A generic secure proxy server with Bearer token authentication. Designed for Coolify deployment, this proxy can secure any HTTP/HTTPS service that lacks built-in authentication.
- 🔒 Bearer token authentication
- 🔄 Full path forwarding (all paths proxied as-is)
- 🐳 Docker-ready for Coolify
- 🏥 Health check endpoint
- ⚡ Lightweight and fast
- 🌐 Works with any HTTP/HTTPS service
- 🌍 Configurable CORS support for browser requests
Set the following environment variables:
PORT- Port for the proxy server (default: 3000)TARGET_URL- Target service URL (required, e.g.,http://service-name:port)BEARER_TOKEN- Required bearer token for authenticationTARGET_SERVICE_NAME- Target service name shown in health check (default: "target-service")
To enable CORS for browser requests, set the following:
CORS_ENABLED- Enable CORS support (set to"true"to enable, default: disabled)CORS_ALLOWED_ORIGINS- Comma-separated list of allowed origins (e.g.,"https://example.com,https://app.example.com"). Use"*"to allow all origins (not recommended for production)CORS_ALLOWED_METHODS- Comma-separated list of allowed HTTP methods (default:"GET,POST,PUT,DELETE,PATCH,OPTIONS")CORS_ALLOWED_HEADERS- Comma-separated list of allowed headers (default:"Content-Type,Authorization")CORS_CREDENTIALS- Allow credentials in CORS requests (set to"true"to enable, default: disabled)
Note: If CORS_ENABLED=true but CORS_ALLOWED_ORIGINS is not set, all origins will be allowed.
- Create a new application in Coolify
- Connect your repository
- Set environment variables:
BEARER_TOKEN- Your secure tokenTARGET_URL- Your target service URL (use container/service name, e.g.,http://ollama-api:11434)
- Deploy
Note: In Coolify, containers on the same network can communicate using their container/service names. Use the target container name as the hostname in TARGET_URL.
- All requests to the proxy are forwarded to
TARGET_URLwith the same path - Example:
GET /api/users→GET http://target-service:port/api/users - The Bearer token is validated but removed before forwarding to the target service
- Paths are forwarded exactly as received (no rewriting)
All requests must include the Bearer token in the Authorization header:
# Example: Proxying to an API service
curl -H "Authorization: Bearer your-token" \
http://localhost:3000/api/endpoint
# Example: Proxying to Ollama
curl -H "Authorization: Bearer your-token" \
-H "Content-Type: application/json" \
-d '{"model": "llama2", "prompt": "Hello"}' \
http://localhost:3000/api/generateFor browser requests from a different origin, enable CORS:
// Example: Fetch request from browser
fetch('https://your-proxy.com/api/endpoint', {
method: 'POST',
headers: {
'Authorization': 'Bearer your-token',
'Content-Type': 'application/json'
},
body: JSON.stringify({ data: 'example' })
})Required CORS configuration:
CORS_ENABLED=true
CORS_ALLOWED_ORIGINS=https://your-frontend-domain.comGET /proxy/health- Health check (no auth required)*- All other paths are proxied to the target service (requires auth)
TARGET_URL=http://ollama-api:11434
# Access via: https://your-proxy.com/api/generateTARGET_URL=http://api-service:8080
# Access via: https://your-proxy.com/v1/usersTARGET_URL=http://internal-service:3000
# All paths forwarded as-is- Install dependencies:
npm install- Create
.envfile:
PORT=3000
TARGET_URL=http://localhost:8080
BEARER_TOKEN=your-secure-token-here
# Optional: Enable CORS for browser requests
CORS_ENABLED=true
CORS_ALLOWED_ORIGINS=http://localhost:3001,http://localhost:5173- Start the server:
npm start- Always use a strong, randomly generated token in production
- Keep your
BEARER_TOKENsecret and never commit it to version control - The proxy removes the authorization header before forwarding to the target service
- Consider using HTTPS in production (configure in Coolify)
- The target service should not be directly accessible from the internet