# Reverse Proxy Setup

Running Windshift behind a reverse proxy is recommended for production deployments. This guide uses Docker Compose with Caddy for automatic HTTPS.

## Docker Compose with Caddy

Create a `docker-compose.yml`:

```yaml
version: '3.8'

services:
  windshift:
    image: windshift/windshift:latest
    restart: unless-stopped
    volumes:
      - ./data:/data
      - ./attachments:/attachments
    command:
      - -db=/data/windshift.db
      - -attachment-path=/attachments
      - -use-proxy
      - -allowed-hosts=windshift.example.com
    networks:
      - web

  caddy:
    image: caddy:2-alpine
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - caddy_data:/data
      - caddy_config:/config
    networks:
      - web

networks:
  web:

volumes:
  caddy_data:
  caddy_config:
```

Create a `Caddyfile`:

```text
windshift.example.com

reverse_proxy windshift:8080
```

Start the stack:

```bash
docker compose up -d
```

Caddy automatically obtains and renews SSL certificates from Let's Encrypt.

## Running Without Docker

If running Windshift directly (not in Docker), start it with proxy mode enabled:

```bash
./windshift -use-proxy -allowed-hosts "windshift.example.com"
```

Then configure your reverse proxy to forward requests to `localhost:8080`.

## Important Notes

1. **Always use `-use-proxy`** when behind a reverse proxy. This tells Windshift to trust the `X-Forwarded-Proto` header.

2. **Never expose Windshift directly** to the internet when using `-use-proxy`. An attacker could spoof headers.

3. **Set `-allowed-hosts`** to your domain name(s) for CSRF protection.

4. **WebSocket support** is required for real-time updates. Ensure your proxy passes WebSocket connections.