Behind a proxy (TLS, etc.)

Warning

If you are running ntfy behind a proxy, you must set the behind-proxy flag. Otherwise, all visitors are rate limited as if they are one.

It may be desirable to run ntfy behind a proxy (e.g. nginx, HAproxy or Apache), so you can provide TLS certificates using Let's Encrypt using certbot, or simply because you'd like to share the ports (80/443) with other services. Whatever your reasons may be, there are a few things to consider.

If you are running ntfy behind a proxy, you should set the behind-proxy flag. This will instruct the rate limiting logic to use the X-Forwarded-For header as the primary identifier for a visitor, as opposed to the remote IP address. If the behind-proxy flag is not set, all visitors will be counted as one, because from the perspective of the ntfy server, they all share the proxy's IP address.

/etc/ntfy/server.yml

# Tell ntfy to use "X-Forwarded-For" to identify visitors
behind-proxy: true

Installation with repository

Basic Configuration

Web Push

Access Control

Users and roles

Access control list (ACL)

Access Tokens

Behind a proxy (TLS, etc.)

TLS/SSL

nginx/Apache2/caddy

Behind a proxy (TLS, etc.)

No Comments