Load balancer

The HTTP/s load balancer terminates HTTPS (TLS) for clients. It is configured with a certificate from your cloud provider or another CA, completes the TLS handshake, forwards traffic to Fabricate's application container, and exposes the application to the internet.

AWS ALB

If you use AWS, you can create an Application Load Balancer with a TLS certificate in front of your Fabricate instance.

You can either:

Use a free SSL/TLS certificate from AWS Certificate Manager
Bring your own certificate

To configure the ALB:

In AWS Certificate Manager (ACM), issue a certificate for your hostname, such as fabricate.example.com , using a DNS or Email challenge.
Create new target group (at EC2 / Load Balancing / Target Groups) with:
- Protocol HTTP
- Port 3000
- Health check path /up
Register the used Amazon EC2 instance in that target group.
Create a new application load balancer under EC2 / Load Balancing / Load balancers with:
- HTTPS (443) forwarding to the target group
- Optional HTTP (80) redirecting to HTTPS
- Previously issued ACM certificate for your domain
- Previously created target group with the Amazon EC2 instance
Allow 443 on the ALB security group.
Allow 3000 on the instance only from the ALB security group.
Point DNS for your hostname to the ALB CNAME / A / AAAA.

In Fabricate's .env file, set FABRICATE_HOST to the public hostname that the ALB serves. Do not include the internal application port.

For example:

FABRICATE_HOST="fabricate.example.com"

Caddy

If you run Fabricate on a single VPS, you can use Caddy to terminate TLS on the server.

To configure Caddy:

Create an A or AAAA record for your Fabricate hostname that points to the server IP address.
Allow inbound TCP 80 and 443.
Add a caddy service to your Docker Compose setup:

services:
  caddy:
    image: caddy:latest
    restart: unless-stopped
    ports:
      - '80:80'
      - '443:443'
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - caddy_data:/data
      - caddy_config:/config
    extra_hosts:
      - 'host.docker.internal:host-gateway'
    networks:
      - fabricate_internal

volumes:
  caddy_data:
  caddy_config:

In the same directory, create a Caddyfile configuration with a proxy to the http://web:3000 container. Caddy uses ACME HTTP change to automatically issue and renew the certificate for your domain.

fabricate.example.com {
  reverse_proxy http://web:3000
  tls {
    protocols tls1.2 tls1.3
  }
}

Set FABRICATE_HOST in .env file to the public hostname:

FABRICATE_HOST="fabricate.example.com"

Nginx

If you run Fabricate behind nginx, then on the /cable path, you must enable websocket connection upgrades.

For example:

location /cable {
    proxy_pass fabricate;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }

Other load balancers / proxies

Other load balancer / proxy options include:

Google Cloud Load Balancer
Traefik
Envoy

Last updated 26 days ago

Was this helpful?