Reverse Proxy

Configure a reverse proxy to expose Crow CI with TLS termination.

Ports

Port	Service	Required
8000	Web UI and API	Yes
9000	GRPC (agent communication)	Only for remote agents

Note

GRPC proxy configuration is only needed when agents connect over the public internet.

Caddy

# Web UI
crow.example.com {
    reverse_proxy crow-server:8000
}

# GRPC (optional - for remote agents)
grpc.crow.example.com {
    reverse_proxy h2c://crow-server:9000
}

Nginx

server {
    listen 443 ssl;
    server_name crow.example.com;

    ssl_certificate /path/to/cert;
    ssl_certificate_key /path/to/key;

    location / {
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:8000;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_buffering off;
        chunked_transfer_encoding off;
    }
}

# GRPC (optional - for remote agents)
server {
    listen 443 ssl;
    server_name grpc.crow.example.com;

    ssl_certificate /path/to/cert;
    ssl_certificate_key /path/to/key;

    location / {
        grpc_pass grpc://127.0.0.1:9000;
    }
}

Traefik

Docker Compose with TLS termination and HTTP→HTTPS redirect:

services:
    server:
        image: codeberg.org/crowci/crow-server:v4
        networks:
            - traefik
        volumes:
            - crow-data:/var/lib/crow
        deploy:
            labels:
                - traefik.enable=true
                # Web UI
                - traefik.http.services.crow.loadbalancer.server.port=8000
                - traefik.http.routers.crow-secure.rule=Host(`crow.example.com`)
                - traefik.http.routers.crow-secure.tls=true
                - traefik.http.routers.crow-secure.tls.certresolver=letsencrypt
                - traefik.http.routers.crow-secure.entrypoints=web-secure
                - traefik.http.routers.crow-secure.service=crow
                # HTTP redirect
                - traefik.http.routers.crow.rule=Host(`crow.example.com`)
                - traefik.http.routers.crow.entrypoints=web
                - traefik.http.middlewares.crow-redirect.redirectscheme.scheme=https
                - traefik.http.routers.crow.middlewares=crow-redirect@docker
                # GRPC (optional - for remote agents)
                - traefik.http.services.crow-grpc.loadbalancer.server.port=9000
                - traefik.http.services.crow-grpc.loadbalancer.server.scheme=h2c
                - traefik.http.routers.crow-grpc-secure.rule=Host(`grpc.crow.example.com`)
                - traefik.http.routers.crow-grpc-secure.tls=true
                - traefik.http.routers.crow-grpc-secure.tls.certresolver=letsencrypt
                - traefik.http.routers.crow-grpc-secure.entrypoints=web-secure
                - traefik.http.routers.crow-grpc-secure.service=crow-grpc

networks:
    traefik:
        external: true

HAProxy

frontend https_in
    mode http
    bind :::443 v4v6 ssl crt /path/to/cert

    acl is_crow hdr(host) -i crow.example.com
    acl is_crow_grpc hdr(host) -i grpc.crow.example.com

    use_backend crow if is_crow
    use_backend crow_grpc if is_crow_grpc

backend crow
    mode http
    balance roundrobin
    http-request del-header X-Forwarded-For
    http-request del-header X-Real-IP
    option forwardfor
    server crow 127.0.0.1:8000 maxconn 100000 check

backend crow_grpc
    mode http
    server crow_grpc 127.0.0.1:9000 maxconn 100000 no-check proto h2

Apache

Required modules: proxy, proxy_http

ProxyPreserveHost On
RequestHeader set X-Forwarded-Proto "https"
ProxyPass / http://127.0.0.1:8000/
ProxyPassReverse / http://127.0.0.1:8000/

Development Tunnels

For local development without a domain, use a tunnel service.

ngrok

ngrok http 8000

Set CROW_HOST to the returned URL and restart Crow.

Tunnelmole

tmole 8000
# Returns: https://abc123.tunnelmole.net is forwarding to localhost:8000

Set CROW_HOST to the returned URL and restart Crow.