This nginx reverse proxy is the only public entry point for all My Nethesis services. Backend, collect, and frontend are private services (pserv) accessible only via this proxy on Render's internal network.
- Production: my.nethesis.it
- QA: qa.my.nethesis.it
```text
my.nethesis.it (Production)
├── / → Frontend Service (private, HTTP :10000)
├── /backend/api/ → Backend Service (private, HTTP :10000)
└── /collect/api/ → Collect Service (private, HTTP :10000)

qa.my.nethesis.it (QA)
├── / → Frontend Service (private, HTTP :10000)
├── /backend/api/ → Backend Service (private, HTTP :10000)
└── /collect/api/ → Collect Service (private, HTTP :10000)
```
All inter-service communication uses HTTP over Render's internal network. The proxy handles TLS termination for external clients.
Add these CNAME records in your DNS provider:
```text
# Production
my.nethesis.it       CNAME  my-proxy-prod.onrender.com

# QA
qa.my.nethesis.it    CNAME  my-proxy-qa.onrender.com
```
1. Go to the Render Dashboard.
2. Production Proxy Service (my-proxy-prod): Settings → Custom Domains
   - Add my.nethesis.it
   - Wait for SSL certificate provisioning
3. QA Proxy Service (my-proxy-qa): Settings → Custom Domains
   - Add qa.my.nethesis.it
   - Wait for SSL certificate provisioning

Only the two proxy services get custom domains; the backend, collect, and frontend services stay private and are never exposed directly.
- X-Frame-Options: SAMEORIGIN
- X-Content-Type-Options: nosniff
- X-XSS-Protection: 1; mode=block
- Referrer-Policy: strict-origin-when-cross-origin
- Gzip compression enabled
- Proper caching headers
- Connection pooling to upstream services
- Health check endpoint at /health
- Structured access logging
- Error logging with proper levels

Note that X-XSS-Protection is a legacy header: current browsers ignore it (Chrome removed its XSS auditor, Firefox never implemented one), so it adds no protection on its own. A Content-Security-Policy header is the current browser-side control for XSS; the other three headers above are still effective.
The proxy receives service hostnames from Render's fromService mechanism and routes traffic to private services via HTTP on port 10000.
The entrypoint script extracts the DNS resolver from /etc/resolv.conf to resolve internal Render hostnames. This is required because private services are not accessible via public DNS.
The first three are set automatically by Render (via fromService); RESOLVER is set by the entrypoint script:

- BACKEND_SERVICE_NAME - Internal hostname of the backend service
- COLLECT_SERVICE_NAME - Internal hostname of the collect service
- FRONTEND_SERVICE_NAME - Internal hostname of the frontend service
- RESOLVER - DNS resolver extracted from /etc/resolv.conf
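The following entrypoint script is an added example, not the project's own entrypoint or nginx.conf. It ties together the two mechanisms described above: it pulls the first nameserver out of /etc/resolv.conf (wrapping IPv6 addresses in brackets, as nginx's `resolver` directive requires) and renders an nginx.conf that routes `/`, `/backend/api/` and `/collect/api/` to the three private services on port 10000, resolving their internal hostnames at request time. The listen port 10000, the `valid=30s` resolver TTL, the `start` argument, and forwarding the request path unchanged to the upstream are assumptions; adjust them to the real service.

```shell
#!/bin/sh
# Added example, not the project's entrypoint. Builds an nginx.conf for the
# reverse proxy from the resolver in /etc/resolv.conf and the service
# hostnames Render injects. Listen port 10000, valid=30s, the "start"
# argument and unchanged upstream paths are assumptions.
set -eu

# First nameserver in a resolv.conf-style file, in the form nginx's
# "resolver" directive accepts (IPv6 addresses need square brackets).
# Fails loudly if the file has no nameserver line at all.
extract_resolver() {
  ns=$(awk '$1 == "nameserver" { print $2; exit }' "$1")
  [ -n "$ns" ] || { echo "no nameserver found in $1" >&2; return 1; }
  case "$ns" in
    *:*) echo "[$ns]" ;;
    *)   echo "$ns" ;;
  esac
}

# Write an nginx.conf to stdout.
# $1 resolver, $2 backend host, $3 collect host, $4 frontend host
render_nginx_conf() {
  cat <<EOF
worker_processes auto;
events { worker_connections 1024; }
http {
    # Re-resolve internal names every 30s instead of once at startup, so a
    # redeployed private service with a new address keeps working.
    resolver $1 valid=30s;
    resolver_timeout 5s;

    gzip on;
    gzip_types text/plain text/css application/json application/javascript;

    server {
        listen 10000;
        server_name _;

        # Security headers set once at server level. A location with its own
        # add_header would silently drop these, so the locations add none.
        add_header X-Frame-Options SAMEORIGIN always;
        add_header X-Content-Type-Options nosniff always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Referrer-Policy strict-origin-when-cross-origin always;

        proxy_http_version 1.1;
        proxy_connect_timeout 30s;
        proxy_read_timeout 30s;
        proxy_send_timeout 30s;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;

        location = /health {
            default_type text/plain;
            return 200 "ok\n";
        }

        # proxy_pass with a variable forces a runtime lookup through the
        # resolver above; the request path is forwarded unchanged.
        location /backend/api/ {
            set \$backend_upstream http://$2:10000;
            proxy_pass \$backend_upstream;
        }
        location /collect/api/ {
            set \$collect_upstream http://$3:10000;
            proxy_pass \$collect_upstream;
        }
        location / {
            set \$frontend_upstream http://$4:10000;
            proxy_pass \$frontend_upstream;
        }
    }
}
EOF
}

main() {
  RESOLVER=$(extract_resolver /etc/resolv.conf)
  export RESOLVER
  render_nginx_conf "$RESOLVER" "$BACKEND_SERVICE_NAME" \
    "$COLLECT_SERVICE_NAME" "$FRONTEND_SERVICE_NAME" > /etc/nginx/nginx.conf
  nginx -t
  exec nginx -g 'daemon off;'
}

# Only generate the config and start nginx when run as the container
# entrypoint ("entrypoint.sh start"); sourcing the file just defines helpers.
if [ "${1:-}" = "start" ]; then main; fi
```

The `nginx -t` step is worth keeping in the real entrypoint: a typo in a hostname or a missing variable otherwise surfaces only as 502s after deploy, whereas a failed config test stops the container at startup.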
```shell
# Production
curl https://my.nethesis.it/health
curl https://my.nethesis.it/backend/api/health
curl https://my.nethesis.it/collect/api/health

# QA
curl https://qa.my.nethesis.it/health
curl https://qa.my.nethesis.it/backend/api/health
curl https://qa.my.nethesis.it/collect/api/health
```

```shell
# Backend API (requires authentication)
curl -X POST https://my.nethesis.it/backend/api/auth/exchange \
  -H "Content-Type: application/json" \
  -d '{"access_token": "your-logto-token"}'

# Collect API (requires basic auth); curl builds the
# "Authorization: Basic <base64(system_id:secret)>" header from -u
curl -X POST https://my.nethesis.it/collect/api/systems/inventory \
  -H "Content-Type: application/json" \
  -u "system_id:secret" \
  -d '{"hostname": "test", "data": {}}'
```

- Backend, collect, and frontend are private services, not accessible from the internet
- All inter-service communication uses HTTP over Render's internal network
- TLS termination happens at the proxy level for external clients
- Security headers added to all responses
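The health checks above only confirm that each route answers; they say nothing about whether the security headers listed earlier actually reach the client. The script below is an added example (not part of this repository) that fetches each health endpoint of the hostnames given on its command line and fails if the status is not 200 or any of the four headers is missing or has a different value. It uses a GET with `-D -` rather than `curl -I`, because some backends reject HEAD; the path list and the 10-second timeout are assumptions.

```shell
#!/bin/sh
# Added example, not from the project: verify that a deployed proxy returns
# the documented security headers and that each health endpoint is 200.
# Usage: sh check-proxy.sh https://my.nethesis.it https://qa.my.nethesis.it
set -eu

# HTTP status code from a raw header dump ("HTTP/2 200" or "HTTP/1.1 200 OK").
status_code() {
  printf '%s\n' "$1" | tr -d '\r' | awk 'NR == 1 { print $2; exit }'
}

# Check a raw header dump (as printed by curl -D -) for every required
# header. Header names are case-insensitive, values must match exactly.
# Prints each missing or wrong header and returns 1 if any.
check_security_headers() {
  headers="$1"
  missing=0
  for pair in \
      'x-frame-options:SAMEORIGIN' \
      'x-content-type-options:nosniff' \
      'x-xss-protection:1; mode=block' \
      'referrer-policy:strict-origin-when-cross-origin'
  do
    name=${pair%%:*}
    want=${pair#*:}
    got=$(printf '%s\n' "$headers" | tr -d '\r' | awk -v n="$name" '
      { h = tolower($1); sub(/:$/, "", h)
        if (h == n) { sub(/^[^:]*:[ \t]*/, ""); print; exit } }')
    if [ "$got" != "$want" ]; then
      echo "missing or wrong: $name (got '${got:-<none>}', want '$want')"
      missing=1
    fi
  done
  return $missing
}

# Fetch one URL and apply both checks. Assumed timeout: 10 seconds.
check_endpoint() {
  url="$1"
  hdrs=$(curl -sS -D - -o /dev/null --max-time 10 "$url")
  code=$(status_code "$hdrs")
  if [ "$code" != "200" ]; then
    echo "$url: HTTP $code"
    return 1
  fi
  check_security_headers "$hdrs" || { echo "$url: header check failed"; return 1; }
  echo "$url: OK"
}

if [ $# -gt 0 ]; then
  rc=0
  for base in "$@"; do
    for path in /health /backend/api/health /collect/api/health; do
      check_endpoint "$base$path" || rc=1
    done
  done
  exit $rc
fi
```

Running this against both environments after every proxy deploy catches the common regression where a new `add_header` inside a location silently drops the server-level headers for that route.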
Current configuration supports:
- 1024 concurrent connections
- 30-second timeouts
- Gzip compression for text content
- HTTP/1.1 keep-alive connections