Reverse Proxy (Caddy)
Strix uses Caddy as its sole ingress point. All traffic flows through Caddy before reaching the Strix backend.
Production
Only ports 80 and 443 are exposed in production. All internal services (LiteLLM, PostgreSQL, ClickHouse) are accessible only within the Docker network. Caddy supports three SSL modes.
Let's Encrypt (Automatic)
Caddy automatically obtains and renews certificates from Let's Encrypt. Your server must be reachable on ports 80 and 443 from the internet.
STRIX_DOMAIN=strix.example.com \
STRIX_CORS_ORIGINS=https://strix.example.com \
STRIX_SECURE_COOKIES=true \
docker compose up -d
Self-Signed
Caddy generates a self-signed certificate using its internal CA. Useful for internal or air-gapped deployments where a public certificate is not possible. Browsers will show a certificate warning.
Set the tls directive to internal in your Caddyfile:
strix.internal {
    tls internal
    ...
}
Note: The setup wizard configures this automatically when you select the self-signed SSL option.
Custom Certificates
Use your own certificate and key files (e.g. issued by an internal CA or purchased from a commercial CA). Mount the files into the Caddy container and reference them in the Caddyfile:
strix.example.com {
    tls /etc/caddy/certs/cert.pem /etc/caddy/certs/key.pem
    ...
}
Mount the certificates (read-only) in docker-compose.yml:
caddy:
  volumes:
    - ./certs/cert.pem:/etc/caddy/certs/cert.pem:ro
    - ./certs/key.pem:/etc/caddy/certs/key.pem:ro
Development
In development, Caddy runs in HTTP-only mode on port 8080:
docker compose -f docker-compose.yml -f docker-compose.dev.yml up -d
Note: Database ports (PostgreSQL 5432, ClickHouse 8123/9000) are exposed for development. Do not use this configuration in production.
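The production section above promises that only ports 80 and 443 are published, while the development override also publishes the database ports. The POSIX shell function below is an added pre-flight check (not part of the Strix project or its compose files): it reads the container/port listing that `docker ps --format '{{.Names}} {{.Ports}}'` prints and fails if any host-published port other than 80 or 443 is found. The sample lines are constructed, not captured from a real deployment.

```shell
#!/bin/sh
# Added example (not Strix project code): verify that a running stack publishes
# only 80/tcp and 443/tcp to the host, as the production setup requires.
# Input lines look like the output of:  docker ps --format '{{.Names}} {{.Ports}}'
# e.g. "strix-caddy-1 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp"
# An entry with "->" is published to the host; "5432/tcp" alone is internal only.

# Reads the listing on stdin. Returns 0 if every published host port is 80 or
# 443, otherwise prints each offending container/port pair and returns 1.
check_published_ports() {
    rc=0
    while read -r name ports; do
        # Port entries are comma separated; turn commas into word separators.
        for p in $(printf '%s' "$ports" | tr ',' ' '); do
            case "$p" in
                *'->'*)
                    host=${p%%->*}         # "0.0.0.0:5432" or ":::5432"
                    host_port=${host##*:}  # "5432"
                    case "$host_port" in
                        80|443) ;;
                        *) echo "unexpected published port on $name: $p"; rc=1 ;;
                    esac
                    ;;
            esac
        done
    done
    return $rc
}

# Constructed sample listings (hypothetical container names).
PROD_SAMPLE='strix-caddy-1 0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp
strix-postgres-1 5432/tcp
strix-clickhouse-1 8123/tcp, 9000/tcp
strix-litellm-1 4000/tcp'

DEV_SAMPLE='strix-caddy-1 0.0.0.0:8080->8080/tcp
strix-postgres-1 0.0.0.0:5432->5432/tcp
strix-clickhouse-1 0.0.0.0:8123->8123/tcp, 0.0.0.0:9000->9000/tcp'

if printf '%s\n' "$PROD_SAMPLE" | check_published_ports; then
    echo "production sample: OK, only 80/443 are published"
fi
if ! printf '%s\n' "$DEV_SAMPLE" | check_published_ports; then
    echo "development sample: database ports are published, do not use in production"
fi
```

Against a live host, pipe `docker ps --format '{{.Names}} {{.Ports}}'` into `check_published_ports` instead of the samples.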
Access Logs
Caddy access logs are automatically shipped to the system fractal. Switch to the system fractal in the UI to view them.