Reverse proxy & custom domains
Avibe’s Web UI runs on your machine, listening on 127.0.0.1:5123 by default. The simplest way to reach it from elsewhere is the avibe.bot tunnel. If you’d rather front it yourself — for example with nginx on your own domain — Avibe needs to know it can trust the host your proxy forwards.
Why a plain reverse proxy gets blocked
Avibe checks that each request’s origin matches the address it is actually being served on. That check is what stops a malicious page from forging requests to your local control panel. Since PR #781, Avibe does not trust the X-Forwarded-Host header by default. Unless a request arrives from a proxy you have explicitly registered, Avibe ignores the forwarded host and computes the origin from the direct connection it sees — e.g. http://127.0.0.1:5123.
So if nginx serves https://avibe.example.com but the proxy is not registered, the browser sends avibe.example.com while Avibe still believes it is 127.0.0.1. The two don’t match, and the request is refused:
- state-changing actions return 403 (invalid origin);
- depending on your avibe.bot remote-access configuration, the page load itself may return 503 (host mismatch).
Make it work
Two things are required: register your proxy’s IP as trusted, and forward the right headers.
1. Register the proxy as trusted
Set VIBE_UI_TRUSTED_PROXY_IPS to the address Avibe sees your proxy connecting from — the direct peer, not the browser:
- nginx on the same machine, proxying to Avibe’s loopback listener → 127.0.0.1
- nginx on another host or container → its real IP, or a CIDR range
vibe service runs — your shell profile, service-manager unit, or container env — then restart Avibe. When the value is empty (the default), no proxy is trusted and forwarded hosts are ignored.
A future release may let you set trusted proxies from the Web UI settings instead of an environment variable. Until then, use VIBE_UI_TRUSTED_PROXY_IPS.
2. Forward the headers from nginx
A trusted proxy must pass the browser’s host and scheme through, or Avibe has nothing to trust:proxy_set_header X-Forwarded-Port $server_port;.
Full nginx example
Verify
Restart Avibe, then load the Web UI on your custom domain and sign in. If you still get 403 invalid origin or a 503 host mismatch:
- confirm the browser’s address matches the host nginx forwards ($host);
- confirm the proxy’s real source IP is the one you registered — a malformed value is skipped with an "Ignoring invalid VIBE_UI_TRUSTED_PROXY_IPS entry" warning in Avibe’s logs;
- confirm you restarted Avibe after setting the variable.
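To see which of these checks is failing, it helps to model the decision. The Python below is an added example, not Avibe's code: it reproduces the behaviour this page describes (forwarded host honoured only from a registered peer, malformed entries skipped). The function names, the comma-separated list format, the http fallback when X-Forwarded-Proto is missing, and the sample addresses are assumptions.

```python
import ipaddress
import logging

log = logging.getLogger("origin-model")
LISTEN = "http://127.0.0.1:5123"  # default listener named on this page

def parse_trusted(value):
    """Parse VIBE_UI_TRUSTED_PROXY_IPS into networks (comma-separated: assumed)."""
    nets = []
    for entry in filter(None, (e.strip() for e in value.split(","))):
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            # Malformed entries are skipped, not fatal, as the page describes.
            log.warning("Ignoring invalid VIBE_UI_TRUSTED_PROXY_IPS entry: %s", entry)
    return nets

def effective_origin(peer_ip, headers, trusted):
    """Origin the server believes it is being served on for this request."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted):
        return LISTEN  # unregistered peer: forwarded headers are ignored
    host = headers.get("X-Forwarded-Host")
    if not host:
        return LISTEN  # registered proxy that forwarded nothing
    # Assumption: a missing X-Forwarded-Proto falls back to plain http.
    return f"{headers.get('X-Forwarded-Proto', 'http')}://{host}"

def check(peer_ip, headers, trusted):
    """200 when the browser's Origin matches, else 403 (invalid origin)."""
    ok = headers.get("Origin") == effective_origin(peer_ip, headers, trusted)
    return 200 if ok else 403

# Constructed sample request: browser on https://avibe.example.com via nginx.
REQ = {"Origin": "https://avibe.example.com",
       "X-Forwarded-Host": "avibe.example.com",
       "X-Forwarded-Proto": "https"}

if __name__ == "__main__":
    cases = [("127.0.0.1", ""), ("127.0.0.1", "127.0.0.1"),
             ("10.0.0.7", "10.0.0.0/24, bogus"), ("203.0.113.9", "10.0.0.0/24")]
    for peer, env in cases:
        print(f"peer={peer} trusted={env!r} ->", check(peer, REQ, parse_trusted(env)))
```

The last case is the one the check exists for: a peer outside the registered range sends the same forwarded headers and is still refused.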
Upgrading from before PR #781
This is a breaking change for self-hosted setups that put Avibe behind a reverse proxy on a custom domain. Before PR #781, Avibe accepted X-Forwarded-Host from any source; after it, forwarded hosts are ignored unless the proxy is registered — so an upgrade turns a previously-working custom domain into 403/503 until you migrate.
To migrate:
- Set VIBE_UI_TRUSTED_PROXY_IPS to your proxy’s IP (see above), minding the loopback/tunnel warning.
- Make sure nginx forwards Host, X-Forwarded-Host, and X-Forwarded-Proto.
- Restart Avibe.
vibe remote) is unaffected and needs no changes — it authenticates its own public origin and does not rely on X-Forwarded-Host.