<@ULVA73B9P> How do I run a Prefect server behind ...
# ask-marvin
r
@Marvin How do I run a Prefect server behind an NGINX reverse proxy with SSL termination?
m
To run a Prefect server behind an NGINX reverse proxy with SSL termination, you'll need to consider both the configuration of Prefect and NGINX. Here's a concise guide:

1. Prefect Configuration:
   - Set the `ui.api_url` in your `prefect.toml` file to point to the external proxy URL. For example, if your external URL is `https://prefect-server.example.com`, configure it accordingly.
   - Ensure that the Prefect server is aware of the proxy by setting the `PREFECT_API_URL` environment variable to the proxy URL.
   - Handle SSL certificates by adding them to your system bundle and configuring the `SSL_CERT_FILE` environment variable. Avoid setting `PREFECT_API_TLS_INSECURE_SKIP_VERIFY` to `True` in production as it disables certificate verification.

2. NGINX Configuration:
   - Set up NGINX to listen on port 443 for SSL and handle SSL certificates using `ssl_certificate` and `ssl_certificate_key`.
   - Proxy requests to the Prefect server, typically running on an internal port like 4200, using the `proxy_pass` directive.
   - Ensure headers like `Host` and `X-Real-IP` are properly forwarded.

Here's a basic NGINX configuration snippet:
```nginx
server {
    # TLS is terminated here on port 443
    listen 443 ssl;
    server_name prefect-server.example.com;

    # Certificate and private key presented to clients
    ssl_certificate /path/to/your/certificate.crt;
    ssl_certificate_key /path/to/your/private.key;

    location / {
        # Forward to the Prefect server on its internal port
        proxy_pass http://localhost:4200;
        # Pass the original host, client address and scheme upstream
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```
For more detailed information, you can refer to Prefect's self-hosting guide and the NGINX documentation. If you have specific needs or run into issues, let me know, and I can help further.