Infrastructure
Front Door
The built-in Nginx reverse proxy that handles all inbound HTTP/HTTPS traffic and TCP database tunnels. No manual Nginx config required.
How it works
Front Door is an Nginx instance that Simplewala installs and manages as part of the baseline setup. It listens on ports 80 and 443 and proxies requests to your apps based on domain name and path rules. SSL certificates from Let’s Encrypt are provisioned and renewed automatically.
All external traffic goes through Front Door. Apps and databases are never exposed directly on raw ports (except via explicit TCP tunnel configuration).
Adding a route
- Navigate to Front Door in the server sidebar.
- Click Add Route.
- Enter your domain name (e.g. myapp.com) and the port your app listens on (e.g. 3000).
- Optionally add a path prefix (e.g. /api) to route only matching paths.
- Click Save.
Simplewala writes the nginx vhost config and reloads nginx. If your DNS A record already points to the server, the SSL certificate is provisioned within seconds.
SSL certificates
Let’s Encrypt certificates are provisioned automatically when a route is added, provided:
- The DNS A record for the domain points to the server IP.
- Port 80 is reachable from the internet (required for the ACME HTTP-01 challenge).
Certificates renew automatically before expiry. You can also trigger a manual renewal from the Front Door page.
Path-based routing
Multiple routes on the same domain can be configured with different path prefixes:
# Example: same domain, two backends
myapp.com /     → port 3000 (frontend)
myapp.com /api  → port 8080 (API server)
Routes are matched longest-prefix first. The path prefix is stripped before forwarding unless Keep prefix is enabled.
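The two routes above written in plain nginx, as an added example (not the vhost file Simplewala generates). It assumes both apps listen on 127.0.0.1 and leaves out the TLS directives. It relies on standard nginx behaviour: the longest matching prefix location wins, and a URI part on proxy_pass replaces the matched prefix.

```nginx
# Illustrative sketch only; the file Simplewala writes may differ.
# Lives in the http {} context, e.g. a file under /etc/nginx/sites-enabled/.
server {
    listen 80;
    server_name myapp.com;

    # Route: myapp.com /  ->  port 3000 (frontend).
    # The prefix "/" matches every URI, so this is the fallback route.
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Route: myapp.com /api  ->  port 8080 (API server), prefix stripped.
    # Longest prefix wins: /api/users matches both "/" and "/api/",
    # and nginx selects "/api/".
    # The trailing slash keeps the match on a path-segment boundary, so
    # /apiary falls through to the frontend instead of reaching the API.
    # A request for exactly /api receives a 301 redirect to /api/.
    location /api/ {
        # proxy_pass has a URI part ("/"), so the matched "/api/" is
        # replaced by it: GET /api/users is forwarded as GET /users.
        proxy_pass http://127.0.0.1:8080/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # "Keep prefix" behaviour, shown as the alternative to the block above:
    # proxy_pass without a URI part forwards the path unchanged, so
    # GET /api/users reaches the upstream as GET /api/users.
    #
    # location /api/ {
    #     proxy_pass http://127.0.0.1:8080;
    # }
}
```

Validate any hand-written variant with nginx -t before reloading.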
TCP database tunnels
To expose a database externally, enable External Access on the database detail page. Front Door allocates a TCP port via the nginx stream module and proxies it to the database container’s port. This lets you connect with a standard database client from outside the server without a VPN.
Custom headers and proxy settings
For advanced configuration, connect via SSH and edit the vhost file in /etc/nginx/sites-enabled/. Nginx is standard — no proprietary syntax. Run nginx -t && systemctl reload nginx after changes. Note that the portal may overwrite manual changes when routes are modified; set your custom config in a separate include file.
Troubleshooting
SSL certificate not provisioning
Verify the DNS A record has propagated (dig myapp.com +short should return the server IP). Confirm port 80 is open in UFW and your cloud provider’s firewall. Check certbot logs: cat /var/log/letsencrypt/letsencrypt.log | tail -50.
502 Bad Gateway
The upstream app is not listening on the configured port. Check your app is running (docker ps or ss -tlnp | grep <port>) and that it binds to 0.0.0.0 or 127.0.0.1.
Nginx not reloading after route change
SSH in and run nginx -t to check for config errors. If the test fails, a syntax error in a vhost file is preventing reload. Fix or remove the offending file and reload manually.