# Nginx Proxy Manager Setup (Existing Edge)

This guide assumes you already run Nginx Proxy Manager (NPM) as your shared reverse proxy and want to route Fiddy through it.

## 1) Proxy Host in NPM UI

1. Create a Proxy Host for your Fiddy domain.
2. Forward Hostname/IP: your app host/internal IP.
3. Forward Port: your app port (for example `3000`).
4. Enable:
   - Block Common Exploits
   - Websockets Support
   - SSL certificate
   - Force SSL
   - HTTP/2 support

## 2) Host Advanced Config (NPM UI)

In Proxy Host -> Advanced, paste from:

- `docker/nginx/npm/proxy-host-advanced.conf.example`

This adds:

- timeout/body limits
- connection cap
- structured access/error logs

## 3) Required Root Custom Location `/` (NPM UI)

Create a Custom Location for:

- `/`

In that location's Advanced field, paste:

- `docker/nginx/npm/location-root-advanced.conf.example`

This handles:

- security headers
- request-id propagation/response header
- upstream proxy timeouts

## 4) Per-Location Rate Limits (NPM UI)

Create Custom Locations in NPM for:

- `/api/auth/login`
- `/api/auth/register`
- `/api/entries`
- `/api/buckets`
- `/api/groups`
- `/api/tags`
- `/api/schedules` (canonical)
- `/api/recurring-entries` (compatibility, deprecated)

Then use:

- `docker/nginx/npm/location-auth-advanced.conf.example` for auth locations
- `docker/nginx/npm/location-write-advanced.conf.example` for write API locations

Note:

- Because these locations are more specific than `/`, requests that match them do not pass through the `/` location, so keep the request-id directives in these location snippets too.

## 5) Global NPM Config Needed for Rate Limit Zones

`limit_req_zone`, `limit_conn_zone`, and `log_format` must exist in the Nginx `http` context.

Use template:

- `docker/nginx/npm/http_top.conf.example`

Typical NPM path:

- `/data/nginx/custom/http_top.conf`

## 6) SSH Method (If UI Is Not Enough)

If your NPM UI does not expose everything you need:

1. Enter the container (substitute your NPM container's name for the placeholder):

   ```bash
   docker exec -it <npm-container> sh
   ```

2. Verify active config and custom includes:

   ```bash
   nginx -T | grep -n "include .*custom"
   nginx -T | grep -n "http_top.conf"
   ```

3. Write global HTTP custom file (path may vary by image/version):

   ```bash
   mkdir -p /data/nginx/custom
   cat >/data/nginx/custom/http_top.conf <<'EOF'
   # paste docker/nginx/npm/http_top.conf.example content
   EOF
   ```

4. Test the config, then reload Nginx:

   ```bash
   nginx -t
   nginx -s reload
   ```

5. In NPM UI, apply:
   - host advanced snippet
   - location `/` snippet
   - auth/write location snippets

## 7) Log Path Alignment

If your NPM uses a different log path than `/var/log/nginx`:

- update `access_log` / `error_log` lines in your host advanced config
- update:
  - `docker/observability/promtail-config.yml`
  - `docker/security/fail2ban/jail.d/fiddy-nginx.conf`
  - `docker/security/crowdsec/acquis.yaml`

## 8) Validate

Run:

```bash
scripts/smoke-public-launch.sh https://your-domain
```

Then confirm:

- `X-Request-Id` response header exists
- response JSON includes `request_id`
- nginx access logs receive entries for the Fiddy host
- auth and write endpoint bursts are rate limited
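
The "Then confirm" checks above can be scripted. The following is an added example, not part of this project's scripts and not the contents of `scripts/smoke-public-launch.sh`; the function names, sample headers, sample body and burst size are constructed, and it assumes a throttled request returns 429 or 503 since the page does not say which status the snippets configure.

```bash
#!/usr/bin/env bash
# Added example: offline checks for the "Then confirm" list. All function
# names and sample values below are constructed for illustration.

# header_value NAME: raw response headers on stdin -> NAME's value.
# Case-insensitive (HTTP/2 lowercases names); non-zero exit if absent.
header_value() {
  tr -d '\r' | awk -v want="$1" '
    BEGIN { want = tolower(want) ":"; rc = 1 }
    tolower(substr($0, 1, length(want))) == want {
      sub(/^[^:]*:[ \t]*/, ""); print; rc = 0; exit
    }
    END { exit rc }'
}

# json_request_id: JSON body on stdin -> request_id string; fails if missing.
json_request_id() {
  sed -n 's/.*"request_id"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' |
    head -n 1 | grep .
}

# burst_throttled: one HTTP status per line on stdin; succeeds if any request
# was rejected. limit_req answers 503 unless limit_req_status overrides it,
# so 429 and 503 both count (assumption: the page does not name the status).
burst_throttled() {
  awk '$1 == 429 || $1 == 503 { hit = 1 } END { exit !hit }'
}

# check_live BASE PATH: same checks against your own deployment (needs curl).
# The burst size of 30 is an arbitrary constructed value. Not called here.
check_live() {
  curl -sS -D - -o /dev/null "$1$2" | header_value X-Request-Id >/dev/null ||
    { echo "missing X-Request-Id on $2"; return 1; }
  for i in $(seq 1 30); do
    curl -sS -o /dev/null -w '%{http_code}\n' -X POST "$1$2"
  done | burst_throttled || { echo "no throttling seen on $2"; return 1; }
}

# Constructed sample data so the checks run offline.
SAMPLE_HEADERS=$(printf 'HTTP/2 200\r\ncontent-type: application/json\r\nx-request-id: 3f2a9c1e\r\n\r\n')
SAMPLE_BODY='{"ok":true,"request_id":"3f2a9c1e"}'
SAMPLE_BURST=$(printf '200\n200\n200\n429\n429\n')

printf '%s\n' "$SAMPLE_HEADERS" | header_value X-Request-Id
printf '%s\n' "$SAMPLE_BODY" | json_request_id
printf '%s\n' "$SAMPLE_BURST" | burst_throttled && echo "burst was throttled"
```

If a burst against an auth or write location comes back all 2xx/4xx with no 429 or 503, check that the location snippet was saved on that exact Custom Location and that the zones from `http_top.conf` appear in `nginx -T`.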