From f806021bfcb20d633c9ffc5f1742e41f2cab2f29 Mon Sep 17 00:00:00 2001
From: Dogukan Tatar
Date: Tue, 28 Apr 2026 22:11:59 +0300
Subject: [PATCH 1/3] Run app nginx behind host reverse proxy
---
 docker-compose.prod.yml | 5 +---
 docker-compose.yml | 5 +---
 nginx/hooktray.conf.template | 49 ++++++------------------------------
 3 files changed, 9 insertions(+), 50 deletions(-)
diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index 7476e1f..61e2faf 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -12,10 +12,7 @@ services:
 image: ghcr.io/dgknttr/hooktray-nginx:${HOOKTRAY_IMAGE_TAG:-latest}
 restart: unless-stopped
 ports:
- - "80:80"
- - "443:443"
- volumes:
- - /etc/ssl/hooktray:/etc/nginx/ssl:ro
+ - "127.0.0.1:3000:80"
 environment:
 DOMAIN: ${DOMAIN}
 depends_on:
diff --git a/docker-compose.yml b/docker-compose.yml
index b4ad2ea..13946f3 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -19,10 +19,7 @@ services:
 NEXT_PUBLIC_API_URL: https://${DOMAIN}
 restart: unless-stopped
 ports:
- - "80:80"
- - "443:443"
- volumes:
- - /etc/ssl/hooktray:/etc/nginx/ssl:ro
+ - "127.0.0.1:3000:80"
 environment:
 DOMAIN: ${DOMAIN}
 depends_on:
diff --git a/nginx/hooktray.conf.template b/nginx/hooktray.conf.template
index 1eb3934..7b9e301 100644
--- a/nginx/hooktray.conf.template
+++ b/nginx/hooktray.conf.template
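Review bot: The `- "127.0.0.1:3000:80"` mapping in docker-compose.prod.yml (and the identical line in the docker-compose.yml hunk) is now the only thing keeping this plain-HTTP nginx off the public interfaces, and nothing next to it says so. Ports published by Docker are typically not filtered by host firewall front ends such as ufw, so dropping the `127.0.0.1:` prefix in a later edit would expose the service without TLS. I would add a comment above the mapping in both files: `# Loopback only: the host reverse proxy terminates TLS and is the sole public entry point`. The service definition starts and ends outside both hunks.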
@@ -1,46 +1,11 @@
-server {
- listen 80;
- server_name ${DOMAIN} www.${DOMAIN};
- return 301 https://${DOMAIN}$request_uri;
-}
-
-server {
- listen 443 ssl;
- server_name www.${DOMAIN};
-
- ssl_certificate /etc/nginx/ssl/fullchain.pem;
- ssl_certificate_key /etc/nginx/ssl/privkey.pem;
-
- return 301 https://${DOMAIN}$request_uri;
+map $http_x_forwarded_proto $proxy_x_forwarded_proto {
+ default $http_x_forwarded_proto;
+ "" $scheme;
 }
 server {
- listen 443 ssl;
- server_name ${DOMAIN};
-
- ssl_certificate /etc/nginx/ssl/fullchain.pem;
- ssl_certificate_key /etc/nginx/ssl/privkey.pem;
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_prefer_server_ciphers on;
-
- # Restore real client IP from Cloudflare
- # https://www.cloudflare.com/ips/
- set_real_ip_from 103.21.244.0/22;
- set_real_ip_from 103.22.200.0/22;
- set_real_ip_from 103.31.4.0/22;
- set_real_ip_from 104.16.0.0/13;
- set_real_ip_from 104.24.0.0/14;
- set_real_ip_from 108.162.192.0/18;
- set_real_ip_from 131.0.72.0/22;
- set_real_ip_from 141.101.64.0/18;
- set_real_ip_from 162.158.0.0/15;
- set_real_ip_from 172.64.0.0/13;
- set_real_ip_from 173.245.48.0/20;
- set_real_ip_from 188.114.96.0/20;
- set_real_ip_from 190.93.240.0/20;
- set_real_ip_from 197.234.240.0/22;
- set_real_ip_from 198.41.128.0/17;
- real_ip_header CF-Connecting-IP;
+ listen 80;
+ server_name _;
 client_max_body_size 2m;
@@ -54,7 +19,7 @@ server {
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
 proxy_buffering off;
 proxy_cache off;
 proxy_read_timeout 3600s;
@@ -67,7 +32,7 @@ server {
 proxy_set_header Host $host;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
 }
 # Frontend static files
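Review bot: With the `set_real_ip_from` / `real_ip_header CF-Connecting-IP` block removed in the `@@ -1,46 +1,11 @@` hunk, `$remote_addr` in this server becomes the address of whatever connects to the published port, presumably the host reverse proxy. The unchanged `proxy_set_header X-Real-IP $remote_addr;` lines in the two later hunks therefore hand the backend the proxy's address instead of the client's. Any downstream logging, rate limiting or allow-listing keyed on X-Real-IP would then see one address for every request. If the host proxy forwards the client address in a header, restore it here from that single trusted hop, for example `set_real_ip_from <HOST_PROXY_ADDRESS>;` with `real_ip_header X-Real-IP;` (placeholder address; the host proxy's configuration is not part of this patch). The `server` block continues past the end of the hunk.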
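Review bot: `proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;` in the `@@ -54,7 +19,7 @@` hunk, and the same line in `@@ -67,7 +32,7 @@`, forwards whatever value arrived in the request header, because the map's `default` copies `$http_x_forwarded_proto` verbatim. That is safe only if the host proxy always overwrites the header itself; if it passes a client-supplied value through, the backend's view of whether the request was HTTPS becomes client-controlled, which matters for any redirect or secure-cookie logic it may have. An allow-list in the map removes that dependency: `default $scheme;` plus `https https;`. Both `location` blocks begin outside their hunks.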
From 1ed9ffe71e4acf7f400b286a86ac7b5a695f2d4c Mon Sep 17 00:00:00 2001
From: Dogukan Tatar
Date: Tue, 28 Apr 2026 22:15:02 +0300
Subject: [PATCH 2/3] Use environment app directory for deploy
---
 .github/workflows/deploy.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 5321638..401aa1f 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -22,7 +22,6 @@ env:
 REGISTRY: ghcr.io
 BACKEND_IMAGE: ghcr.io/dgknttr/hooktray-backend
 NGINX_IMAGE: ghcr.io/dgknttr/hooktray-nginx
- APP_DIR: /srv/apps/hooktray
 jobs:
 build:
@@ -85,6 +84,8 @@ jobs:
 runs-on: ubuntu-latest
 needs: build
 environment: production
+ env:
+ APP_DIR: ${{ vars.APP_DIR }}
 steps:
 - name: Checkout deploy files
 uses: actions/checkout@v4
From 66bd84f5e5d32c1e722755517de11a18cbf6c47b Mon Sep 17 00:00:00 2001
From: Dogukan Tatar
Date: Tue, 28 Apr 2026 22:23:50 +0300
Subject: [PATCH 3/3] fix: pass NEXT_PUBLIC_API_URL build arg to nginx image
Without this the frontend is built without an API URL and all requests fail at runtime.
Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/deploy.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 401aa1f..4e59e81 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -78,6 +78,7 @@ jobs:
 tags: |
 ${{ env.NGINX_IMAGE }}:${{ steps.meta.outputs.image_tag }}
 ${{ env.NGINX_IMAGE }}:latest
+ build-args: NEXT_PUBLIC_API_URL=https://${{ vars.DOMAIN }}
 deploy:
 name: Deploy Production
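Review bot: `APP_DIR: ${{ vars.APP_DIR }}` in the deploy job (PATCH 2/3, hunk `@@ -85,6 +84,8 @@`) expands to an empty string when the variable is not defined for the `production` environment, which the removed literal `/srv/apps/hooktray` could never do. The steps that consume `APP_DIR` are outside the hunk, but if any of them builds a remote path from it, an empty value would silently point at a different directory on the server. I would fail fast at the top of the first script that uses it, e.g. `: "${APP_DIR:?APP_DIR is not set for this environment}"`. A comment on the new `env:` key saying where the variable is configured would also help.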
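Review bot: `build-args: NEXT_PUBLIC_API_URL=https://${{ vars.DOMAIN }}` (PATCH 3/3) is added to the `build` job, and no `environment:` key for that job is visible in the hunk. If `DOMAIN` is defined only on the `production` environment, as `APP_DIR` appears to be, it resolves to empty here and `https://` is baked into the image that is also pushed as `:latest`. That failure would surface only at runtime in the browser, so a guard step before the build is worth adding, passing the value through the step environment rather than into the script text: `env: DOMAIN: ${{ vars.DOMAIN }}` with `run: test -n "$DOMAIN"`. A short comment that `NEXT_PUBLIC_*` values end up in the client bundle would also remind maintainers to keep this build arg to public values. The build step itself begins outside the hunk.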