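Reverse Proxy
In production, the PocketBase process is usually bound to an internal port (e.g. 127.0.0.1:8090), with a reverse proxy (Nginx/Caddy) in front of it providing HTTPS, compression, rate limiting and logging to the outside.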
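Why a reverse proxy is needed
- HTTPS: TLS certificates and automatic renewal
- Unified domain names: api.example.com, admin.example.com
- WebSocket: configuration compatible with Realtime/SSE
- Uploads and timeouts: large file uploads, long-lived connections
- Security headers: CSP / HSTS / access control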
Recommended domain split (clearer)
- api.example.com → PocketBase API (public-facing)
- admin.example.com → PocketBase Admin UI (optional separate subdomain)

The PocketBase process listens on the local machine only:

```bash
./pocketbase serve --http=127.0.0.1:8090
```

Nginx example
```nginx
server {
    listen 80;
    server_name api.example.com;

    location / {
        proxy_pass http://127.0.0.1:8090;
        proxy_http_version 1.1;

        # WebSocket / Realtime
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Standard headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Large uploads
        client_max_body_size 100m;

        # Timeouts (Realtime / long polling)
        proxy_read_timeout 3600;
        proxy_send_timeout 3600;
    }
}
```

Caddy example (less hassle)
```
api.example.com {
    reverse_proxy 127.0.0.1:8090
}
```

If you use the Cloudflare proxy, confirm that:
- The SSL/TLS mode is Full (Strict)
- Ports 443/80 remain reachable (for certificates and health checks)
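
The reasons listed at the top of the page that the Nginx example does not show (HTTPS, rate limiting, security headers, access control), applied to that same server block. This is an added example, not from the original page or the PocketBase project; the zone name `pb_api`, the rate values, the certificate paths, the `203.0.113.0/24` allowlist and the `/_/` Admin UI path are assumptions.

```nginx
# Added example. Zone name, rates, certificate paths and the allowlisted
# range are assumptions/placeholders, not values from the page.
# http{} context: per-client-IP request rate limit.
limit_req_zone $binary_remote_addr zone=pb_api:10m rate=20r/s;

server {
    listen 80;
    server_name api.example.com;
    return 301 https://$host$request_uri;   # force HTTPS
}

server {
    listen 443 ssl;
    server_name api.example.com;
    ssl_certificate     /path/to/fullchain.pem;   # placeholder
    ssl_certificate_key /path/to/privkey.pem;     # placeholder
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Security headers; "always" also covers error responses.
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header X-Content-Type-Options "nosniff" always;

    client_max_body_size 100m;

    # Proxy settings from the page's example, set once at server level.
    # Both locations inherit them because neither sets proxy_set_header.
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_read_timeout 3600;
    proxy_send_timeout 3600;

    # Access control: assumes PocketBase serves its Admin UI under /_/.
    # This hides the UI only; its API calls still go through /api/.
    location /_/ {
        allow 203.0.113.0/24;   # constructed documentation range
        deny  all;
        proxy_pass http://127.0.0.1:8090;
    }

    location / {
        limit_req zone=pb_api burst=40 nodelay;
        limit_req_status 429;
        proxy_pass http://127.0.0.1:8090;
    }
}
```

Behind Cloudflare, `$binary_remote_addr` and the `allow` rule see the Cloudflare edge address unless the client address is restored first, for example with Nginx's realip module.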