NeXuS

SSL / TLS

NeXuS uses two TLS layers: Cloudflare terminates TLS at the edge (client to Cloudflare), and Traefik terminates a second TLS session at the origin (Cloudflare to your server) using certificates issued by Let’s Encrypt. The last hop, from Traefik to the application container, is plain HTTP on the internal Docker network, so only trusted containers should be attached to that network.

Architecture

Client ──(HTTPS)──▶ Cloudflare ──(HTTPS)──▶ Traefik ──(HTTP)──▶ Container
                    Edge TLS                 Origin TLS          Internal

Traefik + Let’s Encrypt

Traefik requests and renews certificates from Let’s Encrypt automatically over the ACME protocol, using the certificate resolver (named letsencrypt here) defined in its static configuration. Because Cloudflare’s proxy terminates TLS in front of the origin, the TLS-ALPN-01 challenge cannot reach Traefik; use HTTP-01, which Cloudflare forwards to the origin on port 80, or DNS-01 with a Cloudflare API token.

Configuration

Each service declares its TLS requirements via Docker labels:

labels:
  - "traefik.http.routers.nexus-api.entrypoints=websecure"
  - "traefik.http.routers.nexus-api.tls.certresolver=letsencrypt"

Traefik handles:

Certificate Storage

Certificates, the ACME account key and in-progress orders are stored in acme.json inside a Traefik volume. Make sure that volume persists across container restarts and recreations: if the file is lost, Traefik requests every certificate again on startup, and repeated issuance quickly hits Let’s Encrypt’s rate limits (5 duplicate certificates per week for the same set of names). The file contains private keys, and Traefik refuses to use it if its permissions are wider than 0600, so keep it readable by Traefik only.
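The service labels above reference a certificate resolver named letsencrypt and an entrypoint named websecure, but those are defined on the Traefik container itself. The compose file below for that container is an added example, not the NeXuS project’s own configuration; it assumes the ACME contact address admin@sebhosting.com, a traefik-public network created beforehand with `docker network create traefik-public`, and a named volume traefik-letsencrypt that holds acme.json.

```yaml
# docker-compose.yml for the Traefik instance (added example, not NeXuS code).
# Assumed: admin@sebhosting.com as ACME contact, pre-created traefik-public network.
services:
  traefik:
    image: traefik:v3.1
    command:
      - "--providers.docker=true"
      # Only containers that opt in with traefik.enable=true are routed.
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.network=traefik-public"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # Redirect HTTP to HTTPS here rather than in Cloudflare: Traefik answers
      # ACME HTTP-01 challenges on "web" before this redirect applies.
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      # The "letsencrypt" resolver that the service labels refer to.
      - "--certificatesresolvers.letsencrypt.acme.email=admin@sebhosting.com"
      - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
      - "--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web"
      # While testing, point at the staging CA so failed attempts do not count
      # against the production rate limits:
      # - "--certificatesresolvers.letsencrypt.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # Read-only socket: Traefik only needs to watch container events.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # Named volume so acme.json survives `docker compose down` and image upgrades.
      - traefik-letsencrypt:/letsencrypt
    networks:
      - traefik-public
    restart: unless-stopped

volumes:
  traefik-letsencrypt:

networks:
  traefik-public:
    external: true
```

The named volume is what keeps acme.json across `docker compose down` and upgrades; `docker compose down -v` deletes it, after which every certificate is requested again on the next start. Traefik creates acme.json with mode 0600 and refuses to start the resolver if it finds the file more permissive, so do not widen the permissions for convenience.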

Cloudflare SSL

Configure Cloudflare SSL/TLS to Full (strict) mode:

  1. Go to your Cloudflare dashboard → SSL/TLS
  2. Set encryption mode to Full (strict)
  3. This ensures end-to-end encryption with certificate validation: Cloudflare connects to the origin over HTTPS and accepts only a certificate that is valid for the hostname and issued by a CA it trusts, which the Let’s Encrypt certificate from Traefik is

The weaker modes are not acceptable here. Flexible sends plain HTTP from Cloudflare to the origin, and Full (non-strict) encrypts the hop but accepts any certificate, so an attacker between Cloudflare and the server could present their own. Two caveats follow from Full (strict): until Traefik has obtained its first certificate, Cloudflare answers HTTPS requests for the domain with a 526 (Invalid SSL certificate), and Cloudflare’s Always Use HTTPS setting must stay off or exempt /.well-known/acme-challenge/, because Let’s Encrypt follows the redirect and the HTTP-01 request then arrives on port 443 instead of the web entrypoint Traefik answers it on. Let Traefik perform the HTTP to HTTPS redirect instead.
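A quick way to confirm the mode is satisfied end to end is to compare what Cloudflare presents at the edge with what Traefik presents at the origin. The script below is an added example, not part of NeXuS; it assumes openssl is installed, that you know the origin’s public IP (203.0.113.10 in the usage line is a placeholder), and that host and IP are passed as arguments.

```shell
#!/bin/sh
# tls-check.sh (added example, not NeXuS tooling): compare the edge certificate
# Cloudflare serves with the origin certificate Traefik serves, and confirm the
# origin certificate would pass Full (strict) validation. Assumes openssl.
set -eu

# Given `openssl s_client` output, print "ok" if the chain verified, else "fail".
verify_status() {
  if printf '%s\n' "$1" | grep -q 'Verify return code: 0 (ok)'; then
    echo ok
  else
    echo fail
  fi
}

# Extract the O= (organisation) from an "issuer=..." line, in either the
# OpenSSL 1.x ("issuer= /C=US/O=X/CN=Y") or 3.x ("issuer=C = US, O = X, CN = Y") format.
org_from_issuer() {
  printf '%s\n' "$1" | sed -n 's|.*[ /,]O *= *\([^,/]*\).*|\1|p' | head -n 1
}

# Fetch the chain presented for hostname $1 by the endpoint at address $2.
# -servername sends SNI so Traefik picks the right certificate even when
# we connect by IP. Connection errors yield empty output, not a script exit.
fetch_chain() {
  openssl s_client -connect "$2:443" -servername "$1" -showcerts </dev/null 2>/dev/null || true
}

# "issuer=..." line of the leaf certificate in s_client output.
issuer_line() {
  printf '%s\n' "$1" | openssl x509 -noout -issuer 2>/dev/null || true
}

# tls_check HOST ORIGIN_IP: report both layers; non-zero if the origin would fail Full (strict).
tls_check() {
  host=$1; origin_ip=$2
  edge=$(fetch_chain "$host" "$host")          # via Cloudflare: DNS resolves to the proxy
  origin=$(fetch_chain "$host" "$origin_ip")   # straight to Traefik, bypassing Cloudflare
  echo "edge   issuer: $(org_from_issuer "$(issuer_line "$edge")")   verify: $(verify_status "$edge")"
  echo "origin issuer: $(org_from_issuer "$(issuer_line "$origin")") verify: $(verify_status "$origin")"
  if [ "$(verify_status "$origin")" != ok ]; then
    echo "origin certificate does not verify: Cloudflare will return 526 under Full (strict)"
    return 1
  fi
}

# Run only when called with arguments, so the functions can also be sourced.
if [ $# -eq 2 ]; then
  tls_check "$1" "$2"
fi
```

Run it as `sh tls-check.sh my-service.sebhosting.com 203.0.113.10`. The edge issuer is a CA chosen by Cloudflare, while the origin line must show Let’s Encrypt with verify ok; a failing verify on the origin line is exactly the condition that makes Cloudflare answer 526 under Full (strict).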

Edge Certificates

Cloudflare automatically provisions edge certificates (Universal SSL) for every proxied hostname; no configuration is needed. Universal SSL covers the apex and one level of subdomain (my-service.sebhosting.com), not deeper names such as a.b.sebhosting.com, which need a paid Advanced Certificate.

Domain Setup

Each NeXuS service needs:

  1. A DNS record in Cloudflare pointing to your server
  2. Cloudflare proxy enabled (orange cloud), so the record publishes Cloudflare’s addresses rather than the origin IP
  3. A Traefik router whose Host() rule matches that DNS name exactly (the certificate is requested for the hostnames in the rule)

With the proxy in front, restrict ports 80 and 443 on the server to Cloudflare’s published IP ranges; otherwise anyone who learns the origin IP can talk to Traefik directly and skip Cloudflare entirely.

Example for a new service:

# In docker-compose.yml
my-service:
  labels:
    - "traefik.enable=true"
    - "traefik.http.routers.my-service.rule=Host(`my-service.sebhosting.com`)"
    - "traefik.http.routers.my-service.entrypoints=websecure"
    - "traefik.http.routers.my-service.tls.certresolver=letsencrypt"
    - "traefik.http.services.my-service.loadbalancer.server.port=8080"
    - "traefik.docker.network=traefik-public"

Then add a DNS record:

my-service.sebhosting.com → A → <server-ip> (proxied)
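The three requirements above are easy to check mechanically before a deploy. The script below is an added example, not NeXuS tooling: it reads router labels from a docker-compose.yml (the quoted list form shown above; YAML map-style labels are not handled), reports any router that is not bound to websecure with a certificate resolver, and prints the Cloudflare DNS records the Host() rules imply. The compose file it creates is constructed for the demonstration, with two deliberately mislabelled services, and 203.0.113.10 is a placeholder server address.

```shell
#!/bin/sh
# traefik-label-lint.sh (added example, not NeXuS code): verify Traefik router
# labels request TLS the NeXuS way and derive the DNS records they need.
set -eu

# Write a constructed sample compose file and print its path. One correctly
# labelled service, one on the plain "web" entrypoint, one without a resolver.
sample_compose() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
services:
  my-service:
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.my-service.rule=Host(`my-service.sebhosting.com`)"
      - "traefik.http.routers.my-service.entrypoints=websecure"
      - "traefik.http.routers.my-service.tls.certresolver=letsencrypt"
      - "traefik.http.services.my-service.loadbalancer.server.port=8080"
  legacy:
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.legacy.rule=Host(`legacy.sebhosting.com`)"
      - "traefik.http.routers.legacy.entrypoints=web"
  nocert:
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nocert.rule=Host(`nocert.sebhosting.com`)"
      - "traefik.http.routers.nocert.entrypoints=websecure"
EOF
  echo "$f"
}

# Print "router=value" for every label traefik.http.routers.<router>.<key>=<value>.
router_label() {  # $1 compose file, $2 key (rule, entrypoints, tls.certresolver)
  key=$(printf '%s' "$2" | sed 's/\./\\./g')
  sed -n 's/.*"traefik\.http\.routers\.\([^.]*\)\.'"$key"'=\(.*\)".*/\1=\2/p' "$1"
}

# Value of one key for one router; empty when the label is absent.
router_value() {  # $1 file, $2 router, $3 key
  router_label "$1" "$3" | sed -n "s/^$2=//p" | head -n 1
}

# Hostnames in a router's rule: every backtick-quoted string in Host(`...`).
router_hosts() {  # $1 file, $2 router
  router_value "$1" "$2" rule | grep -o '`[^`]*`' | tr -d '`'
}

# One line per router; exit status 1 if any router lacks websecure or a resolver.
lint() {  # $1 compose file
  status=0
  for router in $(router_label "$1" rule | cut -d= -f1); do
    eps=$(router_value "$1" "$router" entrypoints)
    resolver=$(router_value "$1" "$router" tls.certresolver)
    problems=""
    # entrypoints may be a comma-separated list; websecure must be in it.
    case ",$eps," in
      *,websecure,*) ;;
      *) problems="$problems entrypoints=${eps:-<unset>}" ;;
    esac
    [ -n "$resolver" ] || problems="$problems tls.certresolver=<unset>"
    if [ -z "$problems" ]; then
      echo "OK   $router $(router_hosts "$1" "$router" | tr '\n' ' ')"
    else
      echo "FAIL $router:$problems"
      status=1
    fi
  done
  return $status
}

# Cloudflare records implied by the Host() rules: proxied A records to the server.
dns_records() {  # $1 compose file, $2 server IP
  for router in $(router_label "$1" rule | cut -d= -f1); do
    for host in $(router_hosts "$1" "$router"); do
      echo "$host -> A -> $2 (proxied)"
    done
  done
}

# Demonstration on the constructed file; use `lint docker-compose.yml` for real.
f=$(sample_compose)
lint "$f" || echo "fix the FAIL lines before deploying"
dns_records "$f" 203.0.113.10
rm -f "$f"
```

Run `lint docker-compose.yml` in CI and fail the build on its non-zero exit: a router left on the web entrypoint is reachable at the origin without TLS, and one without a resolver gets Traefik’s self-signed default certificate, which Full (strict) rejects with a 526.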