Skip to content
Odeion

Reverse Proxy

Odeion’s HTTP server does not handle TLS itself. If you want to use the mobile apps, TV apps, or the device linking feature, you need a reverse proxy that terminates SSL and forwards traffic to Odeion over plain HTTP.

The web interface works over plain HTTP for local access, but all client apps require HTTPS to connect. The device linking service at link.odeion.app also redirects users to your server’s base URL, which must be publicly reachable over HTTPS for the redirect to work.

Caddy

Section titled “Caddy”

Caddy is the simplest option because it obtains and renews TLS certificates automatically via Let’s Encrypt. Create a Caddyfile:

odeion.example.com {
    reverse_proxy localhost:8080
}

Start Caddy and it will handle certificate issuance on its own. No further TLS configuration is needed.

nginx

Section titled “nginx”

An nginx configuration with manually provisioned certificates (for example, via certbot):

Drop this into /etc/nginx/conf.d/odeion.conf (or sites-available/odeion on Debian/Ubuntu):

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}


server {
    listen 443 ssl http2;
    server_name odeion.example.com;


    ssl_certificate     /etc/letsencrypt/live/odeion.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/odeion.example.com/privkey.pem;


    client_max_body_size 0;


    location / {
        proxy_pass http://localhost:8080;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_buffering off;
        proxy_read_timeout 3600s;
    }
}

client_max_body_size 0 disables the upload size limit (needed for backup uploads). proxy_buffering off prevents nginx from buffering streaming responses (needed for server-sent events). The Upgrade/Connection headers with proxy_http_version 1.1 are required for the Watch Together feature, which uses WebSockets — nginx strips these hop-by-hop headers by default. proxy_read_timeout 3600s prevents nginx from closing idle WebSocket and SSE connections.

Traefik

Section titled “Traefik”

If you use Traefik as your reverse proxy, add labels to the Odeion service in your docker-compose.yml:

services:
  odeion:
    # ... existing config ...
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.odeion.rule=Host(`odeion.example.com`)"
      - "traefik.http.routers.odeion.entrypoints=websecure"
      - "traefik.http.routers.odeion.tls.certresolver=letsencrypt"
      - "traefik.http.services.odeion.loadbalancer.server.port=8080"

After Setup

Section titled “After Setup”

Once your reverse proxy is working, update the base URL in the admin settings (or during the setup wizard) to your public HTTPS URL, for example https://odeion.example.com. This ensures device linking and app connections route to the correct address.