Behind Nginx

Run Drip behind Nginx for advanced configurations.

Overview

Run Drip on an internal port (e.g., 8443) in plain TCP mode and let Nginx handle TLS termination. Useful when:

  • You have multiple services on the same server
  • You need advanced load balancing
  • You want to use Nginx's caching or rate limiting

> Important: When tls_enabled: false, drip-server runs in plain TCP mode and MUST be placed behind a reverse proxy (Caddy, Nginx, etc.) that handles TLS termination. Never expose plain TCP mode directly to the internet.

Step 1: Create Drip Server Config

Create /etc/drip/config.yaml:

```yaml
port: 8443
domain: tunnel.example.com
tls_enabled: false
public_port: 443
token: YOUR_SECRET_TOKEN
tcp_port_min: 20000
tcp_port_max: 20100
metrics_token: YOUR_METRICS_TOKEN
```

Note: tls_enabled: false means Drip runs in plain TCP mode, letting Nginx handle TLS.

Step 2: Get SSL Certificate

```bash
sudo certbot certonly --manual --preferred-challenges dns \
  -d "*.tunnel.example.com" -d "tunnel.example.com"
```

Step 3: Configure Nginx

Create /etc/nginx/sites-available/drip:

```nginx
# Redirect all HTTP traffic to HTTPS
server {
    listen 80;
    server_name tunnel.example.com *.tunnel.example.com;
    return 301 https://$host$request_uri;
}

# HTTPS reverse proxy → Drip Server
server {
    listen 443 ssl http2;
    server_name *.tunnel.example.com tunnel.example.com;

    # SSL certificate
    ssl_certificate /etc/letsencrypt/live/tunnel.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/tunnel.example.com/privkey.pem;

    # Proxy to Drip Server
    location / {
        proxy_pass http://127.0.0.1:8443;
        proxy_http_version 1.1;

        # Forward request headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Timeout settings
        proxy_connect_timeout 60s;
        proxy_send_timeout 300s;
        proxy_read_timeout 300s;

        # Disable buffering
        proxy_buffering off;
        proxy_request_buffering off;
    }
}
```

Step 4: Enable Site

```bash
sudo ln -s /etc/nginx/sites-available/drip /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl reload nginx
```

Important Notes

  • proxy_buffering off is required for real-time streaming
  • WebSocket upgrade headers are required for tunnel connections
  • Because tls_enabled is false, proxy_pass must use http:// (not https://)

TCP Tunnels

TCP tunnels bypass Nginx and connect directly to the Drip server's TCP port range. Make sure to open the TCP port range in your firewall:

```bash
sudo ufw allow 20000:20100/tcp
```

Verify Setup

```bash
# Check Nginx config
sudo nginx -t

# Check Nginx logs
sudo tail -f /var/log/nginx/error.log

# Test health endpoint
curl https://tunnel.example.com/health
```
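
One way to check the Overview warning on the host itself, as an added example that is not part of the Drip documentation: the script reads `ss -Hltn` output and reports any listener on the plain-TCP port (8443 in the config above) that is bound to an address other than loopback. The function names and the sample lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: flag listeners on Drip's plain-TCP port that are reachable
# beyond loopback. Input is `ss -Hltn` output (column 4 = local addr:port).

# Prints every non-loopback local address bound to port $1, one per line.
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            local_addr = $4
            n = split(local_addr, parts, ":")
            if (parts[n] != port) next        # listener on a different port
            # Everything before the final ":port" is the bound address.
            addr = substr(local_addr, 1, length(local_addr) - length(parts[n]) - 1)
            sub(/%.*$/, "", addr)             # drop a "%iface" suffix
            gsub(/^\[|\]$/, "", addr)         # drop IPv6 brackets
            if (addr ~ /^127\./ || addr == "::1") next   # loopback only
            print addr
        }'
}

# Returns 0 when the port is loopback-only (or not listening), 1 when exposed.
check_plain_port() {
    port="$1"
    exposed="$(exposed_listeners "$port")"
    if [ -n "$exposed" ]; then
        printf 'port %s is bound beyond loopback: %s\n' "$port" \
            "$(printf '%s' "$exposed" | tr '\n' ' ')" >&2
        return 1
    fi
    return 0
}

# Constructed sample input (not captured from a real host).
SAMPLE_SAFE='LISTEN 0 4096 127.0.0.1:8443 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*'
SAMPLE_EXPOSED='LISTEN 0 4096 *:8443 *:*
LISTEN 0 4096 [::]:8443 [::]:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*'

# On a live host: ss -Hltn | check_plain_port 8443
```

A non-zero exit means the plain-TCP port accepts connections on a routable interface, so clients could reach Drip without passing through Nginx's TLS termination.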