
Bring your own reverse proxy

If you already run Nginx, Traefik, Cloudflare Tunnel, or a Kubernetes ingress, you don’t need Caddy. Point your proxy at Hiveloom bound to 127.0.0.1:3000 (see systemd) and make sure the following forwarded headers are set.

Required forwarded headers

| Header | Required value | Consumed by |
| --- | --- | --- |
| X-Forwarded-Proto | https | Used to construct https:// URLs in OAuth metadata. |
| X-Forwarded-Host | <your-public-host> | Hostname in public URLs. |
| Host | <your-public-host> | Fallback if X-Forwarded-Host is absent. |
| X-Forwarded-For | <client-ip> | Optional; logged on the Hiveloom side. |

If these are wrong, the OAuth metadata returns http:// URLs and MCP clients reject the auth server.
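
A check for this failure mode, as an added example that is not part of the Hiveloom docs or code: it walks an OAuth metadata document and reports every URL that is not https or does not use the public hostname. The sample documents and endpoint paths are constructed; fetching the live document from `/.well-known/oauth-authorization-server` (the RFC 8414 default path) is an assumption about where Hiveloom serves it.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: what the metadata could look like when the proxy does not
# set X-Forwarded-Proto / X-Forwarded-Host. Field names follow RFC 8414; the
# endpoint paths and values are made up for this example.
BAD_METADATA = json.loads("""{
  "issuer": "http://127.0.0.1:3000",
  "authorization_endpoint": "http://127.0.0.1:3000/oauth/authorize",
  "token_endpoint": "https://hiveloom.example.com/oauth/token",
  "response_types_supported": ["code"]
}""")

# Constructed sample: the same document behind a correctly configured proxy.
GOOD_METADATA = json.loads("""{
  "issuer": "https://hiveloom.example.com",
  "authorization_endpoint": "https://hiveloom.example.com/oauth/authorize",
  "token_endpoint": "https://hiveloom.example.com/oauth/token",
  "response_types_supported": ["code"]
}""")


def iter_urls(node, path=""):
    """Yield (json_path, url) for every absolute URL string in the document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_urls(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_urls(value, f"{path}[{index}]")
    elif isinstance(node, str) and "://" in node:
        yield path, node


def check_public_urls(metadata, public_host):
    """Return (json_path, url, reason) for each URL that is not https on public_host."""
    problems = []
    for path, url in iter_urls(metadata):
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append((path, url, "scheme is not https"))
        if parts.hostname != public_host.lower():
            problems.append((path, url, f"host is not {public_host}"))
    return problems


if __name__ == "__main__":
    for path, url, reason in check_public_urls(BAD_METADATA, "hiveloom.example.com"):
        print(f"{path}: {url} ({reason})")
```

An empty result means every URL in the document uses https and the public hostname.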

Minimal Nginx snippet

```nginx
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name hiveloom.example.com;

    # ssl_certificate / ssl_certificate_key — via certbot or your own CA

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 300s;
    }
}
```

Cloudflare Tunnel

Cloudflare Tunnel can replace your reverse proxy entirely for the public edge. Point the tunnel at http://127.0.0.1:3000 and set httpHostHeader to your public hostname so Hiveloom builds correct OAuth and MCP URLs. Cloudflare forwards X-Forwarded-Proto, and Hiveloom already uses that header when constructing public metadata.

Full working example: Cloudflare Tunnel.
