Nginx acts as the public-facing reverse proxy in front of the PharmaVault Docker container. It handles SSL termination, redirects all plain HTTP traffic to HTTPS, and forwards requests — including WebSocket upgrade handshakes — to the container onDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/JReyna217/PharmaVault/llms.txt
Use this file to discover all available pages before exploring further.
http://127.0.0.1:5010. The application itself never needs to manage certificates or deal with TLS directly.
Why Nginx Is Needed
SSL Termination
Nginx holds the SSL certificate and handles the TLS handshake. The backend container communicates over unencrypted HTTP on the internal loopback interface.
HTTP → HTTPS Redirect
A dedicated server block on port 80 issues a permanent 301 redirect to the HTTPS equivalent URL, ensuring all traffic is encrypted in transit.
WebSocket / SignalR Support
Blazor Server relies on SignalR, which uses WebSocket connections. The
Upgrade and Connection headers must be forwarded or the interactive UI will not function.Configuration File
The Nginx config template lives atdeploy/nginx/pharmavault.conf in the repository. Copy it to /etc/nginx/sites-available/pharmavault on your server and fill in the two placeholder values before enabling the site.
Configuration Breakdown
HTTP Block (Port 80) — Redirect to HTTPS
HTTP Block (Port 80) — Redirect to HTTPS
The first server block listens on port 80 and does nothing other than issue a permanent 301 redirect to the HTTPS equivalent of whatever URL was requested. The
$host and $request_uri variables preserve the original domain and path, so bookmarked URLs and crawled links automatically resolve to the secure version.HTTPS Block (Port 443) — SSL and Reverse Proxy
HTTPS Block (Port 443) — SSL and Reverse Proxy
The second server block handles all encrypted traffic. The
ssl_certificate and ssl_certificate_key directives point to the certificate files on disk. Once TLS is terminated, Nginx forwards every request to the PharmaVault Docker container at http://127.0.0.1:5010 via proxy_pass.WebSocket Headers — Required for Blazor Server SignalR
WebSocket Headers — Required for Blazor Server SignalR
Blazor Server maintains a persistent WebSocket connection between the browser and server to process UI events and push DOM updates in real time. This connection is negotiated via an HTTP Upgrade handshake. Three directives work together to make this possible:
proxy_http_version 1.1— HTTP/1.0 does not support persistent connections; WebSockets require HTTP/1.1.proxy_set_header Upgrade $http_upgrade— Forwards the browser’sUpgrade: websocketheader to the backend.proxy_set_header Connection "upgrade"— Instructs Nginx to treat this as a connection upgrade rather than a standard HTTP request.
Forwarded Headers — Client IP and Protocol
Forwarded Headers — Client IP and Protocol
Because requests arrive at the application from Nginx (127.0.0.1) rather than directly from the client, the original client context must be passed explicitly through headers.
X-Forwarded-For— The real client IP address, appended to the forwarding chain by$proxy_add_x_forwarded_for.X-Forwarded-Proto— The original protocol (httporhttps) via$scheme, so ASP.NET Core can correctly determine whether the request was secure.
Logging — Access and Error Logs
Logging — Access and Error Logs
The access and error logs are written to dedicated files under Tail either log in real time with
/var/log/nginx/, keeping PharmaVault traffic separate from any other sites on the same server.sudo tail -f /var/log/nginx/pharmavault.access.log.Deployment Steps
Copy the config to sites-available
From the root of the cloned repository, copy the template to the Nginx configuration directory:
Fill in the placeholders
Open the file with a text editor and replace the two placeholder tokens:
[YOUR_URL]→ your domain name, e.g.pharmavault.example.com[YOUR_CERT_PATH]→ the directory containing your SSL certificate and key files, e.g./etc/ssl/pharmavault
Test the configuration
Validate the Nginx config for syntax errors before applying it:A successful test prints
syntax is ok and test is successful.