”

No documentation describing how to properly run Convoy behind a proxy
(even though the documentation says auto-TLS doesn’t work behind proxies)

These issues are not installation errors — they are architectural incompatibilities between Convoy’s defaults and real-world deployments.

Describe the solution you'd like.

I would love to see Convoy provide first-class support for reverse proxy deployments.

✔ Preferred solution: “Reverse Proxy Mode”

Add an environment variable or preset like:

REVERSE_PROXY_MODE=true

When enabled, Convoy would:

Disable auto-HTTPS in Caddy automatically

Listen only on HTTP (port 80) internally
(auto_https off and replacing {$APP_URL} with :80)

Trust proxy headers automatically for Laravel:

X-Forwarded-Proto
X-Forwarded-Host
X-Forwarded-For

Force Laravel to generate correct HTTPS URLs when the proxy says so
(either via TrustProxies or automatic scheme detection)

Provide example reverse-proxy configs (Nginx/TLS termination)

✔ Documentation addition

Add an official section:

Deploying Convoy behind a reverse proxy (Nginx / Nginx Proxy Manager / Cloudflare / Traefik)

Including:

Example Caddyfile for HTTP-only mode

Required headers for reverse proxying

Required Laravel proxy trust configuration

Example Nginx/NPM configs

When not to use auto-TLS

How APP_URL should be set in proxy setups

This would dramatically improve user experience and avoid confusion.

Additional context to this request.

Without reverse proxy documentation or a toggle, many users deploying Convoy behind standard production proxies encounter:

Infinite redirect loops

Mixed Content errors

Cert conflicts between Caddy and external proxy

Difficulty disabling auto-HTTPS

Confusion around how to configure APP_URL

I worked through these issues by:

Manually disabling auto-HTTPS in Caddy

Replacing {$APP_URL} with :80

Adding URL::forceScheme('https') to Laravel

Clearing caches

Ensuring proper X-Forwarded headers

Configuring Nginx Proxy Manager to forward HTTP only

These steps work, but are not documented and require modifying Convoy’s shipped Caddyfile, which will break on future updates.

Providing a built-in mode + documentation would eliminate all of these problems.

Originally created by @Yamamoto-2 on GitHub (Nov 14, 2025). Original GitHub issue: https://github.com/ConvoyPanel/panel/issues/143 ### Is there an existing feature request for this? - [x] I have searched the existing issues before opening this feature request. ### Describe the feature you would like to see. Convoy v4’s current default behavior (Caddy auto-HTTPS based on APP_URL + Laravel not trusting proxy headers by default) works well for “directly exposed to the Internet” setups, but makes it very difficult to deploy Convoy behind a reverse proxy that terminates TLS — which is one of the most common production architectures. Most users deploy Convoy behind: Nginx / OpenResty Nginx Proxy Manager Cloudflare (proxied or DNS-only) HAProxy / Traefik Load balancers on cloud providers In these environments: ❌ Issues encountered today Caddy automatically forces HTTP → HTTPS redirects when APP_URL begins with https:// Redirect loops occur: Client → HTTPS → Proxy → HTTP → Convoy → 308 → HTTPS → Proxy → HTTP → … Laravel generates http://… asset URLs → Mixed Content errors No official way to toggle “Reverse Proxy Mode” No documentation describing how to properly run Convoy behind a proxy (even though the documentation says auto-TLS doesn’t work behind proxies) These issues are not installation errors — they are architectural incompatibilities between Convoy’s defaults and real-world deployments. ### Describe the solution you'd like. I would love to see Convoy provide first-class support for reverse proxy deployments. ✔ Preferred solution: “Reverse Proxy Mode” Add an environment variable or preset like: REVERSE_PROXY_MODE=true When enabled, Convoy would: Disable auto-HTTPS in Caddy automatically Listen only on HTTP (port 80) internally (auto_https off and replacing {$APP_URL} with :80) Trust proxy headers automatically for Laravel: X-Forwarded-Proto X-Forwarded-Host X-Forwarded-For Force Laravel to generate correct HTTPS URLs when the proxy says so (either via TrustProxies or automatic scheme detection) Provide example reverse-proxy configs (Nginx/TLS termination) ✔ Documentation addition Add an official section: Deploying Convoy behind a reverse proxy (Nginx / Nginx Proxy Manager / Cloudflare / Traefik) Including: Example Caddyfile for HTTP-only mode Required headers for reverse proxying Required Laravel proxy trust configuration Example Nginx/NPM configs When not to use auto-TLS How APP_URL should be set in proxy setups This would dramatically improve user experience and avoid confusion. ### Additional context to this request. Without reverse proxy documentation or a toggle, many users deploying Convoy behind standard production proxies encounter: Infinite redirect loops Mixed Content errors Cert conflicts between Caddy and external proxy Difficulty disabling auto-HTTPS Confusion around how to configure APP_URL I worked through these issues by: Manually disabling auto-HTTPS in Caddy Replacing {$APP_URL} with :80 Adding URL::forceScheme('https') to Laravel Clearing caches Ensuring proper X-Forwarded headers Configuring Nginx Proxy Manager to forward HTTP only These steps work, but are not documented and require modifying Convoy’s shipped Caddyfile, which will break on future updates. Providing a built-in mode + documentation would eliminate all of these problems.

kerem added the

enhancement

label 2026-02-26 17:31:21 +03:00

kerem commented 2026-02-26 17:31:22 +03:00

Author

Owner

Copy link

@GunniBusch commented on GitHub (Dec 20, 2025):

but makes it very difficult to deploy Convoy behind a reverse proxy that terminates TLS — which is one of the most common production architectures.

Caddy is a reverse proxy.

These issues are not installation errors — they are architectural incompatibilities between Convoy’s defaults and real-world deployments.

Only because something is not documented doesn't mean it doesn't work. Especially since this is a "code available" laravel project, it should be harder to set up a reverse proxy, than just removing caddy and replacing it with something else.

Most users deploy Convoy behind:
Nginx / OpenResty
Nginx Proxy Manager
Cloudflare (proxied or DNS-only)
HAProxy / Traefik
Load balancers on cloud providers

Cloudflare (proxied or DNS-only not tunnel) work.
Also I would bet that there is no one using convoy running it behind HAProxy.

I am not saying that there isn't room for improvement especially regarding punishing docker container rather than always rebuilding them, but I think, that providing documentation about so simple stuff is not priority 1.

Providing a built-in mode + documentation would eliminate all of these problems.

Apparently you have never dealt with users, but since you know so much, I think, no one would kill you if you provide enhancements in that way.

<!-- gh-comment-id:3678218060 --> @GunniBusch commented on GitHub (Dec 20, 2025): > but makes it very difficult to deploy Convoy behind a reverse proxy that terminates TLS — which is one of the most common production architectures. Caddy is a reverse proxy. > These issues are not installation errors — they are architectural incompatibilities between Convoy’s defaults and real-world deployments. Only because something is not documented doesn't mean it doesn't work. Especially since this is a "code available" laravel project, it should be harder to set up a reverse proxy, than just removing caddy and replacing it with something else. > Most users deploy Convoy behind: > Nginx / OpenResty > Nginx Proxy Manager > Cloudflare (proxied or DNS-only) > HAProxy / Traefik > Load balancers on cloud providers Cloudflare (proxied or DNS-only not tunnel) work. Also I would bet that there is no one using convoy running it behind HAProxy. I am not saying that there isn't room for improvement especially regarding punishing docker container rather than always rebuilding them, but I think, that providing documentation about so simple stuff is not priority 1. > Providing a built-in mode + documentation would eliminate all of these problems. Apparently you have never dealt with users, but since you know so much, I think, no one would kill you if you provide enhancements in that way.

kerem commented 2026-02-26 17:31:22 +03:00

Author

Owner

Copy link

@staalexa commented on GitHub (Feb 6, 2026):

Also, a short addition: when you are a server hosting company, you should be familiar with these kinds of setups, and also should be familiar with how to change things so they work for your deployment. In a private use case, it won't make a difference.

<!-- gh-comment-id:3858786119 --> @staalexa commented on GitHub (Feb 6, 2026): Also, a short addition: when you are a server hosting company, you should be familiar with these kinds of setups, and also should be familiar with how to change things so they work for your deployment. In a private use case, it won't make a difference.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

develop

next

shift-130906

vm-install-enhancement

template-storage

3.0-develop

v4.5.1

v4.5.0

v4.5.0-rc.1

v4.4.1

v4.4.0

v4.3.1

v4.3.0-rc.1

v4.2.4

v4.2.3

v4.2.2-rc.2

v4.2.2-rc.1

v4.2.1-rc.1

v4.2.0-beta

v4.1.0-beta

v4.0.0-beta

v4.0.0-rc.6

v4.0.0-rc.5

v4.0.0-rc.4

v4.0.0-rc.3

v4.0.0-rc.2

v3.10.2-beta

v4.0.0-rc.1

v3.10.1-beta

v3.10.0-beta

v3.9.3-beta

v3.9.2-beta

v3.9.1-beta

v3.9.0-beta

v3.9.0-rc.9

v3.9.0-rc.8

v3.9.0-rc.7

v3.9.0-rc.6

v3.9.0-rc.5

v3.9.0-rc.3

v3.9.0-rc.2

v3.9.0-rc.1

v3.8.1-beta

v3.8.0-beta

v3.7.5-beta

v3.7.4-beta

v3.7.3-beta

v3.7.2-beta

v3.7.1-beta

v3.7.0-beta

v3.6.2-beta

v3.6.1-beta

v3.6.0-beta

v3.5.1-beta

v3.5.0-beta

v3.4.0-beta

v3.3.0-beta

v3.2.0-beta

v3.1.2-beta

v3.1.1-beta

v3.1.0-beta

v3.0.0-beta

v2.0.3-beta

v2.0.2-beta

v2.0.1-beta

v2.0.0-beta

v1.1.0-beta

v1.0.0-beta

v1.0.0-beta-rc.3

v1.0.0-beta-rc.2

v1.0.0-beta-rc.1

v0.1.0-beta

Labels

Clear labels   

bug

  

enhancement

  

enhancement

  

not confirmed

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

wontfix

No labels

bug

enhancement

enhancement

not confirmed

pull-request

question

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/panel#93

No description provided.