add caddy and nginx configs for self-hosted #43291

Merged
aantti merged 7 commits into master from self-hosted/add-proxy-conf on Mar 3, 2026

@aantti aantti commented Mar 2, 2026

I have read the CONTRIBUTING.md file.

YES

What kind of change does this PR introduce?

  • Add Docker Compose overlays to start Caddy or Nginx on top of Kong
  • Add Caddy and Nginx configuration files
  • Add placeholder variables to .env.example

@aantti aantti self-assigned this Mar 2, 2026
@aantti aantti added the self-hosted Related to self-hosted Supabase label Mar 2, 2026

vercel bot commented Mar 2, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| docs | Ready | Preview, Comment, Open in v0 | Mar 2, 2026 6:14pm |
| studio-self-hosted | Ready | Preview, Comment | Mar 2, 2026 6:14pm |
| studio-staging | Ready | Preview, Comment | Mar 2, 2026 6:14pm |
| zone-www-dot-com | Ready | Preview, Comment, Open in v0 | Mar 2, 2026 6:14pm |

5 Skipped Deployments

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| cms | Ignored | | Mar 2, 2026 6:14pm |
| studio | Ignored | | Mar 2, 2026 6:14pm |
| design-system | Skipped | | Mar 2, 2026 6:14pm |
| learn | Skipped | | Mar 2, 2026 6:14pm |
| ui-library | Skipped | | Mar 2, 2026 6:14pm |

supabase bot commented Mar 2, 2026

This pull request has been ignored for the connected project xguihxuzqibwxjnimxev because there are no changes detected in supabase directory. You can change this behaviour in Project Integrations Settings ↗︎.


Preview Branches by Supabase.
Learn more about Supabase Branching ↗︎.

coderabbitai bot commented Mar 2, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: Central YAML (base), Repository UI (inherited), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Cache: Disabled due to Reviews > Disable Cache setting

Disabled knowledge base sources:

  • Linear integration is disabled

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between a11fa32 and 0ead72c.

📒 Files selected for processing (1)
  • docker/volumes/proxy/nginx/supabase-nginx.conf.tpl

📝 Walkthrough

Summary by CodeRabbit

  • New Features

    • Added optional reverse-proxy deployment with automated HTTPS support, including Docker Compose presets for Caddy and Nginx.
    • Included proxy templates to route API, realtime, functions, storage, and dashboard traffic with authentication and health-aware orchestration.
  • Documentation

    • Added environment example keys for PROXY_DOMAIN and CERTBOT_EMAIL and notes for proxy/dashboard credentials, CORS, and header handling for storage compatibility.

Walkthrough

Adds optional reverse-proxy support for Docker deployments via new Caddy and Nginx compose files, proxy configuration templates, and env example entries. Introduces PROXY_DOMAIN and CERTBOT_EMAIL in docker/.env.example. New compose files run Caddy or an nginx+certbot image dependent on kong's health, persist TLS/config volumes, and hash dashboard credentials at startup. New proxy configs route API paths to kong, storage paths to storage (with CORS/preflight handling and X-Forwarded-Prefix), and dashboard requests to studio behind basic auth. No application logic or public APIs were changed.

Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant Client
    participant Proxy as Caddy/Nginx
    participant Kong
    participant Storage
    participant Studio
    participant LetsEncrypt as "Let's Encrypt / Certbot"

    Client->>Proxy: TLS handshake / HTTPS request
    Proxy->>LetsEncrypt: Obtain/renew certs (ACME) -- async/setup-->
    alt Request to API paths (/auth,/rest,/graphql,/functions,/mcp,/realtime)
        Proxy->>Kong: Reverse proxy to kong:8000
        Kong-->>Proxy: Response
        Proxy-->>Client: Forward response
    else Request to storage (/storage/v1)
        alt OPTIONS (preflight)
            Proxy->>Client: Respond with CORS headers
        else Other methods
            Proxy->>Storage: Reverse proxy to storage:5000 (add X-Forwarded-Prefix)
            Storage-->>Proxy: Response
            Proxy-->>Client: Forward response (with CORS headers)
        end
    else Request to dashboard root (/ or default)
        Client->>Proxy: Request with Basic Auth
        Proxy->>Proxy: Validate basic_auth (hashed password)
        Proxy->>Studio: Reverse proxy to studio:3000
        Studio-->>Proxy: Response
        Proxy-->>Client: Forward response
    end
```

@aantti aantti marked this pull request as ready for review March 2, 2026 16:10
@aantti aantti requested review from a team as code owners March 2, 2026 16:10
@aantti aantti enabled auto-merge (squash) March 2, 2026 16:10

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docker/docker-compose.nginx.yml`:
- Line 25: The openssl passwd invocation uses an unquoted environment variable
so PASSWORDs with spaces/special chars get word-split; update the command that
writes to /etc/nginx/user_conf.d/dashboard-passwd to quote PROXY_AUTH_PASSWORD
(e.g., use "$${PROXY_AUTH_PASSWORD}" in the openssl passwd -apr1 call) so
openssl receives the password as a single argument when generating the hash.

ℹ️ Review info

Configuration used: Central YAML (base), Repository UI (inherited), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Cache: Disabled due to Reviews > Disable Cache setting

Disabled knowledge base sources:

  • Linear integration is disabled

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between b03866f and 40fecf2.

📒 Files selected for processing (5)
  • docker/.env.example
  • docker/docker-compose.caddy.yml
  • docker/docker-compose.nginx.yml
  • docker/volumes/proxy/caddy/Caddyfile
  • docker/volumes/proxy/nginx/supabase-nginx.conf.tpl
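
The word-splitting problem described in the review comment above, as an added example (not code from the PR or from CodeRabbit): the function names, the fixed salt and the sample passphrase are constructed for illustration. In a Compose file `$$` escapes to a literal `$`, so the container shell is what expands `${PROXY_AUTH_PASSWORD}` and applies these rules.

```shell
#!/bin/sh
# Added illustration, not code from the PR. Sample passwords are constructed.

# Stand-in for any command: prints how many arguments it actually received.
argc() { echo "$#"; }

# Unquoted expansion: the shell word-splits (and glob-expands) the value first.
# An empty value expands to zero arguments.
unquoted_argc() { pw=$1; argc ${pw}; }

# Quoted expansion: the value always arrives as exactly one argument.
quoted_argc() { pw=$1; argc "${pw}"; }

# openssl passwd hashes each password argument separately, one hash per line.
# A fixed salt (constructed, for this demo only) makes outputs comparable.
SALT=abcdefgh
hash_unquoted() { pw=$1; openssl passwd -apr1 -salt "$SALT" ${pw}; }
hash_quoted()   { pw=$1; openssl passwd -apr1 -salt "$SALT" "${pw}"; }

demo() {
  pw='correct horse battery'
  echo "unquoted: $(unquoted_argc "$pw") argument(s)"
  echo "quoted:   $(quoted_argc "$pw") argument(s)"
  if command -v openssl >/dev/null 2>&1; then
    # The first hash of the unquoted call is that of "correct" alone,
    # not of the full passphrase the operator configured.
    echo "unquoted   -> $(hash_unquoted "$pw" | head -n 1)"
    echo "first word -> $(hash_quoted correct)"
    echo "quoted     -> $(hash_quoted "$pw")"
  fi
}
demo
```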

@Moses-main

Hi team,

I'll add Caddy and Nginx configs for self-hosted. This will help users deploy easier.

Please assign!

@aantti aantti merged commit 9979997 into master Mar 3, 2026
32 of 33 checks passed
@aantti aantti deleted the self-hosted/add-proxy-conf branch March 3, 2026 13:04

github-actions bot commented Mar 3, 2026

Braintrust eval report

Assistant (master-1772543192)

| Score | Average | Improvements | Regressions |
| --- | --- | --- | --- |
| SQL Identifier Quoting | 92.9% (-7.000000000000001pp) | - | 1 🔴 |
| SQL Validity | 92.9% (-7.000000000000001pp) | - | 1 🔴 |
| Tool Usage | 97% (-3pp) | - | 1 🔴 |
| Completeness | 94.3% (0pp) | 1 🟢 | 2 🔴 |
| Conciseness | 0% (+0pp) | - | - |
| Goal Completion | 90% (-6pp) | 1 🟢 | 3 🔴 |
| Correctness | 83.3% (-12pp) | - | 2 🔴 |
| Docs Faithfulness | 63.9% (+6pp) | 2 🟢 | - |
| URL Validity | 100% (+8pp) | - | - |
| Time_to_first_token | 0.43tok (+0.24tok) | - | 12 🔴 |
| Llm_calls | 8.42 (+0.08) | 4 🟢 | 5 🔴 |
| Tool_calls | 3.22 (-0.03) | 3 🟢 | 5 🔴 |
| Errors | 0 (+0) | - | - |
| Llm_errors | 0 (+0) | - | - |
| Tool_errors | 0 (+0) | - | - |
| Prompt_tokens | 50993.44tok (+1674.5tok) | 5 🟢 | 7 🔴 |
| Prompt_cached_tokens | 26368tok (+753.78tok) | 5 🟢 | 6 🔴 |
| Prompt_cache_creation_tokens | 0tok (+0tok) | - | - |
| Completion_tokens | 2771.64tok (-252.86tok) | 9 🟢 | 3 🔴 |
| Completion_reasoning_tokens | 2017.78tok (-227.56tok) | 10 🟢 | 2 🔴 |
| Completion_accepted_prediction_tokens | 0tok (+0tok) | - | - |
| Completion_rejected_prediction_tokens | 0tok (+0tok) | - | - |
| Completion_audio_tokens | 0tok (+0tok) | - | - |
| Total_tokens | 53765.08tok (+1421.64tok) | 6 🟢 | 6 🔴 |
| Estimated_cost | 0.01$ (0$) | 5 🟢 | 6 🔴 |
| Duration | 44.22s (-10.71s) | 11 🟢 | 1 🔴 |
| Llm_duration | 86.3s (-21.93s) | 11 🟢 | 1 🔴 |

ChrisChinchilla added a commit that referenced this pull request Mar 3, 2026
## I have read the
[CONTRIBUTING.md](https://github.com/supabase/supabase/blob/master/CONTRIBUTING.md)
file.

YES

## What kind of change does this PR introduce?

- Add a new how-to guide covering PR #43291
- Explain how to use an https proxy on top of [self-hosted
Supabase](https://supabase.com/docs/guides/self-hosting) API gateway
(Kong)

---------

Co-authored-by: Chris Chinchilla <chris.ward@supabase.io>