[GH-ISSUE #936] Configuring Ntfy with Nginx as a Reverse Proxy: Seeking Assistance #655

Closed
opened 2026-05-07 00:26:20 +02:00 by BreizhHardware · 6 comments

Originally created by @YezGotIt on GitHub (Nov 1, 2023).
Original GitHub issue: https://github.com/binwiederhier/ntfy/issues/936

Question

How can I configure Ntfy with Nginx as a reverse proxy? I've tried following the documentation on ntfy.sh but haven't been successful.

And one more thing, I added Cloudflare Tunnel access to the notification service from the public.

BreizhHardware closed this issue and added the question label on 2026-05-07 00:26:20 +02:00.

@bear commented on GitHub (Nov 2, 2023):

What part of the current nginx examples are you curious about? Most of what is contained in them are stock nginx items for proxying a web server while terminating SSL with all of the normal production level items covered.

Where are you having trouble? Do you see the ntfy service receiving traffic? I do know that starting the service standalone was more useful for debugging as it allowed me to see the trace and debug logs more easily.


@YezGotIt commented on GitHub (Nov 2, 2023):

This is my setup:

  • Nginx version: nginx/1.24.0
  • Ntfy version: ntfy 2.7.0
  • OS version:
    • Description: Ubuntu 20.04.6 LTS
    • Release: 20.04
    • Codename: focal

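I will attach the nginx [error.log](https://github.com/binwiederhier/ntfy/files/13233730/error.log) file. Here is the nginx configuration file, [default.conf.txt](https://github.com/binwiederhier/ntfy/files/13233752/default.conf.txt)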


@YezGotIt commented on GitHub (Nov 2, 2023):

If I visit the domain...

[Image: error from domain]

This is happening.

If I connect with the localhost IP, such as 10.8.x.x, it works, but not with the actual domain name.
[Image: ss]


@bear commented on GitHub (Nov 4, 2023):

A couple of small items first, for your server port 80, you are only going to redirect so you don't need to have any proxy_pass items in it. Those are really being ignored but it helps to be explicit with nginx configs IMO

If you are redirecting all of your port 80 to 443, you can take advantage of some nginx config items - the following tells nginx that the server block is the default for port 80 and that it matches all server names (that's the _ bit). It also uses a simpler "pass on the rest of the URI" method that avoids all of the args and query param junk

```
server {
    listen 80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}
```

Let me know if you have any questions about this change - it's what I have discovered works well when you get the dreaded too many redirects issue.
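
A stricter variant of the port-80 redirect block in the comment above, as an added example that is not part of the original comment or the ntfy documentation. It shows the difference between `$host` (taken from the request) and `$server_name` (taken from the configuration); `ntfy.example.com` is a placeholder hostname.

```nginx
# Added example. ntfy.example.com is a placeholder, not a name from the thread.

# Catch-all for port 80: any request whose Host header matches no other
# server block lands here. Closing the connection means an arbitrary
# client-supplied Host value is never echoed back in a Location header.
server {
    listen 80 default_server;
    server_name _;
    return 444;   # nginx-specific code: close the connection, send no response
}

# Redirect only the hostname this site actually serves. The target is built
# from $server_name (the name configured below) instead of $host (the name
# the client sent), so the redirect always points at the intended site.
server {
    listen 80;
    server_name ntfy.example.com;
    return 301 https://$server_name$request_uri;
}
```

After changing the blocks, `nginx -t` validates the configuration before a reload.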


@YezGotIt commented on GitHub (Nov 4, 2023):

You can check it here: https://demo.ygi.li/. + Cloudflare tunnel

Here is the configuration:

```
server {
    listen 80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

server {
  listen 443 ssl;
  server_name demo.ygi.li;

  ssl_session_timeout 1d;
  ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
  ssl_session_tickets off;
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
  ssl_prefer_server_ciphers off;

  ssl_certificate /etc/ssl/cert.pem;
  ssl_certificate_key /etc/ssl/key.pem;

  location / {
    proxy_pass http://127.0.0.1:34567;
    proxy_http_version 1.1;

    proxy_set_header Host $host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    proxy_connect_timeout 3m;
    proxy_send_timeout 3m;
    proxy_read_timeout 3m;

    client_max_body_size 0; # Stream request body to backend
  }
}
```

Still same error.


@binwiederhier commented on GitHub (Nov 17, 2023):

Feel free to join the Discord or Matrix chat if you're still experiencing issues.
