The Verilock container serves HTTP on port 8080. For production, you should terminate SSL with a reverse proxy.
Option 1: Caddy (Recommended)
Caddy provides automatic HTTPS with Let’s Encrypt.
Add to your docker-compose.yml:
  caddy:
    image: caddy:2-alpine
    container_name: verilock-caddy
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - caddy-data:/data
      - caddy-config:/config
    depends_on:
      - app
    networks:
      - verilock
Add volumes:
volumes:
  caddy-data:
  caddy-config:
Create a Caddyfile:
kyc.your-domain.com {
    reverse_proxy app:80
}
Then update your .env:
APP_URL=https://kyc.your-domain.com
APP_PORT=127.0.0.1:8080 # Bind to loopback only, so the app is reachable only through the proxy
Start Caddy:
docker compose up -d caddy
Caddy automatically obtains and renews TLS certificates from Let’s Encrypt. No configuration needed.
Option 2: Nginx Reverse Proxy
If you already have an Nginx reverse proxy:
server {
    listen 443 ssl http2;
    server_name kyc.your-domain.com;
    ssl_certificate /etc/ssl/certs/your-cert.pem;
    ssl_certificate_key /etc/ssl/private/your-key.pem;
    client_max_body_size 50M;
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 300;
    }
}
server {
    listen 80;
    server_name kyc.your-domain.com;
    return 301 https://$server_name$request_uri;
}
Option 3: Traefik
If you use Traefik as your ingress controller, add labels to the app service:
  app:
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.verilock.rule=Host(`kyc.your-domain.com`)"
      - "traefik.http.routers.verilock.entrypoints=websecure"
      - "traefik.http.routers.verilock.tls.certresolver=letsencrypt"
      - "traefik.http.services.verilock.loadbalancer.server.port=80"
Trusted Proxies
When behind a reverse proxy, update your .env to trust the proxy headers:
# Trust all proxies in Docker network
TRUSTED_PROXIES=*
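How a trusted-proxy setting decides which client address ends up in logs and audit records, as an added example that is not Verilock's code: it models `*` as "accept forwarded headers from whichever address connected" and compares that with a CIDR allowlist. The addresses, the `172.18.0.0/16` network and the function names are constructed, and whether Verilock's `TRUSTED_PROXIES` accepts CIDR lists is not stated on this page.

```python
import ipaddress

def trusted_networks(trusted, peer):
    """Parse a TRUSTED_PROXIES-style value into a list of networks.

    Assumption: "*" means "treat whichever address connected as the proxy".
    """
    if trusted.strip() == "*":
        return [ipaddress.ip_network(peer)]
    return [ipaddress.ip_network(n.strip()) for n in trusted.split(",") if n.strip()]

def resolve_client_ip(peer, x_forwarded_for, trusted):
    """Return the address an application would record as the client.

    peer is the socket address of the connection; x_forwarded_for is the raw
    header value. The header is honoured only when the peer is trusted.
    """
    nets = trusted_networks(trusted, peer)
    if not any(ipaddress.ip_address(peer) in net for net in nets):
        return peer  # connection did not come from a trusted proxy: ignore header
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    # Walk right to left: the rightmost entry was appended by the nearest proxy
    # (nginx's $proxy_add_x_forwarded_for appends $remote_addr).
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed entry: fall back to the socket address
        if not any(ip in net for net in nets):
            return hop
    return peer

# Constructed sample addresses (documentation ranges and a typical Docker subnet).
PROXY = "172.18.0.2"          # reverse proxy as seen by the app container
DOCKER_NET = "172.18.0.0/16"  # hypothetical Compose network
REAL_CLIENT = "198.51.100.23"
DIRECT_PEER = "203.0.113.50"  # a peer that reached the app without the proxy

if __name__ == "__main__":
    cases = [
        ("via proxy, *", PROXY, f"10.9.9.9, {REAL_CLIENT}", "*"),
        ("direct, *", DIRECT_PEER, "10.9.9.9", "*"),
        ("direct, CIDR", DIRECT_PEER, "10.9.9.9", DOCKER_NET),
    ]
    for label, peer, xff, trusted in cases:
        print(f"{label:14} -> {resolve_client_ip(peer, xff, trusted)}")
```

With `*`, the loopback binding of `APP_PORT` is what guarantees that every request reaching the app has passed through the proxy, so keep the two settings together.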