
Secure Proxy

Secure Reverse Proxy with TLS and Authentication

The SecureProxy is an integrated reverse proxy that securely exposes internal HTTP services — with TLS, authentication and rate limiting.

Overview

The SecureProxy acts as a reverse proxy between external clients and internal backend services. It provides TLS termination, access control and rate limiting in an integrated solution.

Use Cases
  • API Gateway — Expose the ELONIQ API over HTTPS with API key authentication.
  • Webhook Receiver — Securely accept incoming webhooks and forward them to internal services.
  • Service Proxy — Expose internal services (e.g. database API, monitoring) via a secured endpoint.

Features

  • TLS termination — Automatic TLS via Let's Encrypt, manual certificate or no TLS.
  • API key authentication — Access control via named API keys in the X-API-Key header.
  • IP whitelist — Restrict access to specific IP ranges (CIDR).
  • Combined authentication — Require both API key and IP whitelist simultaneously.
  • Rate limiting — Limit requests per IP per minute to protect against overload.
  • Path-based routing — Route different URL paths to different backend services.
  • Path stripping — The matched path prefix is removed when forwarding.
  • Header forwarding — X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Proto are set automatically.
  • Request logging — Detailed logging of all proxy requests.

Usage

  1. Open component — Navigate to Components > SecureProxy in AdminUI.
  2. Enable proxy — Set enabled to true and choose the listen address.
  3. Configure TLS — Choose the TLS mode: auto for Let's Encrypt, manual for your own certificate, or none to disable TLS.
  4. Set up authentication — Choose the auth mode and configure API keys and/or IP whitelist.
  5. Create proxy rules — Define a rule for each backend service with path prefix and target URL.
  6. Enable rate limiting — Optionally set a request limit per minute per client.
  7. Start proxy — Save configuration and start the proxy.

Best Practices

  • Auto TLS in production — Use auto mode with Let's Encrypt for automatic certificate management.
  • Rotate API keys — Create named API keys and rotate them regularly.
  • Add IP whitelist — Combine API key with IP whitelist (mode "both") for maximum security.
  • Enable rate limiting — Set a rate limit to prevent abuse.
  • Only expose needed paths — Create proxy rules only for the backend services that are actually needed.
  • Check logs — Monitor proxy logs for unusual access patterns.

Examples

1. Secure API with Let's Encrypt

Listen: :443
TLS: auto
Domain: api.company.com
Auth: apikey
API Keys:
  - Name: erp-system, Key: xxx
  - Name: mobile-app, Key: yyy
Rules:
  - /api → http://localhost:8080

2. Internal Service with IP Whitelist

Listen: :8443
TLS: none
Auth: whitelist
Whitelist: 10.0.0.0/8, 192.168.1.0/24
Rules:
  - /internal → http://localhost:9090

3. Combined Security (API Key + IP)

Listen: :443
TLS: manual
Cert: /etc/ssl/certs/proxy.crt
Key: /etc/ssl/private/proxy.key
Auth: both
Rate Limit: 100 req/min
Rules:
  - /webhook → http://localhost:8080/api/webhook
  - /status → http://localhost:8080/api/status
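
The following Python sketch models how the three auth modes and the path-stripping rules above combine into one allow/deny decision and one backend URL. It is an added example, not ELONIQ code. The function names are hypothetical, the sample values are constructed from the examples above, and it assumes the whitelist is checked against the connection's peer address and that a prefix matches only on a path-segment boundary, longest prefix first.

```python
import hmac
import ipaddress

# Constructed sample values modelled on examples 1-3 (not real credentials).
API_KEYS = {"erp-system": "xxx", "mobile-app": "yyy"}
WHITELIST = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.1.0/24")]
RULES = {"/webhook": "http://localhost:8080/api/webhook",
         "/status": "http://localhost:8080/api/status"}


def key_name(presented):
    """Return the name of the API key matching the X-API-Key value, or None."""
    if not presented:
        return None
    match = None
    for name, key in API_KEYS.items():
        # Constant-time comparison; every key is checked so timing does not
        # reveal which entry matched.
        if hmac.compare_digest(presented.encode(), key.encode()):
            match = name
    return match


def ip_allowed(peer_ip):
    """True if the peer address falls inside any whitelisted CIDR range."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in WHITELIST)


def authorize(mode, peer_ip, presented_key):
    """Decide access for the auth modes 'apikey', 'whitelist' and 'both'."""
    key_ok = key_name(presented_key) is not None
    ip_ok = ip_allowed(peer_ip)
    if mode == "apikey":
        return key_ok
    if mode == "whitelist":
        return ip_ok
    if mode == "both":
        return key_ok and ip_ok
    return False  # unknown mode: fail closed


def forward_url(path):
    """Map a request path to its backend URL, stripping the matched prefix."""
    # Assumption: longest prefix wins and matches only on a segment boundary.
    for prefix in sorted(RULES, key=len, reverse=True):
        if path == prefix or path.startswith(prefix + "/"):
            return RULES[prefix] + path[len(prefix):]
    return None  # no rule for this path: nothing is exposed
```

Naming each key, as the examples do, lets a log line record which client authenticated without writing the key itself.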