NeXuS

Networking

NeXuS uses a dual-network Docker architecture with Traefik as the reverse proxy and Cloudflare for edge SSL/CDN.

Docker Networks

traefik-public (External)

networks:
  traefik-public:
    external: true  # Created by the Traefik stack; declared external so this stack joins it instead of creating its own

All public-facing services connect to this network. Traefik routes incoming HTTPS requests to the correct container based on Host() rules defined in Docker labels.

Connected services: Frontend, API, Auth, CMS, CDN, Cache, WAF, AI Gateway, MCP Server, Grafana

nexus-internal (Bridge, Internal)

networks:
  nexus-internal:
    driver: bridge
    internal: true  # No external routing

Databases live exclusively on this network. internal: true creates the bridge without a route to the host's external interfaces, so a container attached only to this network has no outbound internet access and cannot be reached from outside the Docker host. The flag constrains the network, not the container: the dual-homed application services still have egress through traefik-public, so only the database containers are fully isolated. Because the databases are not attached to traefik-public, Traefik (and anything else on that network) cannot reach them directly.

Connected services: All application services + PostgreSQL, MongoDB, Redis, Memcached

Network Topology

Internet
   │
   ▼
┌────────────────────────────────────────┐
│          traefik-public                │
│                                        │
│  Frontend  API  Auth  CMS  CDN  WAF    │
│  Cache  AI-Gateway  MCP  Grafana       │
└──────────┬─────────────────────────────┘
           │ (dual-homed services)
┌──────────▼─────────────────────────────┐
│          nexus-internal                │
│                                        │
│  PostgreSQL  MongoDB  Redis  Memcached │
│  + all application services            │
└────────────────────────────────────────┘

Traefik Configuration

Each service declares its routing via Docker labels:

labels:
  - "traefik.enable=true"
  - "traefik.http.routers.nexus-api.rule=Host(`api.sebhosting.com`)"
  - "traefik.http.routers.nexus-api.entrypoints=websecure"
  - "traefik.http.routers.nexus-api.tls.certresolver=letsencrypt"
  - "traefik.http.services.nexus-api.loadbalancer.server.port=4000"
  - "traefik.docker.network=traefik-public"

Key points:

traefik.enable=true opts the container in. Run Traefik's Docker provider with exposedByDefault=false so that only labelled containers are routed; otherwise every container Traefik can see becomes reachable.
The Host() rule selects requests by hostname; entrypoints=websecure binds the router to the HTTPS entrypoint only. websecure is a conventional name and must exist in Traefik's static configuration.
tls.certresolver=letsencrypt refers to a certificate resolver named letsencrypt in Traefik's static configuration; the label alone does not configure ACME.
loadbalancer.server.port=4000 is the port the container listens on inside the Docker network. It is not published on the host.
traefik.docker.network=traefik-public tells Traefik which of the container's networks to dial. The service is dual-homed, and without this label Traefik may pick the nexus-internal address, which it cannot reach, producing gateway timeouts.

SSL/TLS

Traefik + Let’s Encrypt

Traefik automatically provisions and renews TLS certificates from Let's Encrypt using the ACME protocol. The certresolver=letsencrypt label on a router requests a certificate for that router's hostname from the resolver of that name, which must be defined (ACME account e-mail, challenge type, storage file) in Traefik's static configuration.

Cloudflare (Edge)

When using Cloudflare as the DNS provider:

Port Mapping

No application container publishes ports on the host in production; only Traefik binds its entrypoints on the host. All traffic flows through Traefik, which dials the container's internal port (the loadbalancer.server.port value) over traefik-public:

Client → Cloudflare (443) → Traefik (443) → Container (internal port)
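
A check for the rules in Docker Networks, Traefik Configuration and Port Mapping above, as an added example (not NeXuS project code): it audits a Compose model for data stores attached to traefik-public, published host ports, Traefik-enabled services that are dual-homed without traefik.docker.network, and routers not bound to websecure with a certresolver. The Compose document is a constructed sample embedded as a Python dict (the shape yaml.safe_load() returns for a compose file); the service names api, postgres and mongodb, their image names, and the deliberately broken mongodb service are assumptions for illustration.

```python
"""Audit a Compose model for the NeXuS dual-network rules.

Added example, not NeXuS project code. SAMPLE_COMPOSE is a constructed
sample in the shape yaml.safe_load() would return for a compose file.
"""

PUBLIC_NET = "traefik-public"
INTERNAL_NET = "nexus-internal"
# Services that must never be reachable from traefik-public (from the page).
DATA_SERVICES = {"postgres", "mongodb", "redis", "memcached"}

SAMPLE_COMPOSE = {
    "networks": {
        PUBLIC_NET: {"external": True},
        INTERNAL_NET: {"driver": "bridge", "internal": True},
    },
    "services": {
        "api": {  # assumed service name; labels follow the page's example
            "image": "nexus/api:latest",  # assumed image name
            "networks": [PUBLIC_NET, INTERNAL_NET],
            "labels": [
                "traefik.enable=true",
                "traefik.http.routers.nexus-api.rule=Host(`api.sebhosting.com`)",
                "traefik.http.routers.nexus-api.entrypoints=websecure",
                "traefik.http.routers.nexus-api.tls.certresolver=letsencrypt",
                "traefik.http.services.nexus-api.loadbalancer.server.port=4000",
                "traefik.docker.network=traefik-public",
            ],
        },
        "postgres": {"image": "postgres:16", "networks": [INTERNAL_NET]},
        # Deliberately misconfigured (constructed) so the audit has something to catch.
        "mongodb": {
            "image": "mongo:7",
            "networks": [PUBLIC_NET, INTERNAL_NET],  # data store on the public network
            "ports": ["27017:27017"],                # host port published
        },
    },
}


def _labels(service):
    """Compose accepts labels as a list of k=v strings or a mapping; return a dict."""
    raw = service.get("labels", {})
    if isinstance(raw, list):
        return dict(item.split("=", 1) for item in raw)
    return dict(raw)


def _networks(service):
    """Compose accepts networks as a list or a mapping; return the set of names."""
    nets = service.get("networks", [])
    return set(nets) if isinstance(nets, list) else set(nets.keys())


def audit(compose):
    """Return a list of (service, finding) tuples; an empty list means compliant."""
    findings = []
    nets = compose.get("networks", {})
    if not nets.get(INTERNAL_NET, {}).get("internal", False):
        findings.append((INTERNAL_NET, "network must be declared internal: true"))
    if not nets.get(PUBLIC_NET, {}).get("external", False):
        findings.append((PUBLIC_NET, "network must be external (owned by the Traefik stack)"))

    for name, svc in compose.get("services", {}).items():
        attached = _networks(svc)
        labels = _labels(svc)
        if name in DATA_SERVICES and attached != {INTERNAL_NET}:
            findings.append((name, "data store must be attached only to nexus-internal"))
        if svc.get("ports"):
            findings.append((name, "publishes host ports; all ingress must go through Traefik"))
        if labels.get("traefik.enable") == "true":
            if PUBLIC_NET not in attached:
                findings.append((name, "Traefik-enabled but not on traefik-public"))
            # Dual-homed containers must tell Traefik which network to dial.
            if len(attached) > 1 and labels.get("traefik.docker.network") != PUBLIC_NET:
                findings.append((name, "dual-homed service must set traefik.docker.network=traefik-public"))
            routers = {k.split(".")[3] for k in labels if k.startswith("traefik.http.routers.")}
            for router in sorted(routers):
                if labels.get(f"traefik.http.routers.{router}.entrypoints") != "websecure":
                    findings.append((name, f"router {router} is not bound to the websecure entrypoint"))
                if not labels.get(f"traefik.http.routers.{router}.tls.certresolver"):
                    findings.append((name, f"router {router} has no tls.certresolver"))
    return findings


if __name__ == "__main__":
    for service, finding in audit(SAMPLE_COMPOSE):
        print(f"{service}: {finding}")
```

Run it against a real file by replacing SAMPLE_COMPOSE with yaml.safe_load(open("docker-compose.yml")); the two findings on the constructed mongodb service show the two ways a data store escapes nexus-internal that the page's design forbids.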

DNS Records

Each service requires a DNS record pointing to the Traefik host:

Record                      Type        Target
nexus.sebhosting.com        A / CNAME   Traefik host
api.sebhosting.com          A / CNAME   Traefik host
auth.sebhosting.com         A / CNAME   Traefik host
cms.sebhosting.com          A / CNAME   Traefik host
cdn.sebhosting.com          A / CNAME   Traefik host
cache.sebhosting.com        A / CNAME   Traefik host
waf.sebhosting.com          A / CNAME   Traefik host
ai-gateway.sebhosting.com   A / CNAME   Traefik host
mcp.sebhosting.com          A / CNAME   Traefik host
grafana.sebhosting.com      A / CNAME   Traefik host

Use an A record for the server IP, or a CNAME to a hostname that resolves to it; a CNAME cannot point at an IP address.

All records should be proxied through Cloudflare (orange cloud) for edge protection. Two consequences to plan for: the origin then sees Cloudflare's addresses as the client IP, so any per-client logic in Traefik needs the entrypoint's forwardedHeaders trustedIPs set to Cloudflare's published ranges; and the orange cloud only protects traffic that goes through Cloudflare, so the host firewall should accept 443 only from those ranges, otherwise anyone who learns the server IP can bypass the edge and reach Traefik directly.