Reverse Proxy Setup
Fabricator includes a built-in operator login, but it still serves plain HTTP by itself. Use a reverse proxy for HTTPS, hostname routing, and any additional access controls such as SSO, basic auth, IP allowlists, VPN-only access, or rate limiting.
Recommended binding
Section titled “Recommended binding”Keep Fabricator on loopback when the proxy runs on the same host.
Native install:
HOST=127.0.0.1PORT=5000FABRICATOR_SESSION_COOKIE_SECURE=1Then restart:
sudo systemctl restart fabricatorDocker compose already uses a loopback-only host mapping by default:
ports: - "127.0.0.1:5000:5000"Keep HOST=0.0.0.0 inside the container; the host-side mapping is what restricts exposure.
nginx example
Section titled “nginx example”server { listen 80; server_name fabricator.example.com;
location / { proxy_pass http://127.0.0.1:5000; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; }}Add TLS with Certbot, your platform’s certificate automation, or a provider such as Cloudflare.
Caddy example
Section titled “Caddy example”fabricator.example.com { reverse_proxy 127.0.0.1:5000}Caddy automatically provisions TLS when DNS points to the host.
Authentication and cookies
Section titled “Authentication and cookies”- Complete Fabricator’s first-boot setup before exposing the hostname to untrusted clients, or preconfigure
FABRICATOR_AUTH_PASSWORD_HASH. - Set
FABRICATOR_SESSION_COOKIE_SECURE=1when the public URL is HTTPS so browsers only send the session cookie over TLS. - If your reverse proxy provides its own authentication, you may disable Fabricator’s built-in login with
FABRICATOR_DISABLE_AUTH=1, but only behind that trusted layer.
Security checklist
Section titled “Security checklist”- Restrict dashboard access with VPN, SSO, basic auth, IP allowlists, or firewall rules when possible.
- Use HTTPS for remote browser access.
- Do not set
CORS_ORIGINS=*; Fabricator rejects it. - Keep the Minecraft server port separate from the Fabricator dashboard port.
- Review
/etc/sudoers.d/fabricator-self-updateon native installs; it should only allow the bundled update wrapper.