Ingress & Reverse Proxy
Broch listens on HTTP internally (port 8080) and does not terminate TLS itself. Every deployment needs a reverse proxy (ingress) in front of it to handle TLS termination and forward requests to the server.
This is not optional — your wildcard TLS certificate is attached to the ingress, not to Broch directly.
Per-Platform Ingress
| Platform | Ingress | Notes |
|---|---|---|
| Docker Compose | Any reverse proxy — run alongside Docker Compose or external | Caddy can provision and renew the wildcard certificate automatically via DNS-01 |
| DigitalOcean (Terraform) | Any reverse proxy — run alongside Docker Compose or external | The provided Terraform configuration uses Caddy, which provisions and renews the wildcard certificate automatically via DNS-01 |
| Azure Container Apps | Built-in ACA ingress, Azure Application Gateway, or Azure Load Balancer | Adding an Application Gateway or Load Balancer in front of ACA narrows the Trusted Proxy CIDR to a much smaller, well-defined IP range |
| AWS | Application Load Balancer, Network Load Balancer, or CloudFront | Using a load balancer narrows the Trusted Proxy CIDR to a much smaller, well-defined IP range |
What the Ingress Must Do
Regardless of which ingress you use, it must:
- Terminate TLS for `*.your-wildcard-hostname` and `your-wildcard-hostname`
- Forward all traffic to Broch on port 8080
- Pass the `X-Forwarded-For`, `X-Forwarded-Proto`, and `Host` headers
- Support WebSocket upgrades (`Upgrade: websocket`, `Connection: upgrade`) — tunnel connections use WebSockets
If you bring your own reverse proxy (Docker Compose BYO cert option), verify these headers are forwarded correctly. Missing WebSocket support will prevent tunnels from connecting.
Trusted Proxy CIDRs
Because Broch sits behind a reverse proxy, the IP address it sees on incoming connections is the proxy’s IP, not the client’s. Broch reads the real client IP from the X-Forwarded-For header — but only from proxies it trusts.
After deployment, configure Trusted Proxy CIDRs in the admin dashboard under Settings → System Info. Set this to the IP range of your reverse proxy or load balancer.
| Platform | What to set |
|---|---|
| Docker Compose (same host) | 172.16.0.0/12 (Docker bridge network) |
| DigitalOcean | 10.0.0.0/8 or the Droplet’s internal network |
| Azure Container Apps | The ACA internal VNET range |
| AWS ALB | The ALB subnet CIDRs |
The System Info tab shows the ingress IP the server currently sees and whether it is covered by your configured CIDRs — use this to verify the setting is correct.
Why this matters: If Trusted Proxy CIDRs is not set correctly, tunneling will not work at all. Share Policy network rules compare inbound request IPs against the CIDRs you configure — if the proxy IP is used instead of the client IP, requests will not match any rules and will be denied. Audit logs will also show proxy IPs instead of client IPs.
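The following Python is an added illustration, not Broch's own code, of the trust decision described above: X-Forwarded-For is honoured only when the connecting peer falls inside a Trusted Proxy CIDR, and a Share Policy network rule is then evaluated against the resulting address. The CIDRs and IPs are constructed sample values, and the right-to-left walk over the header that skips trusted hops is a common approach assumed here, not a statement about the server's internals.

```python
import ipaddress
from typing import Iterable, Optional, Tuple

# Constructed sample configuration (not from a real deployment).
TRUSTED_PROXY_CIDRS = ["172.16.0.0/12"]   # Docker bridge range, as in the table above
SHARE_POLICY_ALLOW = ["203.0.113.0/24"]   # hypothetical "allow office network" rule


def _networks(cidrs: Iterable[str]):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_trusted_proxy(peer_ip: str, trusted_cidrs: Iterable[str]) -> bool:
    """The check the System Info tab performs: is the ingress IP covered by a trusted CIDR?"""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in _networks(trusted_cidrs))


def client_ip(peer_ip: str, xff: Optional[str], trusted_cidrs: Iterable[str]) -> str:
    """Resolve the client IP. The header is only honoured when the TCP peer is a trusted
    proxy; hops are then walked right-to-left and every trusted proxy is skipped, so the
    rightmost untrusted address is taken as the client (assumed algorithm)."""
    if not xff or not is_trusted_proxy(peer_ip, trusted_cidrs):
        return peer_ip  # untrusted peer: the header is ignored entirely
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not is_trusted_proxy(hop, trusted_cidrs):
                return hop
        except ValueError:
            return peer_ip  # malformed hop value: fall back to the socket address
    return hops[0]  # every hop is a trusted proxy: leftmost is the origin


def share_policy_allows(ip: str, allow_cidrs: Iterable[str]) -> bool:
    """Share Policy network rule: does the resolved client IP match an allowed CIDR?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _networks(allow_cidrs))


def evaluate(peer_ip: str, xff: Optional[str], trusted_cidrs: Iterable[str],
             allow_cidrs: Iterable[str]) -> Tuple[str, bool]:
    """Return (client IP as the server would see it, whether the rule matches)."""
    ip = client_ip(peer_ip, xff, trusted_cidrs)
    return ip, share_policy_allows(ip, allow_cidrs)
```

With the CIDR set correctly the rule sees the client address and matches; with the proxy range missing from Trusted Proxy CIDRs the rule sees the proxy's 172.x address instead and denies the request, which is the failure mode described above.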