services/nginx-auth-service.md
Nginx Auth Service + Self-Hosted Apps
Auth gateway and reverse proxy for self-hosted web apps. Lives at ~/Work/services/nginx-auth-service.
Architecture
```mermaid
graph TD
    Client["Browser<br/>(HTTPS)"] --> Nginx["nginx<br/>192.168.1.185"]
    Nginx --> Auth["auth-service<br/>auth_request"]
    Nginx --> MacStudio["Mac Studio<br/>192.168.1.189"]
    MacStudio --> Pi["pi-webui<br/>:49998"]
    MacStudio --> Max["max.dph.am<br/>OpenClaw :18789"]
    MacStudio --> Rsx["rsx.dph.am<br/>Reasonix :49999"]
    MacStudio --> Term["term.dph.am<br/>ttyd :8089"]
    style Client fill:#2d5a27,color:#fff
    style Nginx fill:#1a4a7a,color:#fff
    style Auth fill:#6b3fa0,color:#fff
    style MacStudio fill:#8b4513,color:#fff
```
All backends run on the Mac Studio (192.168.1.189).
Apps behind the proxy
| Domain | Backend Port | Description |
|---|---|---|
| `pi.dph.am` | 49998 | Pi coding agent web UI |
| `max.dph.am` | 18789 | OpenClaw Control UI (gateway auth mode: trusted-proxy) |
| `rsx.dph.am` | 49999 | Reasonix coding agent dashboard |
| `term.dph.am` | 8089 | ttyd — browser-based terminal |
Auth Service
Project: ~/Work/services/nginx-auth-service
Provides an authentication layer that nginx checks via auth_request before proxying to any backend. Keeps self-hosted tools behind a login wall.
How it works
- nginx receives a request for `*.dph.am`
- Before proxying, nginx sends a sub-request to the auth service endpoint
- Auth service validates session/cookie/token
- If valid: nginx stamps `X-Forwarded-User` header and proxies to backend
- If invalid: redirects to login page or returns 401
OpenClaw trust
OpenClaw runs in trusted-proxy auth mode — it only trusts X-Forwarded-User if it comes from the nginx proxy at 192.168.1.185. This means:
- Access through `max.dph.am` is seamless (nginx auth + header = auto-authed)
- Direct LAN access to OpenClaw's port requires a token
- `trusted-proxy` locks out loopback CLI commands — local `openclaw cron list` won't work without switching auth mode
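
The `auth_request` flow from "How it works" and the header trust described under "OpenClaw trust", written out as an nginx server block. This is an added example, not the project's actual configuration: the auth service address and `/verify` endpoint, the `X-Auth-User` response header, the `auth.dph.am` login URL and the certificate paths are assumptions; the domain and backend address are the ones listed above.

```nginx
# Added example, not the project's config. Assumed (hypothetical) values:
# auth service at 127.0.0.1:9000 with a /verify endpoint that answers
# 2xx or 401 and returns the user in an X-Auth-User response header,
# a login page at https://auth.dph.am/login, and the certificate paths.
server {
    listen 443 ssl;
    server_name max.dph.am;

    ssl_certificate     /etc/nginx/certs/dph.am.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/certs/dph.am.key;   # placeholder path

    location / {
        # Sub-request first; the main request proceeds only on a 2xx.
        auth_request /_auth;

        # Copy the identity from the auth service's response header.
        auth_request_set $auth_user $upstream_http_x_auth_user;

        # Overwrite X-Forwarded-User on every request, so a value sent by
        # the client never reaches the backend that trusts this header.
        proxy_set_header X-Forwarded-User $auth_user;
        proxy_set_header Host $host;

        proxy_pass http://192.168.1.189:18789;   # OpenClaw backend
    }

    location = /_auth {
        internal;                                # not reachable by clients
        proxy_pass http://127.0.0.1:9000/verify; # assumed endpoint
        proxy_pass_request_body off;             # the check needs headers only
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }

    # A 401 from the sub-request becomes a redirect to the login page.
    error_page 401 = @login;
    location @login {
        return 302 https://auth.dph.am/login?rd=$scheme://$host$request_uri;
    }
}
```

This check applies only to requests that pass through nginx. The backends on this page bind to 0.0.0.0, so a direct LAN connection to a backend port does not go through it (OpenClaw requires a token in that case, as noted above).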
pi.dph.am
Serves pi-webui — a web-based UI for the Pi coding agent.
Backend config
| Detail | Value |
|---|---|
| Host | Mac Studio (192.168.1.189) |
| Port | 49998 |
| Bind | 0.0.0.0 (via PI_WEBUI_HOST / PI_WEBUI_PORT env vars) |
| Auth | nginx auth service (same login wall as other apps) |
For full Pi web UI + MCP adapter setup, see AI/pi-coding-agent.md.
rsx.dph.am
Serves Reasonix — a coding agent with its own dashboard UI.
Startup command
```sh
npx reasonix code --dashboard-host 0.0.0.0 --dashboard-port 49999 -n
```

- Runs on the Mac Studio (192.168.1.189), port 49999
- `-n` flag runs it non-interactively (daemon/background mode)
- nginx proxies `rsx.dph.am` → backend 192.168.1.189:49999
Backend config
| Detail | Value |
|---|---|
| Host | Mac Studio (192.168.1.189) |
| Port | 49999 |
| Dashboard | 0.0.0.0 (via --dashboard-host / --dashboard-port) |
| Auth | nginx auth service (same login wall as other apps) |